paterd2
Obsidian | Level 7

Good day.

I got a question concerning the following.

Is SAS 9.4 vulnerable to the following postgres flaw?


Description of problem:

An XML eXternal Entity (XXE) flaw was discovered in the PgSQLXML implementation that is known as CVE-2020-13692. This flaw could possibly allow disclosure of confidential data (such as content of local files), denial of service, server side request forgery (SSRF), or other impacts, if specially crafted XML documents are processed by PgSQLXML.

In order to fix the CVE-2020-13692 issue, the PgSQLXML implementation in postgresql-jdbc was modified to disable loading of external entities and document type definitions (DTD) by default. This change may introduce a regression in environments that rely on processing of external entities or DTDs.


For environments that require processing of external entities or DTDs, it is possible to configure PgSQLXML to use the previous behaviour and perform loading of external objects. This legacy behaviour can be enabled for each database connection by setting the xmlFactoryFactory property to the value of LEGACY_INSECURE.

Note: This setting enables processing of external entities and DTDs and therefore re-introduces the CVE-2020-13692 issue. It should only be used when XML documents stored in a database and processed using the PgSQLXML are fully trusted.
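To make concrete what the advisory text above means by "disable loading of external entities and DTDs", here is an added example; it is not part of the original post and it is not pgjdbc code. It uses Python's standard-library xml.sax parser, whose feature_external_ges switch plays the same role for this demo as the driver's xmlFactoryFactory property: "legacy" mode resolves the external entity and discloses the file (the LEGACY_INSECURE behaviour), "default" mode leaves the entity unexpanded (the fixed driver's default), and "strict" mode goes one step further and refuses any DOCTYPE at all. The secret.txt file, its "hunter2" content and the <note> document are constructed for the demo; the mode names, the parse_body/xxe_payload/demo helpers and the DtdRejected exception are this example's own, not anything from pgjdbc or SAS.

```python
"""Added illustration of the CVE-2020-13692 class of bug: XXE via an external
general entity, shown with Python's stdlib SAX parser rather than pgjdbc.

  legacy  -> external entities resolved (what LEGACY_INSECURE re-enables)
  default -> external entities left unexpanded (the fixed driver's default)
  strict  -> any DOCTYPE rejected outright (no DTD processing at all)
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DtdRejected(Exception):
    """Raised in strict mode when a document carries a <!DOCTYPE ...>."""


class _RejectDtd:
    """Minimal SAX LexicalHandler whose only job is to abort on a DOCTYPE.

    xml.sax reads all five callbacks off the object at reset time, so the
    no-op ones must exist even though only startDTD does anything."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class _BodyCollector(ContentHandler):
    """Collects the character data inside <body>...</body>."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.body = []

    def startElement(self, name, attrs):
        if name == "body":
            self.in_body = True

    def endElement(self, name):
        if name == "body":
            self.in_body = False

    def characters(self, content):
        if self.in_body:
            self.body.append(content)


def parse_body(xml_bytes, mode="default"):
    """Parse xml_bytes and return the text of <body> under the given mode."""
    parser = xml.sax.make_parser()
    handler = _BodyCollector()
    parser.setContentHandler(handler)
    # This one feature is the whole difference between "legacy" and "default":
    # when it is on, the parser opens whatever SYSTEM id the entity names.
    parser.setFeature(feature_external_ges, mode == "legacy")
    if mode == "strict":
        parser.setProperty(property_lexical_handler, _RejectDtd())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.body)


def xxe_payload(path):
    """Constructed attacker-style document: an external entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE note [ <!ENTITY secret SYSTEM "{path}"> ]>\n'
        '<note><body>&secret;</body></note>'
    ).encode()


def demo():
    """Run the same payload through all three modes; returns {mode: result}."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w") as f:
            f.write("hunter2")  # constructed stand-in for a file an attacker wants read
        doc = xxe_payload(path)
        results = {
            "legacy": parse_body(doc, "legacy"),    # file content leaks into <body>
            "default": parse_body(doc, "default"),  # entity silently left empty
        }
        try:
            parse_body(doc, "strict")
            results["strict"] = "parsed"
        except DtdRejected:
            results["strict"] = "rejected"          # DOCTYPE refused before any entity is seen
        return results


if __name__ == "__main__":
    for mode, result in demo().items():
        print(f"{mode:8s}: {result!r}")
```

Running the file prints the three outcomes side by side: legacy returns the file contents, default returns an empty body, strict refuses the document. The practical point for a JDBC deployment is the same as the advisory's: leaving xmlFactoryFactory at its default costs you only documents that genuinely need DTDs or external entities, and those are exactly the documents you should not be accepting from a source you do not fully trust.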

1 ACCEPTED SOLUTION

Anand_V
Ammonite | Level 13

Hi @paterd2 


You can find the security bulletins and vulnerabilities related information from SAS at this site: https://support.sas.com/en/security-bulletins.html#security-bulletins

I don't see the postgres one listed. I would suggest you raise a technical support track to get it confirmed. You can raise a track by emailing the details to support@sas.com

