Aasth
Quartz | Level 8

Hi,

 

We are using SAS 9.4M6 on AIX servers. We found several Tomcat vulnerabilities in a Rapid7 report that reference older Tomcat versions in SAS Environment Manager and SAS Web Application Server which are not currently being used by our servers (I checked the startup logs to find the current Tomcat versions in use, which are 8.5 for the SAS Web App Server and 9.0 for Environment Manager).

 

Below are the vulnerabilities listed with their respective locations as referenced in the report:

 

Apache Tomcat: Low: Directory disclosure (CVE-2015-5345)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Obsolete version
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Limited directory traversal (CVE-2015-5174)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Important: Information Disclosure (CVE-2017-5647)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Important: Information Disclosure (CVE-2016-6816)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Timing Attack (CVE-2016-0762)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Low: Security Manager bypass (CVE-2016-0706)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Moderate: Security Manager bypass (CVE-2016-0714)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Important: Remote Code Execution (CVE-2016-8735)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Important: Information Disclosure (CVE-2016-8745)
Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)

Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)
Vulnerable software installed: Apache Tomcat 7.0.55.A (/sas/install/SASHome/SASWebApplicationServer/9.4-1/9.4/tomcat-7.0.55.A.RELEASE/lib/catalina.jar)

 

 

I deleted the /sas/install/SASHome/SASWebApplicationServer/9.4-1 folder for the last vulnerability, but I am not sure whether the hotfix folder can be deleted. I checked our current installer report and found that the following bundled hotfix is installed:

 

[image 1.png: installer report showing the installed hotfix]

 

The link for that hotfix is: http://ftp.sas.com/techsup/download/hotfix/HF2/V/V77/V77014/xx/r64/V77014r6.html

 

This hotfix has now been replaced by hotfix V77017: http://ftp.sas.com/techsup/download/hotfix/HF2/V77.html#V77014

 

But it is still listed for SAS Web Server 9.4_M3. We are currently using SAS 9.4_M6.

 

Can I remove the old hotfix folder, or do I have to install the new one? Please suggest.
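The scanner findings above all point at catalina.jar files on disk, while the running Tomcat versions came from the startup logs. The script below is an added example, not code from the original post or from SAS: it inventories every catalina.jar under a deployment root, reads the Tomcat version from the standard `org/apache/catalina/util/ServerInfo.properties` entry inside the jar (the same file a Rapid7-style scanner reads), and marks each copy as in use or stale by matching its parent directory against the `-Dcatalina.home=...` values in the JVM command lines you pass in (for example the output of `ps -ef | grep catalina.home`). The directory layout, the `tomcat-live` path and the `9.0.0` version in the fixture are constructed placeholders, not real SAS paths or shipped versions; only the `hotfix/tomcat-6.0.44.B.RELEASE` path and `6.0.44` version come from the post.

```python
"""Inventory catalina.jar copies under a SAS deployment, read each one's Tomcat
version, and separate copies that a running JVM actually loads from stale copies
(such as old hotfix staging directories) that a vulnerability scanner still flags."""
import os
import re
import tempfile
import zipfile

# Tomcat stores its version string in this file inside catalina.jar.
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def tomcat_version(jar_path):
    """Return the Tomcat version recorded in catalina.jar, or None if the entry is missing."""
    with zipfile.ZipFile(jar_path) as jar:
        if SERVER_INFO not in jar.namelist():
            return None
        text = jar.read(SERVER_INFO).decode("utf-8", "replace")
    match = re.search(r"^server\.info=Apache Tomcat/(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def find_catalina_jars(root):
    """Walk the tree and return every .../lib/catalina.jar path, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "catalina.jar" in files:
            hits.append(os.path.join(dirpath, "catalina.jar"))
    return sorted(hits)


def running_catalina_homes(ps_lines):
    """Collect normalized -Dcatalina.home=... values from JVM command lines (e.g. `ps -ef` output)."""
    homes = set()
    for line in ps_lines:
        for match in re.finditer(r"-Dcatalina\.home=(\S+)", line):
            homes.add(os.path.normpath(match.group(1)))
    return homes


def classify_jars(root, ps_lines):
    """Pair each on-disk catalina.jar with its version and whether a live JVM has it as catalina.home."""
    homes = running_catalina_homes(ps_lines)
    report = []
    for jar in find_catalina_jars(root):
        # .../tomcat-X/lib/catalina.jar -> .../tomcat-X is the Tomcat home that jar belongs to
        home = os.path.normpath(os.path.join(os.path.dirname(jar), os.pardir))
        report.append({"jar": jar, "version": tomcat_version(jar), "in_use": home in homes})
    return report


def stale_jars(report):
    """Copies no running JVM loads: scanner findings, but not live attack surface."""
    return [entry for entry in report if not entry["in_use"]]


# ---- constructed fixture (fake jars and fake ps output, not real SAS files) ----

def _write_fake_jar(path, version):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(SERVER_INFO, f"server.info=Apache Tomcat/{version}\nserver.number={version}.0\n")


def demo():
    """Build a throwaway SASHome-like tree with one stale hotfix jar and one live jar."""
    root = tempfile.mkdtemp(prefix="sashome-")
    hotfix_home = os.path.join(root, "SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE")
    live_home = os.path.join(root, "SASEnvironmentManager/2.5/server/tomcat-live")  # hypothetical path
    _write_fake_jar(os.path.join(hotfix_home, "lib/catalina.jar"), "6.0.44")
    _write_fake_jar(os.path.join(live_home, "lib/catalina.jar"), "9.0.0")  # placeholder version
    # Constructed `ps -ef` line for the only Tomcat JVM that is actually running.
    ps_lines = [
        f"sas 4242 1 0 Jan01 - 12:34 /usr/java8_64/bin/java -Dcatalina.home={live_home} "
        f"-Dcatalina.base={live_home} org.apache.catalina.startup.Bootstrap start",
    ]
    return classify_jars(root, ps_lines)


if __name__ == "__main__":
    for entry in demo():
        state = "IN USE" if entry["in_use"] else "stale"
        print(f"{state:6} Tomcat {entry['version']}  {entry['jar']}")
```

Run it against the real root with `classify_jars("/sas/install/SASHome", ps_output_lines)`, where the second argument is the captured `ps` text split into lines. A jar that shows as stale is still a scanner finding, because the vulnerable bytes are on disk, but it is not code a remote client can reach; whether such a directory may be removed, or must instead be replaced through the SAS hotfix process, is a SAS support question rather than something this check decides.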

AnandVyas
Ammonite | Level 13
Hi @Aasth,

Have you checked the SAS Security Bulletin board for SAS 9.4 M6 Version? Here: https://support.sas.com/en/security-bulletins.html

Most of the CVEs you listed are already taken care of as part of the SAS Security Update for 9.4 M6. You can find the list of vulnerabilities addressed at this link: https://support.sas.com/en/security-bulletins/sas-security-update-for-sas-94m6.html#df3f745d-c882-4b...

It also has a hyperlink to the solution for these vulnerabilities, here: http://ftp.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html

I suggest you apply those instead of deleting any binaries.

Thanks!
nhvdwalt
Barite | Level 11

Some good advice by @AnandVyas, thanks.

 

@Aasth, for questions like these, I would advise you to log a call with SAS Technical Support instead and resolve it through that channel.
