BookmarkSubscribeRSS Feed
epower
Quartz | Level 8

Am I missing a place to stay up to date on release information? I was even manually going through hotfix announcement and everything is around VIYA and not touching 9.4

 

Anyone have insights? This is just a sliver of the security findings I'm having to deal with and there seems to be no fixes and M8 wont be available now until the end of the year...

 

Path              : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
  Installed version : 2.4.43
  Fixed version     : 2.4.46
CVE-2020-11984 CVE-2020-11993 CVE-2020-9490 

 

Path              : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
  Installed version : 2.4.43
  Fixed version     : 2.4.47
CVE-2019-17567 CVE-2020-13938 CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 
8 REPLIES 8
epower
Quartz | Level 8

Thanks for the response.. Looks like it does help but still pretty old if that's the latest update.

 

 

Path              : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
  Installed version : 2.4.43
  Fixed version     : 2.4.52
CVE-2021-44224 CVE-2021-44790 
alexal
SAS Employee
Contact SAS Technical Support if you have any concerns

https://www.sas.com/en_us/contact/technical-support.html
gwootton
SAS Super FREQ
SAS security updates can be found here:

https://support.sas.com/en/security-bulletins.html

The "SAS Security Update for SAS 9.4 Mx" (where x is your maintenance release) specifically might be of interest to you.
--
Greg Wootton | Principal Systems Technical Support Engineer
epower
Quartz | Level 8

This is kind of my point... If you look there you see they barely have anything.. They speak about Log4J and thats about it.

Kurt_Bremser
Super User

In my opinion, SAS (and their partner who provides httpd and tomcat) are EXTREMELY sloppy with security-updates for apache and tomcat. These should have their own hotfix downloads and these hotfixes have to be available at max a week (or so, the quicker, the better) after issued by the Apache Foundation themselves.

We had less security hassles when we used our own http/tomcat/boss.

gwootton
SAS Super FREQ
The SAS Security Update for 9.4 M7 December release addresses 32 additional CVEs to the September release.

https://support.sas.com/content/support/en/security-bulletins/SAS-security-update-for-SAS94M7-TS1M7....
--
Greg Wootton | Principal Systems Technical Support Engineer

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 8 replies
  • 1453 views
  • 2 likes
  • 5 in conversation