A SAS 9.4M8 (TS1M8) security update leaves old JAR files when updating


Severity: Critical

Description: When you apply the SAS security update for SAS 9.4M8, some old JAR files might be left behind. The following is a list of the JAR files that are affected:

| JAR Name | JAR Path | JAR Version |
| --- | --- | --- |
| commons-net.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\commons_net_2.0.0.0_SAS_20121211183207\commons-net.jar | 2 |
| spring-security-acl.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-acl.jar | 3.1.0.RELEASE |
| spring-security-aspects.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-aspects.jar | 3.1.0.RELEASE |
| spring-security-cas.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-cas.jar | 3.1.0.RELEASE |
| spring-security-config.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-config.jar | 3.1.0.RELEASE |
| spring-security-core.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-core.jar | 3.1.0.RELEASE |
| spring-security-crypto.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-crypto.jar | None |
| spring-security-ldap.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-ldap.jar | 3.1.0.RELEASE |
| spring-security-openid.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-openid.jar | 3.1.0.RELEASE |
| spring-security-remoting.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-remoting.jar | 3.1.0.RELEASE |
| spring-security-taglibs.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-taglibs.jar | 3.1.0.RELEASE |
| spring-security-web.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\org.springframework.security_3.1.0.0_SAS_20200313123235\spring-security-web.jar | 3.1.0.RELEASE |
| xstream.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\xstream_1.4.18.0_SAS_20211018112205\xstream.jar | 1.4.18 |
| stax2-api.jar | $SASHome\SASVersionedJarRepository\eclipse\plugins\stax_parser_4.0.8.0_SAS_20121211183332\stax2-api.jar | 3.0.2 |

 

Potential Impact: Old files might be left behind and not cleared when you install the SAS security update for SAS 9.4M8. Although these files should not be referenced, and therefore should not present an exploitable vulnerability, they might cause security scanners to flag these files, including for critical-level vulnerabilities.

To address this issue, apply the current security update available at Applying SAS Security Updates and Hot Fixes.
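The following check is an added example, not SAS code: it looks under a given SASHome for the JAR files listed in the table above and reports which are still on disk, so that scanner findings can be matched against this note. The function names are hypothetical, and reading the version from the manifest's `Implementation-Version` attribute is an assumption about how a scanner identifies the JAR.

```python
import sys
import zipfile
from pathlib import Path

# Plugin directories and JAR names copied from the table in this note.
PLUGINS = "SASVersionedJarRepository/eclipse/plugins"
SPRING_DIR = "org.springframework.security_3.1.0.0_SAS_20200313123235"
SPRING_JARS = ["acl", "aspects", "cas", "config", "core", "crypto", "ldap",
               "openid", "remoting", "taglibs", "web"]
LEFTOVER = (
    [("commons_net_2.0.0.0_SAS_20121211183207", "commons-net.jar")]
    + [(SPRING_DIR, f"spring-security-{n}.jar") for n in SPRING_JARS]
    + [("xstream_1.4.18.0_SAS_20211018112205", "xstream.jar"),
       ("stax_parser_4.0.8.0_SAS_20121211183332", "stax2-api.jar")]
)

def manifest_version(jar_path):
    """Return Implementation-Version from the JAR manifest, or None.
    Assumption: a scanner derives the reported version from this attribute."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # unreadable archive or no manifest
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None

def find_leftover_jars(sas_home):
    """Return [(path, version)] for each listed JAR still present on disk."""
    root = Path(sas_home) / PLUGINS
    found = []
    for plugin_dir, jar_name in LEFTOVER:
        candidate = root / plugin_dir / jar_name
        if candidate.is_file():
            found.append((candidate, manifest_version(candidate)))
    return found

if __name__ == "__main__":
    # Argument: path to SASHome (defaults to the current directory).
    hits = find_leftover_jars(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version in hits:
        print(f"LEFTOVER {path} (manifest version: {version})")
    sys.exit(1 if hits else 0)
```

Run it with the SASHome directory as the argument before and after applying the current security update; a nonzero exit status means at least one listed file is still present.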