Triple Data Encryption Standard (DES) ciphers in SAS® Web Server are susceptible to the Sweet32 vulnerability


The Triple DES encryption ciphers in SAS Web Server are susceptible to the Sweet32 vulnerability that is described in Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. To eliminate this vulnerability, disable the Triple DES ciphers, as described below.

SAS Web Server is typically configured for HTTPS by editing SAS-configuration-directory\Levn\Web\WebServer\conf\extra\httpd-ssl.conf, as described in SAS® 9.4 Intelligence Platform: Middle-Tier Administration Guide. Encryption ciphers are specified in this file via the SSLCipherSuite directive, which is documented in Apache Module mod_ssl. To disable the Triple DES ciphers, remove them from the cipher-spec in the SSLCipherSuite directive, along with any alias that includes them. 
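As an added example (not from the SAS note or its documentation), here is a constructed SSLCipherSuite line that still admits Triple DES, beside a hardened one for httpd-ssl.conf. It assumes the OpenSSL 1.0.x library bundled with SAS Web Server, in which the HIGH alias still expands to include the DES-CBC3-SHA cipher family.

```apache
# Added example for httpd-ssl.conf, not from the SAS documentation.
# Assumption: OpenSSL 1.0.x, where HIGH still contains DES-CBC3-SHA,
# ECDHE-RSA-DES-CBC3-SHA and related Triple DES suites.

# Before (constructed): the HIGH alias silently pulls in the Triple DES
# suites, so the server stays exposed to Sweet32 even though no 3DES
# cipher is named explicitly.
# SSLCipherSuite HIGH:!aNULL:!MD5

# After: exclude the 3DES alias (and single DES) explicitly. The "!" prefix
# removes a cipher permanently, so no later alias in the string can add it
# back, unlike "-", which only removes it until it is re-added.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES
SSLHonorCipherOrder on
```

Check the expansion before restarting the server with `openssl ciphers -v 'HIGH:!aNULL:!MD5:!3DES:!DES' | grep -i DES`, which should print nothing; after the restart, `openssl s_client -connect host:port -cipher 3DES` should fail the handshake.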

The Triple DES ciphers are part of the OpenSSL library included in SAS Web Server. For more information about OpenSSL and Sweet32, see The SWEET32 Issue, CVE-2016-2183.