This KB article covers known security vulnerabilities with updating or upgrading SAS Web Infrastructure Platform Database. 

Overview

Severity: Medium

Description: The following versions of PostgreSQL are used as the underlying technology for the SAS Web Infrastructure Platform Data Server:

• PostgreSQL 9.5.x, which is used with SAS^® 9.4M6 (TS1M6) 
• PostgreSQL 12.x, which is used with SAS^® 9.4M7 (TS1M7)
• PostgreSQL 14.x, which is used with SAS^® 9.4M8 (TS1M8)

Updates to these versions of SAS are being offered to keep current with security fixes to PostgreSQL.

These versions of PostgreSQL ​​​​​have the following known security vulnerabilities:

• Vulnerability Summary for CVE-2023-39417
• Vulnerability Summary for CVE-2023-2455
• Vulnerability Summary for CVE-2023-2454
• ​​​​​Vulnerability Summary for CVE-2022-41862
• Vulnerability Summary for CVE-2022-37434
• Vulnerability Summary for CVE-2022-2625
• Vulnerability Summary for CVE-2022-2068
• Vulnerability Summary for CVE-2022-1552
• Vulnerability Summary for CVE-2022-1292
• Vulnerability Summary for CVE-2022-0778
• Vulnerability Summary for CVE-2021-32029
• Vulnerability Summary for CVE-2021-32028
• Vulnerability Summary for CVE-2021-32027
• Vulnerability Summary for CVE-2021-23222
• Vulnerability Summary for CVE-2021-23214
• Vulnerability Summary for CVE-2021-3677
• Vulnerability Summary for CVE-2021-3393
• Vulnerability Summary for CVE-2020-25696
• Vulnerability Summary for CVE-2020-25695
• Vulnerability Summary for CVE-2020-25694
• Vulnerability Summary for CVE-2020-14350
• Vulnerability Summary for CVE-2020-14349
• Vulnerability Summary for CVE-2020-10733
• Vulnerability Summary for CVE-2019-10211
• Vulnerability Summary for CVE-2019-10210
• Vulnerability Summary for CVE-2019-10208
• Vulnerability Summary for CVE-2019-10130
• Vulnerability Summary for CVE-2019-10128
• Vulnerability Summary for CVE-2019-10127

Potential Impact: These security concerns have the following impacts:

• Denial of service.
• Access to higher privileged connections.
• Access to execute arbitrary SQL statements as owner.
• An opportunity for a man-in-the-middle attack or the ability to observe cleartext transmissions.
• Creation of non-temporary objects can execute arbitrary SQL functions under the identity of a super user.
• Buffer overrun from integer overflow in array subscripting calculations.
• Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE.
• Memory disclosure in partitioned-table UPDATE ... RETURNING.
• Vulnerabilities in Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck.

SAS supports all versions of the database delivered with the product but only the latest version, PostgreSQL 12.x, continues to receive security fixes from the PostgreSQL community.

SAS^® 9.4M0 (TS1M0) to SAS^® 9.4M5 (TS1M5) delivered PostgreSQL 9.1.x for the SAS^® Web Infrastructure Platform Data Server. With the exception of SAS 9.4M5, these databases cannot be updated or upgraded to a later release. The latest release that SAS 9.4M5 can be upgraded to is PostgreSQL 9.4.24, which is currently out of support by the PostgreSQL community.  If you require SAS 9.4M5 to be upgraded to that release, contact SAS Technical Support for the manual steps.

Hot Fixes

The hot fixes in this KB article address the following scenarios:

• The SAS version is SAS 9.4M6, and you are updating 9.5.x.
• The SAS version is SAS 9.4M7, and you are updating 12.x.
• The SAS version is SAS 9.4M8, and you are updating 14.x.

SAS 9.4M6

It is highly recommended that, if you run SAS 9.4M6 and you require security updates to PostgreSQL, you upgrade to SAS 9.4M7 and PostgreSQL 12.x.

If you are unable to update to SAS 9.4M7 at this time but still require PostgreSQL 12.x, then you must contact SAS Technical Support for the paper about how to manually update PostgreSQL 9.x to 12.x.

If you are at SAS 9.4M6 and have already upgraded to PostgreSQL 12, then you can apply the hot fix in this note to update the PostgreSQL database to 12.8.

If you would like to update SAS 9.4M6 to the latest PostgreSQL 9.5.x supported and you have not yet upgraded to PostgreSQL ​​​​​9.5.x, then you must follow the directions in the documentation Upgrading PostgreSQL.  

Once your database is at 9.5.x or if it already is at 9.5.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 9.5.24. ​​​

SAS 9.4M7

If you run SAS 9.4M7 and you have not yet upgraded to PostgreSQL 12.x, then you must follow the directions in the documentation Upgrading PostgreSQL if you want to keep receiving security fixes for your PostgreSQL instances.

Once your database is at 12.x or if it is already at 12.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 12.20.

SAS 9.4M8

If you run SAS 9.4M8 and you have not yet upgraded to PostgreSQL 14.x, then you must follow the directions in the documentation Upgrading PostgreSQL if you want to keep receiving security fixes for your PostgreSQL instances.

Once your database is at 14.x or if it is already at 14.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 14.17.

A Possible Upgrade Issue

Note that when you perform the upgrade, sometimes the cursor is not returned to the user. The upgrade appears to stop responding after it reports that all databases have been upgraded. It is safe to press Ctrl-C to exit the upgrade at this point.