Severity: Critical
Description: SAS® 9.4 SAS Content Server is part of the SAS® Web Infrastructure Platform (WIP) and is based on the Apache Jackrabbit content repository.
The security vulnerability CVE-2023-37895 has been reported against Jackrabbit. It is a Java deserialization flaw that is reachable through Jackrabbit's Remote Method Invocation (RMI) support. Current Jackrabbit releases remediate this CVE by disabling RMI support by default.
Potential Impact: Refer to the CVE record for details.
Solution: RMI support is enabled by default in SAS 9.4 SAS Content Server, but the RMI endpoint can be reached only after authentication with valid security credentials. Sites that additionally require RMI support to be disabled can complete the following steps once installation and configuration are finished. Adding or redeploying web applications, and any other action that loads content into the SAS 9.4 SAS Content Server, might require RMI: you might need to reverse these steps before such an action and reapply them afterward.
- Stop SASServer1_1.
- In Unix operating environments, submit the following command: sas-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/bin/tcruntime-ctl.sh stop
- In Microsoft Windows operating environments, stop the server by using the Services window.
- Locate and make a backup copy of the web.xml file used by the SAS 9.4 SAS Content Server: cd sas-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/sas_webapps/sas.svcs.scs.war/WEB-INF.
- Unix: cp web.xml web.xml.orig
- Microsoft Windows: copy web.xml web.xml.orig
- Comment out the RMI servlet definition (the Remote Binding Servlet section) in web.xml:
<!--
<servlet>
<servlet-name>RMI</servlet-name>
<servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
</servlet>
-->
- Comment out the matching servlet mapping for the RMI servlet (url-pattern /rmi) under the Servlet Mappings header:
<!--
<servlet-mapping>
<servlet-name>RMI</servlet-name>
<url-pattern>/rmi</url-pattern>
</servlet-mapping>
-->
- Start SASServer1_1.
- In Unix operating environments, submit the following command: sas-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/bin/tcruntime-ctl.sh start
- In Microsoft Windows operating environments, start the server by using the Services window.
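The Unix steps above, carried out and verified by a script, as an added example that is not part of this SAS advisory and is not SAS code. It stops SASServer1_1, keeps a web.xml.orig backup, wraps the RMI servlet definition and its /rmi servlet mapping in XML comments exactly as shown above, refuses to start the server if an uncommented /rmi mapping remains, and then starts the server. The paths and the tcruntime-ctl.sh commands are the advisory's; the SAS_CONFIG default (/opt/sas/config) is an assumption you must replace with your sas-configuration-directory, and the web.xml written by make_sample is a constructed minimal file used only for the stand-alone demo (run with no arguments), not the real SAS file.

```shell
#!/bin/sh
# Added example, not SAS code: disable Jackrabbit RMI in SAS Content Server's web.xml
# the way the advisory's manual steps do, then verify before restarting the server.
set -eu

SAS_CONFIG="${SAS_CONFIG:-/opt/sas/config}"   # ASSUMPTION: set to your sas-configuration-directory
WEBINF="$SAS_CONFIG/Lev1/Web/WebAppServer/SASServer1_1/sas_webapps/sas.svcs.scs.war/WEB-INF"
SERVER_BIN="$SAS_CONFIG/Lev1/Web/WebAppServer/SASServer1_1/bin"

# make_sample FILE: constructed minimal web.xml for the demo (not the real SAS file)
make_sample() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <!-- Repository Servlet -->
  <servlet>
    <servlet-name>Repository</servlet-name>
    <servlet-class>org.apache.jackrabbit.j2ee.RepositoryStartupServlet</servlet-class>
  </servlet>
  <!-- Remote Binding Servlet -->
  <servlet>
    <servlet-name>RMI</servlet-name>
    <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Repository</servlet-name>
    <url-pattern>/repository/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RMI</servlet-name>
    <url-pattern>/rmi</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# rmi_active FILE: exit 0 if an uncommented <servlet-mapping> still names the RMI servlet
rmi_active() {
  awk '
    /<!--/ && !/-->/ { in_comment = 1 }
    /-->/            { in_comment = 0; next }
    in_comment       { next }
    /^[ \t]*<servlet-mapping>/ { in_map = 1 }
    in_map && index($0, "<servlet-name>RMI</servlet-name>") { found = 1 }
    index($0, "</servlet-mapping>") { in_map = 0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# disable_rmi FILE: back up FILE once, then wrap the RMI <servlet> and <servlet-mapping>
# blocks in <!-- -->, leaving every other block and already-commented regions untouched
disable_rmi() {
  f="$1"
  [ -e "$f.orig" ] || cp "$f" "$f.orig"     # keep the first backup; it is what you restore from
  tmp="$f.tmp.$$"
  cp "$f" "$tmp"
  awk '
    function flush() {
      if (index(buf, "<servlet-name>RMI</servlet-name>")) print "<!--\n" buf "\n-->"
      else print buf
      buf = ""; in_block = 0
    }
    /<!--/ && !/-->/ { in_comment = 1 }
    /-->/            { in_comment = 0 }
    in_comment       { print; next }          # never touch regions already commented out
    !in_block && ($0 ~ /^[ \t]*<servlet>/ || $0 ~ /^[ \t]*<servlet-mapping>/) {
      in_block = 1; buf = $0; next            # start buffering a servlet or servlet-mapping block
    }
    in_block {
      buf = buf "\n" $0
      if (index($0, "</servlet>") || index($0, "</servlet-mapping>")) flush()
      next
    }
    { print }
  ' "$tmp" > "$f"
  rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
  # The advisory's sequence: stop SASServer1_1, edit web.xml, verify, start it again
  "$SERVER_BIN/tcruntime-ctl.sh" stop
  disable_rmi "$WEBINF/web.xml"
  if rmi_active "$WEBINF/web.xml"; then
    echo "RMI mapping still active in $WEBINF/web.xml; not starting the server" >&2; exit 1
  fi
  "$SERVER_BIN/tcruntime-ctl.sh" start
else
  # No argument: exercise the edit on the constructed sample so nothing on the host changes
  work=$(mktemp -d)
  make_sample "$work/web.xml"
  rmi_active "$work/web.xml" && echo "before: /rmi mapping active"
  disable_rmi "$work/web.xml"
  rmi_active "$work/web.xml" || echo "after:  /rmi mapping commented out (backup: web.xml.orig)"
  rm -rf "$work"
fi
```

Because the edit lives in the expanded WAR directory, a redeploy or rebuild of the web applications will replace web.xml, which is why the advisory tells you the steps may need to be reversed and then repeated; rerunning rmi_active after any such action tells you whether the mapping has come back. To confirm from the network side once the server is up, request the RMI path with valid credentials and check that it is no longer served, for example with curl against http://host:8080/SASContentServer/rmi; the /SASContentServer context root and port 8080 are assumptions about a default deployment, so use the URL of your own Content Server.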