SAS® Cloud Analytic Services on SAS® Viya® 3.5 accepts cross-origin requests from any domain


Severity: High

Description: SAS Cloud Analytic Services on SAS Viya 3.5 accepts cross-origin requests from any domain.

Potential Impact: This issue might allow various types of attacks, including cross-site request forgery (CSRF).

To address this issue, complete the following steps:

  1. Update your SAS Viya environment to address this issue. See Updating Your SAS Viya Software for more information. 
  2. As the "sas" user, log on to the SAS Viya server and open /opt/sas/viya/config/etc/cas/default/cas_usermods.settings in a text editor.
  3. Add the following line at the end of cas_usermods.settings.

    export TKHTTP_CORS_ALLOWED_ORIGINS="https://<your SAS Viya server domain>"

  4. Replace <your SAS Viya server domain> in the line above with your SAS Viya server's domain. For example, if you normally access the SAS Viya web application through a URL such as "https://www.example.com/SASXXXXX", then you must set the following:

    export TKHTTP_CORS_ALLOWED_ORIGINS="https://*.example.com"

    Note: This allows cross-origin requests only from https://*.example.com, and only on port 443.

  5. To allow cross-origin requests from domains other than your SAS Viya server's domain, add them as a comma-separated list, as follows:

    export TKHTTP_CORS_ALLOWED_ORIGINS="https://*.domain1.com,https://*.domain2.com"

    Both the protocol and the domain name are checked when cross-origin requests are handled. For example, if the allowed entry uses the HTTPS protocol, requests using the HTTP protocol are not allowed: a preflight request over HTTP returns HTTP 200 OK without CORS headers, and the actual request is rejected.

    Note: If you set an empty value (""), all cross-origin requests from any origin are rejected. A CORS preflight request (OPTIONS) returns HTTP 200 OK without CORS headers in the response, indicating that the request is not allowed. The actual request (GET, POST, and so on) returns HTTP 403:

    export TKHTTP_CORS_ALLOWED_ORIGINS="" # Any cross-origin requests are rejected and response will not contain CORS Headers.

    If you set an asterisk ("*"), all cross-origin requests from any origin are allowed:

    export TKHTTP_CORS_ALLOWED_ORIGINS="*" # All cross-origin requests are allowed with any domain and any protocol.

  6. Save cas_usermods.settings.
  7. Restart the sas-viya-cascontroller-default service: systemctl restart sas-viya-cascontroller-default
  8. Check the status of the sas-viya-cascontroller-default service: systemctl status sas-viya-cascontroller-default

Once the service is active (running), the fix is successfully applied.
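To sanity-check a planned TKHTTP_CORS_ALLOWED_ORIGINS value before the restart, and to verify the running server afterwards (step 8 only confirms the service is up), here is an added example that is not SAS code. It models the matching rules described in the steps above; the exact "*." wildcard and default-port handling are assumptions about CAS behaviour, and the live check assumes curl is available.

```sh
#!/bin/sh
# Added example, not SAS code: decide how a TKHTTP_CORS_ALLOWED_ORIGINS value
# would treat a given Origin header, following the rules in this advisory
# ("" rejects every origin, "*" allows every origin, otherwise both protocol
# and domain must match an entry, and "https://*.example.com" only allows
# port 443). The exact wildcard matching is an assumption about CAS, so
# confirm the running server with check_preflight after the restart.

# cors_allowed "<allowed list>" "<Origin value>": exit 0 if allowed, 1 if not
cors_allowed() {
  allowed=$1
  origin=$2
  [ -z "$allowed" ] && return 1      # "": every cross-origin request rejected
  [ "$allowed" = "*" ] && return 0   # "*": any domain and any protocol allowed
  # An Origin is scheme://host[:port]; drop the default port so that
  # "https://www.example.com:443" compares like "https://www.example.com"
  case $origin in
    https://*:443) origin=${origin%:443} ;;
    http://*:80)   origin=${origin%:80} ;;
  esac
  rest=$allowed
  while [ -n "$rest" ]; do           # walk the comma-separated entries
    entry=${rest%%,*}
    case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
    scheme=${entry%%://*}
    host=${entry#*://}
    case $host in
      '*.'*)                         # wildcard entry: same scheme, any subdomain
        suffix=${host#'*.'}
        case $origin in
          "$scheme://"*".$suffix") return 0 ;;
        esac ;;
      *)                             # plain entry: scheme and host must match exactly
        [ "$origin" = "$scheme://$host" ] && return 0 ;;
    esac
  done
  return 1
}

# check_preflight "<CAS URL>" "<Origin value>": send a CORS preflight and
# succeed only if the response carries Access-Control-Allow-Origin. Per the
# advisory, a rejected origin still gets 200 OK, just without CORS headers.
check_preflight() {
  curl -s -o /dev/null -D - -X OPTIONS \
    -H "Origin: $2" -H "Access-Control-Request-Method: GET" "$1" |
    grep -qi '^access-control-allow-origin:'
}
```

Run check_preflight once with your own origin (expect success) and once with an unrelated origin (expect failure) after the cascontroller restart.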