Updates for Java Deserialization Vulnerability

Providing software solutions since 1976

The following downloads address the Java Deserialization Vulnerability as described on SAS Statement Regarding the Java Deserialization Vulnerability.
This page contains a security update and the hot fixes necessary to address the Java deserialization vulnerability. Before attempting to apply the security update or hot fixes on this page, read Addressing the Java Deserialization Vulnerability for SAS Software (sas-security-update-2015-11.pdf) in its entirety. This PDF describes the steps in the order they should be taken to update your SAS software.

SAS Security Update 2015-11

All Hosts Released: February 15, 2016 Documentation: sas-security-update-2015-11.pdf Download: sas-security-update-2015-11.zip

The SAS Security Update 2015-11 may be applied to any SAS Installation running SAS 9.4_M3.

IMPORTANT (1): If you downloaded a SAS 9.4_M3 order for Ship Event 15w47 or later (after December 15, 2015), the fixes in SAS Security Update 2015-11 are included in your order. You do not need to run sas-security-update-2015-11.

Hot Fix Y09001 - Supplemental Hot Fix for SAS Security Update 2015-11

All Hosts Released: February 15, 2016 Documentation: Y09001pt.pdf Download: Y09001pt.zip

IMPORTANT (1): SAS Security Update 2015-11 (see above) must be applied before installing Y09001.
IMPORTANT (2): Please review Y09001pt.pdf to see the list of SAS Products that will be updated by Y09001. See SASNote 35968 for information on how to determine if you have these products installed as part of your SAS deployment.

Hot Fix V77004 for SAS Web Server 9.4_M3

Windows for x64 Released: February 15, 2016 Documentation: V77004x6.html ^D Download: V77004pt.zip

64-bit Enabled Solaris Released: February 15, 2016 Documentation: V77004s6.html ^D Download: V77004pt.zip

64-bit Enabled AIX Released: February 15, 2016 Documentation: V77004r6.html ^D Download: V77004pt.zip

HP-UX IPF Released: February 15, 2016 Documentation: V77004hx.html ^D Download: V77004pt.zip

Linux for x64 Released: February 15, 2016 Documentation: V77004la.html ^D Download: V77004pt.zip

Solaris for x64 Released: February 15, 2016 Documentation: V77004sx.html ^D Download: V77004pt.zip

^D indicates that the Documentation has special pre-installation, post-installation or other unique instructions not commonly used for hot fix deployment.

IMPORTANT: Please review the V77004 - SAS Web Server 9.4_M3 Hot Fix Download Page for a list of additional issues addressed by hot fix V77004.

PLEASE CAREFULLY READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING MATERIALS FROM THIS SITE. BY DOWNLOADING ANY MATERIALS FROM THIS SITE, YOU ARE AGREEING TO THESE TERMS.

You are downloading software code ("Code") which will become part of a product ("Software") you currently have licensed from SAS Institute Inc. or one of its subsidiaries ("the Institute"). This Code is designed to either correct an error in the Software or to add functionality to the Software. The code is governed by the same agreement which governs the Software. If you do not have an existing agreement with the Institute governing the Software, you may not download the Code.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ^® indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.