The following downloads address the Java Deserialization and Other Security Vulnerabilities as described on SAS Statement Regarding the Java Deserialization Vulnerability.

This page contains a security update and the hot fixes necessary to address Java deserialization and other security vulnerabilities. Before attempting to apply the security update or hot fixes on this page, read Addressing the Java Deserialization Vulnerability for SAS Software (sas-security-update-2017-09.pdf) in its entirety. This PDF describes the steps in the order they should be taken to update your SAS software.

IMPORTANT:If you downloaded a SAS 9.4_M3 or higher order after November 20, 2017, the fixes in SAS Security Update 2017-09 are included in your order. The SAS Deployment Wizard will install SAS Security Update 2017-09 listed above during your software deployment or update. Customers who have downloaded and applied any SAS Security Update prior to November 20, 2017 should download and apply SAS Security Update 2017-09 to receive the most current security fixes.

IMPORTANT (1): SAS Security Update 2017-09 (see above) must be applied before installing Y09005.

IMPORTANT (2): Please review Y09005pt.pdf to see the list of SAS Products that will be updated by Y09005. See SASNote 35968 for information on how to determine if you have these products installed as part of your SAS deployment.

IMPORTANT (3): If you downloaded a SAS Software order after November 20, 2017, and have any of the products listed in Y09005pt.pdf, the fixes in Y09005 are included in your order and will be automatically installed by the SAS Deployment Wizard.

The SAS Hot Fix Analysis, Download and Deployment Tool (SASHFADD) can be used to identify and download product specific hot fixes for any security vulnerabilities that are applicable for your SAS Deployment. These hot fixes will be identified in the SASHFADD ANALYSIS_ Report by the reference to SASNote 58607.