Severity: Informational
Description: Security scanners might flag the angular.min.js file in SAS Visual Investigator as vulnerable to the AngularJS CVEs.
Potential Impact: SAS has confirmed that SAS® Viya® 3.5 is not affected by these CVEs.
If you run a security scan on a SAS Viya 3.5 environment with SAS Visual Investigator installed, the following URL might be flagged as vulnerable to the known CVEs of AngularJS 1.8.
https://hostname/SASVisualInvestigator/webjars/angularjs/1.8.0/angular.min.js
The CVE numbers that could be flagged for these files are as follows:
SAS confirmed that if SAS® Visual Investigator 10.8 has the Hot Fix 9 applied, then SAS Viya 3.5 is not vulnerable to any of the above CVEs.
The AngularJS library detected in the above URL is a custom version of AngularJS managed by SAS. The source code of this custom AngularJS library was forked from the original AngularJS v1.8, but it is customized for SAS applications. SAS has always been patching its affected source code when it is discovered that it is affected by AngularJS vulnerabilities.
SAS confirmed that all the above vulnerabilities in the original AngularJS v1.8 are already remediated in the SAS fork version of AngularJS or have been verified that there is no impact to the SAS applications.
Below is the impact analysis on each CVE by SAS.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113, "Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking."
SAS confirmed the "ng-srcset" directive is not used in our web applications. As a result, SAS Viya 3.5 is not affected by CVE-2024-21490.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044, "Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression." This means that, in order to exploit this vulnerability, the "angular.copy()" function must be called, and "an insecure regular expression" must be given.
SAS confirmed that we use the "angular.copy()" call, but we do not use it in such a way that could lead to the vulnerability CVE-2023-26116. Also, the regular expressions in our source code are all hardcoded, and as a result, attackers cannot inject "an insecure regular expression" to our applications. Therefore, SAS Viya 3.5 is not affected by CVE-2023-26116.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046, "Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality."
SAS confirmed that we don't use the 'type="url"' attribute for <input> elements. Therefore, SAS Viya 3.5 is not affected by CVE-2023-26118.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045, "Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression", and "The vulnerability manifests itself when the $resource service is used with a URL that contains a large number of slashes followed by a non-slash character (for example, /some/url/////.../////foo):."
SAS confirmed that the $resource calls in our source code do not accept templated strings or variables that use templated strings that are user-derived, meaning attackers cannot input such strings like "a large number of slashes followed by a non-slash character" to the $resource calls. Therefore, SAS Viya 3.5 is not affected by CVE-2023-26117.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2772735, "Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value."
SAS confirmed that we do not use custom locale rules in our applications and there is no way attackers could add a custom locale rule. Therefore, SAS Viya 3.5 is not affected by CVE-2022-25844.
As per the problem description in https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781, "Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements."
SAS confirmed that SAS Viya 3.5 is not vulnerable to CVE-2022-25869 because it affects only the Internet Explorer, and SAS Viya 3.5 does not support Internet Explorer.
As mentioned in Support for Web Browsers in SAS® Viya® 3.5, the following web browsers are supported by SAS Viya 3.5 user interfaces:
Internet Explorer is not included in the above list, meaning it is not supported in SAS Viya 3.5.
Also, it is stated in Support for Web Browsers in SAS® Viya® 3.5 that Internet Explorer 11 is supported as a web browser for CAS Server Monitor. However, CAS Server Monitor is disabled by default.(See CAS Environment Variables Reference, which states that the env.CAS_START_MONITOR_UI option is set to FALSE by default, meaning that CAS Server Monitor is disabled by default). Also, CAS Server Monitor does not contain AngularJS. Therefore, SAS Viya 3.5 is not vulnerable to CVE-2022-25869
Product Release
| Reported | Fixed |
| 3.5 |