CVE-2018-20732

SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to execute arbitrary code via a Java deserialization variant.

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Name	Vendor	Start Version	End Version
Web_infrastructure_platform	Sas	*	9.4 (excluding)
Web_infrastructure_platform	Sas	9.4 (including)	9.4 (including)
Web_infrastructure_platform	Sas	9.4-maintenance_release_1 (including)	9.4-maintenance_release_1 (including)
Web_infrastructure_platform	Sas	9.4-maintenance_release_2 (including)	9.4-maintenance_release_2 (including)
Web_infrastructure_platform	Sas	9.4-maintenance_release_3 (including)	9.4-maintenance_release_3 (including)
Web_infrastructure_platform	Sas	9.4-maintenance_release_4 (including)	9.4-maintenance_release_4 (including)
Web_infrastructure_platform	Sas	9.4-maintenance_release_5 (including)	9.4-maintenance_release_5 (including)

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-20732
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data