Vulnerabilities in OpenSSL 1.0.2zm and Older on Siteminder Access Gateway r12.8.x

Article ID: 429351


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Vulnerabilities in OpenSSL 1.0.2zm and older, as bundled with Symantec Siteminder Access Gateway r12.8.x, have been published.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x. Earlier KB articles delivered the previous 1.0.2 letter releases:

KB 274048 (archived) delivered OpenSSL 1.0.2zi
KB 280151 (archived) delivered OpenSSL 1.0.2zj
KB 385668 (archived) delivered OpenSSL 1.0.2zk
KB 420181 (archived) delivered OpenSSL 1.0.2zl
KB 429563 (archived) delivered OpenSSL 1.0.2zm

NOTE: Siteminder r12.9 ships with OpenSSL 3.0.x and is not impacted by these CVEs.

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway 

OPERATING SYSTEM: ANY

VERSION: 12.8.8.1 and older

Cause

CVE-2026-22796 "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function"

SEVERITY: Low

DESCRIPTION: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

IMPACTED: OpenSSL 1.0.2 - 1.0.2zm

REMEDIATED: OpenSSL 1.0.2zn

 

CVE-2025-69421 "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function"

SEVERITY: Low

DESCRIPTION: A NULL pointer dereference in PKCS12_item_decrypt_d2i_ex() can be triggered by malformed PKCS#12 data, crashing the application that parses it (denial of service).

IMPACTED: OpenSSL 1.0.2 - 1.0.2zm

REMEDIATED: OpenSSL 1.0.2zn

 

CVE-2025-68160 "Heap out-of-bounds write in BIO_f_linebuffer on short writes"

SEVERITY: Low

DESCRIPTION: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

IMPACTED: OpenSSL 1.0.2 - 1.0.2zm

REMEDIATED: OpenSSL 1.0.2zn

Resolution

Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zn.

Verifying the OpenSSL version on Siteminder Access Gateway

###### UPGRADE INSTRUCTIONS ######


OpenSSL 1.0.2zn on Linux Installation Instructions

1) Copy "Openssl102zn_1280801GA_and_Below_linux.zip" to the Access Gateway Server

2) Unzip "Openssl102zn_1280801GA_and_Below_linux.zip":

unzip Openssl102zn_1280801GA_and_Below_linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/Openssl102zn_1280801GA_and_Below_linux/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS: openssl

EXAMPLE: cp -r /Openssl102zn_1280801GA_and_Below_linux/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/Openssl102zn_1280801GA_and_Below_linux/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /Openssl102zn_1280801GA_and_Below_linux/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Restart the Access Gateway:

./proxy-engine/sps-ctl start
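The Linux steps above as one script, followed by the post-install check the KB asks for. This is an added example and is not part of the KB article or of the Siteminder product; it assumes the KB package has already been unzipped (PKG_DIR holds bin/openssl and lib/*.so*), that the Access Gateway has been stopped (step 3) and that ca_sps_env.sh has been sourced so the bundled openssl binary can locate the bundled libcrypto. The function names, the backup directory layout and the 'want' suffix parameter are this example's own choices.

```shell
#!/bin/sh
# Added example, not KB or product code. Scripted form of the Linux upgrade
# steps plus a verification that looks at both bin/openssl and lib/libcrypto.

# Rank an OpenSSL 1.0.2 letter suffix ("k", "zm", "zn", ...). The letters run
# a..z and then za..zz, so a longer suffix is always newer and equal lengths
# compare alphabetically. Succeeds when $1 is the same as or newer than $2.
suffix_ge() {
  a=$1; b=$2
  if [ ${#a} -ne ${#b} ]; then
    [ ${#a} -gt ${#b} ]
  else
    [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | tail -n 1)" = "$a" ]
  fi
}

# Pull the letter suffix out of a banner such as "OpenSSL 1.0.2zn  <date>".
# Fails (prints nothing) if the text carries no 1.0.2 letter release.
openssl_102_suffix() {
  s=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSL 1\.0\.2\([a-z]*\).*/\1/p' | head -n 1)
  [ -n "$s" ] && printf '%s\n' "$s"
}

# Steps 5 to 10 without the service control. The four named files are copied
# explicitly rather than with lib/* so nothing else from the package can land
# in the gateway's lib directory, and each is written over the existing file
# (not moved into place), which keeps the original inode and therefore the
# owner and mode noted in step 5. cp fails with "Text file busy" if the old
# binary is still executing, one more reason step 3 comes first.
install_openssl_zn() {
  pkg_dir=$1; install_dir=$2
  ssl_dir="$install_dir/CA/secure-proxy/SSL"
  backup="$ssl_dir/backup-$(date +%Y%m%d%H%M%S)"   # hypothetical backup location
  mkdir -p "$backup/bin" "$backup/lib"
  cp -p "$ssl_dir/bin/openssl" "$backup/bin/"
  for f in libcrypto.so libcrypto.so.1.0.0 libssl.so libssl.so.1.0.0; do
    cp -p "$ssl_dir/lib/$f" "$backup/lib/"
  done
  cp "$pkg_dir/bin/openssl" "$ssl_dir/bin/openssl"
  for f in libcrypto.so libcrypto.so.1.0.0 libssl.so libssl.so.1.0.0; do
    cp "$pkg_dir/lib/$f" "$ssl_dir/lib/$f"
  done
  echo "originals saved under $backup"
}

# Post-install check. 'openssl version' alone only proves bin/ was updated;
# the gateway's TLS stack loads lib/libcrypto.so.1.0.0, and that library
# carries its own version banner, so grep it too and insist both agree.
verify_ag_openssl() {
  install_dir=$1; want=${2:-zn}
  ssl_dir="$install_dir/CA/secure-proxy/SSL"
  bin_out=$("$ssl_dir/bin/openssl" version 2>/dev/null) ||
    { echo "FAIL: cannot run $ssl_dir/bin/openssl (was ca_sps_env.sh sourced?)"; return 1; }
  lib_out=$(grep -ao 'OpenSSL 1\.0\.2[a-z]*' "$ssl_dir/lib/libcrypto.so.1.0.0" 2>/dev/null | head -n 1)
  bin_sfx=$(openssl_102_suffix "$bin_out") ||
    { echo "FAIL: unexpected banner from bin/openssl: $bin_out"; return 1; }
  lib_sfx=$(openssl_102_suffix "$lib_out") ||
    { echo "FAIL: no OpenSSL 1.0.2 banner in lib/libcrypto.so.1.0.0"; return 1; }
  rc=0
  suffix_ge "$bin_sfx" "$want" ||
    { echo "FAIL: bin/openssl is 1.0.2$bin_sfx, need 1.0.2$want or later"; rc=1; }
  suffix_ge "$lib_sfx" "$want" ||
    { echo "FAIL: lib/libcrypto.so.1.0.0 is 1.0.2$lib_sfx, need 1.0.2$want or later"; rc=1; }
  [ "$bin_sfx" = "$lib_sfx" ] ||
    { echo "FAIL: bin/ (1.0.2$bin_sfx) and lib/ (1.0.2$lib_sfx) differ; step 7 or 9 was missed"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: Access Gateway OpenSSL is 1.0.2$bin_sfx in bin/ and lib/"
  return $rc
}

# Usage: sh upgrade_check.sh <InstallDir> [<PKG_DIR>]
# With only <InstallDir> it verifies; with both it installs and then verifies.
if [ $# -ge 1 ]; then
  [ $# -ge 2 ] && install_openssl_zn "$2" "$1"
  verify_ag_openssl "$1" zn
fi
```

The mismatch check is the part worth keeping even if the rest is done by hand: a gateway where bin/openssl reports 1.0.2zn but libcrypto.so.1.0.0 still carries the 1.0.2zm banner is still running the vulnerable code, because the proxy engine links the library, not the command-line tool.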

 

OpenSSL 1.0.2zn Windows Installation Instructions

1) Copy "Openssl102zn_1280801GA_and_Below_win64.zip" to the Access Gateway Server

2) Unzip "Openssl102zn_1280801GA_and_Below_win64.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of the extracted 'Openssl102zn_1280801GA_and_Below_win64' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of the extracted 'Openssl102zn_1280801GA_and_Below_win64' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

 

 

Additional Information

Verifying the OpenSSL version on Siteminder Access Gateway

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zn remediates the following CVEs:

CVE-2026-22796
CVE-2025-69421
CVE-2025-68160
CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304

Attachments

Openssl102zn_1280801GA_and_Below_linux.zip
Openssl102zn_1280801GA_and_Below_win64.zip