
Apache HTTPD 2.4.42 available for Access Gateway


Article ID: 189189


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The following CVEs have been reported for Apache 2.4.41 and older. The current version of Apache shipped with SiteMinder Access Gateway r12.8.x is 2.4.39. Patches are available to upgrade it to Apache 2.4.41, but these CVEs affect Apache 2.4.41 as well.

mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
mod_rewrite CWE-601 open redirect (CVE-2020-1927)

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

The release of Access Gateway r12.8.4 will include either Apache 2.4.42 or 2.4.43. Access Gateway r12.8.4 is scheduled for release in late May.

The following modules are used by Access Gateway:

mod_alias.so
mod_authz_core.so
mod_env.so
mod_jk.so
mod_log_config.so
mod_mime.so
mod_setenvif.so
mod_slotmem_shm.so
mod_socache_shmcb.so
mod_ssl.so
(UNIX) mod_unixd.so

The reported vulnerabilities are in two modules that are not in the list above:

mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
mod_rewrite CWE-601 open redirect (CVE-2020-1927)

###### PROPOSED RESOLUTION ######

1) Remove the following modules from Apache:

mod_proxy_ftp
mod_rewrite

2) Consider upgrading to Access Gateway r12.8.4 when it is released in late May.
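
One way to check step 1 on a host, as an added example that is not part of the original article: a shell script that reads the active `LoadModule` lines from an Apache configuration file and marks each module as used by Access Gateway, proposed for removal, or unlisted. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify active LoadModule lines using the article's module lists.

# Modules the article lists as used by Access Gateway.
USED="mod_alias.so mod_authz_core.so mod_env.so mod_jk.so mod_log_config.so mod_mime.so \
mod_setenvif.so mod_slotmem_shm.so mod_socache_shmcb.so mod_ssl.so mod_unixd.so"
# Modules the article proposes removing (CVE-2020-1934, CVE-2020-1927).
REMOVE="mod_proxy_ftp.so mod_rewrite.so"

# Print the .so file name of each active (uncommented) LoadModule line in file $1.
loaded_modules() {
  awk 'tolower($1) == "loadmodule" && NF >= 3 {
         n = split($3, part, "/"); gsub(/"/, "", part[n]); print part[n]
       }' "$1" | sort -u
}

# Print "<verdict> <module>" per loaded module; return 1 if any must be removed.
audit_modules() {
  rc=0
  for mod in $(loaded_modules "$1"); do
    case " $REMOVE " in *" $mod "*) echo "REMOVE $mod"; rc=1; continue ;; esac
    case " $USED " in *" $mod "*) echo "USED $mod"; continue ;; esac
    echo "REVIEW $mod"   # in neither list: confirm whether it is needed
  done
  return $rc
}

# Constructed sample httpd.conf fragment (not taken from a real installation).
write_sample_conf() {
  cat > "$1" <<'EOF'
LoadModule alias_module modules/mod_alias.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module modules/mod_jk.so
#LoadModule env_module modules/mod_env.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  loadmodule rewrite_module "modules/mod_rewrite.so"
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_modules "$conf" || echo "action needed: disable the REMOVE lines and restart httpd"
rm -f "$conf"
```

The script reads only the file it is given and does not follow `Include` directives. Modules compiled into the httpd binary have no `LoadModule` line; `httpd -M` lists those.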