Vulnerability in Apache 2.4.43 and older on Access Gateway r12.8.4 and older

Article ID: 199990

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server. The following is a list of the bundled Apache HTTP Server version by Siteminder Access Gateway version:

Access Gateway r12.8.4:  Apache HTTP Server 2.4.43
Access Gateway r12.8.5:  Apache HTTP Server 2.4.46
Access Gateway r12.8.6:  Apache HTTP Server 2.4.48
Access Gateway r12.8.6a:  Apache HTTP Server 2.4.52
Access Gateway r12.8.7:  Apache HTTP Server 2.4.54

KB 262099 delivers Apache HTTP Server 2.4.56 for Access Gateway Server:

KB 262099: Apache 2.4.56 for Siteminder Access Gateway

We're running a CA Access Gateway (SPS) and we'd like to know how to
protect it from the following vulnerabilities:

   CVE-2020-9490

     A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request 

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490

   CVE-2020-11984
 
     Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
  
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
 
   CVE-2020-11993

     When trace/debug was enabled for the HTTP/2 module and on certain traffic edge pattern

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993

We noted that SPS runs Apache 2.4.43:

  Defects Fixed in 12.8.04

    20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
    DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
    2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
    upgraded to 7.0.104.

  https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html

How can we fix this?

Environment

Siteminder Access Gateway: r12.8.4 and older

Access Gateway OS: ANY

Cause

CVE-2020-9490
CVE-2020-11984
CVE-2020-11993

The CVEs listed affect Apache HTTP Server 2.4.43 and older, which ships with Siteminder Access Gateway r12.8.4.

Resolution

This KB is superseded by the following KB:

KB 262099 delivers Apache HTTP Server 2.4.56 for Access Gateway Server:

KB 262099: Apache 2.4.56 for Siteminder Access Gateway