CA SSO Access Gateway 12.8 SP2 vulnerabilities


Article ID: 207095


Products

SITEMINDER

Issue/Introduction

 

We're running a CA Access Gateway (SPS) 12.8SP2 and we've found the
following vulnerabilities:

  -  Apache 2.4.37 < 2.4.46 (Multiple Vulnerabilities - HIGH)
  -  OpenSSL 1.0.2k < 1.0.2u (Procedure Overflow Vulnerability - Medium)

How can we get these vulnerabilities patched?

 

Environment

SPS 12.8SP2

Resolution

 

CA Access Gateway (SPS) 12.8SP5 includes the patched Apache
version 2.4.46 and OpenSSL 1.0.2u:

  Defects Fixed in 12.8.05

    32241741 DE480193 Apache HTTP Server is upgraded to Apache HTTP
    Server 2.4.46.

    32380551 DE485132 OpenSSL is upgraded to OpenSSL 1.0.2x.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_05.html

Policy Server and CA Access Gateway (SPS) 12.8SP5 can be downloaded here:

  CA Single Sign-On (formerly CA SiteMinder) Hotfix/Cumulative Release Index

    SSO Policy Server r12.8 SP05
    https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS16178&os=ANY

    SSO Access Gateway r12.8 SP05
    https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS16179&os=ANY

  https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-single-sign-on-hotfix-cumulative-release-index.html
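
To confirm after the upgrade that the gateway's bundled Apache and OpenSSL are at or above the fixed versions named above, the version banners can be compared as in this added example (not Broadcom tooling). The function names are hypothetical and the sample banners are constructed; it assumes the banners come from running `httpd -v` and `openssl version` with the gateway's own binaries.

```python
import re

# Fixed versions named in this article (Apache 2.4.46, OpenSSL 1.0.2u).
FIXED = {"apache": "2.4.46", "openssl": "1.0.2u"}

# Banner shapes printed by `httpd -v` and `openssl version`.
BANNER_RE = {
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)+)"),
    "openssl": re.compile(r"OpenSSL (\d+(?:\.\d+)+[a-z]*)"),
}


def version_key(version):
    """Turn '2.4.46' or '1.0.2u' into a sortable key.

    Numeric parts are compared as integers (so 2.4.9 < 2.4.46), and the
    OpenSSL 1.0.2 letter patch level is compared afterwards as a string
    (k < u < x < za).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def check_banner(component, banner):
    """Return (found_version, is_at_or_above_fixed) for one banner."""
    m = BANNER_RE[component].search(banner)
    if not m:
        raise ValueError(f"no {component} version in banner: {banner!r}")
    found = m.group(1)
    return found, version_key(found) >= version_key(FIXED[component])


if __name__ == "__main__":
    # Constructed sample banners (not captured from a real gateway).
    samples = [
        ("apache", "Server version: Apache/2.4.37 (Unix)"),
        ("openssl", "OpenSSL 1.0.2k  26 Jan 2017"),
        ("apache", "Server version: Apache/2.4.46 (Unix)"),
        ("openssl", "OpenSSL 1.0.2u  20 Dec 2019"),
    ]
    for component, banner in samples:
        found, ok = check_banner(component, banner)
        print(f"{component:8} {found:8} {'OK' if ok else 'BELOW FIXED VERSION'}")
```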