Some customers running Policy Server and AdminUI have asked whether these
SiteMinder components are affected by
"CA20131024-01: Security Notice for CA SiteMinder",
for example on the following versions:
AdminUI:
12.52SP01CR02
12.8SP03CR00
Policy server:
12.52SP01CR00
12.52SP01CR01
12.8SP03CR00
First, as of February 25th, 2021, AdminUI and Policy Server
12.52SP01 should be upgraded to the 12.8 series, as they have been out of
support since February 28, 2019 (1).
As for "CA20131024-01: Security Notice for CA SiteMinder", it appears to be
a fairly old notice that affects only Web Agents (2); the reported
vulnerability likewise concerns only Web Agents (3).
Consequently, AdminUI and Policy Server 12.8 are not affected by that
notice. If you run Web Agent 12.52SP1, this notice does not affect
that Web Agent version either.
According to the security advisory, the affected Web Agents are
versions 6, 12.0, 12.5 and 12.51 only. Again, if you run Web
Agents 12.52SP1, they are not affected by the problem (4).
(1)
CA Single Sign-On r12.52 End of Service Announcement
https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2017/ca-single-sign-on-r12-52-end-of-service-announcement.html?r=2
(2)
CA20131024-01: Security Notice for CA SiteMinder
CA Technologies Support is alerting customers to a potential
vulnerability in CA SiteMinder that can be mitigated by utilizing
existing product functionality. The vulnerability, CVE-2013-5968,
can potentially allow a remote attacker to conduct a reflected
cross-site scripting attack and execute script in the security
context of the SiteMinder domain. Customers should review their
SiteMinder deployments to verify that the vulnerability mitigating
functionality is enabled.
https://support.broadcom.com/external/content/security-advisories/CA20131024-01-Security-Notice-for-CA-SiteMinder/1828
(3)
CVE-2013-5968
Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0
through 12.51, and SiteMinder 6 Web Agents, allows remote attackers
to inject arbitrary web script or HTML via vectors involving a "
(double quote) character.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5968
(4)
CA20131024-01: Security Notice for CA SiteMinder
CA SiteMinder 12.51
CA SiteMinder 12.5
CA SiteMinder 12.0
CA SiteMinder 6 Web Agents
https://support.broadcom.com/external/content/security-advisories/CA20131024-01-Security-Notice-for-CA-SiteMinder/1828