Security notice impacts.


Article ID: 209249


Updated On:


CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder), Activator



When running Policy Server and AdminUI, some customers have asked whether
these SiteMinder components are affected by the security notice

  "CA20131024-01: Security Notice for CA SiteMinder"




  Policy server:





First, as of February 25th, 2021, AdminUI and Policy Server 12.52SP01
should be upgraded to the 12.8 series, as they have been out of support
since February 28, 2019 (1).

The "CA20131024-01: Security Notice for CA SiteMinder" appears to be a
fairly old notice that affects only Web Agents (2); the reported
vulnerability likewise concerns only the Web Agent (3).

That said, AdminUI and Policy Server 12.8 are not affected by that
notice. If you run Web Agent 12.52SP1, that Web Agent version is not
affected by this notice either.

Per the security advisory, the affected Web Agents are versions 6, 12.0,
12.5, and 12.51 only. Again, if you run Web Agents 12.52SP1, they are not
affected by the problem (4).



Additional Information



(1) CA Single Sign-On r12.52 End of Service Announcement

(2) CA20131024-01: Security Notice for CA SiteMinder

     CA Technologies Support is alerting customers to a potential
     vulnerability in CA SiteMinder that can be mitigated by utilizing
     existing product functionality. The vulnerability, CVE-2013-5968,
     can potentially allow a remote attacker to conduct a reflected
     cross-site scripting attack and execute script in the security
     context of the SiteMinder domain. Customers should review their
     SiteMinder deployments to verify that the vulnerability mitigating
     functionality is enabled.

(3)

     Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0
     through 12.51, and SiteMinder 6 Web Agents, allows remote attackers
     to inject arbitrary web script or HTML via vectors involving a "
     (double quote) character.

(4) CA20131024-01: Security Notice for CA SiteMinder

     CA SiteMinder 12.51
     CA SiteMinder 12.5
     CA SiteMinder 12.0
     CA SiteMinder 6 Web Agents