Security notice impacts.

Article ID: 209249

Updated On:

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) Activator

Issue/Introduction

 

Customers running Policy Server and AdminUI have asked whether these
SiteMinder components are affected by

  "CA20131024-01: Security Notice for CA SiteMinder"

for example with the following versions:

  AdminUI: 

   12.52SP01CR02
   12.8SP03CR00

  Policy server:

   12.52SP01CR00
   12.52SP01CR01
   12.8SP03CR00

 

Resolution

 

At first glance, as of Feb 25th 2021, AdminUI and Policy Server
12.52SP01 should be upgraded to the 12.8 series, as they have been out
of support since February 28, 2019 (1).

The "CA20131024-01: Security Notice for CA SiteMinder" appears to be a
fairly old notice that affects only Web Agents (2), and the reported
vulnerability also concerns only Web Agents (3).

Consequently, AdminUI and Policy Server 12.8 are not affected by that
notice. Web Agent 12.52SP1 is not affected by this notice either.

Per the security advisory, the affected Web Agent versions are 6, 12.0,
12.5 and 12.51 only. Again, if you run Web Agents 12.52SP1, they are not
affected by the problem (4).

 

 

Additional Information

 

(1)

     CA Single Sign-On r12.52 End of Service Announcement
     https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2017/ca-single-sign-on-r12-52-end-of-service-announcement.html?r=2

(2)

     CA20131024-01: Security Notice for CA SiteMinder

      CA Technologies Support is alerting customers to a potential
      vulnerability in CA SiteMinder that can be mitigated by utilizing
      existing product functionality. The vulnerability, CVE-2013-5968,
      can potentially allow a remote attacker to conduct a reflected
      cross-site scripting attack and execute script in the security
      context of the SiteMinder domain. Customers should review their
      SiteMinder deployments to verify that the vulnerability mitigating
      functionality is enabled.

     https://support.broadcom.com/external/content/security-advisories/CA20131024-01-Security-Notice-for-CA-SiteMinder/1828

(3)


    CVE-2013-5968

     Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0
     through 12.51, and SiteMinder 6 Web Agents, allows remote attackers
     to inject arbitrary web script or HTML via vectors involving a "
     (double quote) character.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5968

(4) 


    CA20131024-01: Security Notice for CA SiteMinder

     CA SiteMinder 12.51
     CA SiteMinder 12.5
     CA SiteMinder 12.0
     CA SiteMinder 6 Web Agents

    https://support.broadcom.com/external/content/security-advisories/CA20131024-01-Security-Notice-for-CA-SiteMinder/1828