OpenSSL 1.0.2.y (and older) Vulnerability on Access Gateway

Article ID: 211470

Updated On:

Products

SITEMINDER

Issue/Introduction

Siteminder Access Gateway includes OpenSSL 1.0.2 with the installation.  The following is a list of OpenSSL versions by Siteminder Access Gateway version:

r12.8.1: OpenSSL 1.0.2q

r12.8.2: OpenSSL 1.0.2q

r12.8.3: OpenSSL 1.0.2r

r12.8.4: OpenSSL 1.0.2u

r12.8.5: OpenSSL 1.0.2x

 

Each of these OpenSSL versions has published vulnerabilities, and later OpenSSL versions have been published that remediate them.

https://www.openssl.org/news/vulnerabilities-1.0.2.html

 

Environment

Release : 12.8.x

Component : SITEMINDER Access Gateway Server.

Resolution

Review the release notes to check whether a GA release, r12.8.6 or higher, fixes this issue.

Siteminder r12.8.x Release Notes (Defects Fixed in Service Packs):

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/service-packs.html

OpenSSL 1.0.2za was released under Broadcom defect DE513332.

Attached to this KB is OpenSSL 1.0.2za for Access Gateway on Linux and Windows. This is a standalone upgrade of OpenSSL that is supported on any supported version of Siteminder Access Gateway. Each OpenSSL upgrade package is specific to either Windows or Unix, but it is applicable to all versions of either Windows or Linux.

 

Additional Information

Follow these steps to upgrade OpenSSL on Access Gateway to 1.0.2za:

---------------------------------------------------
   OpenSSL 1.0.2za  Linux Installation Instructions
---------------------------------------------------

 

1) Copy "1.0.2za_linux64bit.zip" to the Access Gateway Server

2) Unzip "1.0.2za_linux64bit.zip"

unzip 1.0.2za_linux64bit.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.

5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.

6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.

7) Copy '/1.0.2za_linux64bit/Release/bin/openssl' to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

cp -r /1.0.2za_linux64bit/Release/bin/openssl /<InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the library files from '/1.0.2za_linux64bit/Release/lib/' to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

cp -r /1.0.2za_linux64bit/Release/lib/lib* /<InstallDir>/CA/secure-proxy/SSL/lib/

9) Re-set the permissions on the copied files.

10) Re-source the environment variables:

. ./ca_sps_env.sh

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
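
Steps 5 through 9 above, followed by a check that the installed binary reports 1.0.2za and a rollback if it does not, as an added example (not Broadcom's script). It assumes a Linux host with GNU or BusyBox coreutils; the function names and the timestamped backup directory name are hypothetical.

```bash
# Added example, not Broadcom's script: Linux steps 5-9 plus a version check.
# Assumptions: Linux with GNU or BusyBox coreutils; the function names are
# hypothetical. Run only while the Access Gateway is stopped (step 3).
#   $1 = unpacked "Release" directory of the OpenSSL package
#   $2 = <InstallDir>/CA/secure-proxy/SSL
#   $3 = version "openssl version" must report (default 1.0.2za)
_restore_ssl() { rm -rf "$2" && mv "$1" "$2"; }

swap_openssl() {
    local rel="$1" ssl="${2%/}" want="${3:-1.0.2za}" backup f old got
    if [ ! -x "$rel/bin/openssl" ] || [ ! -d "$ssl/bin" ] || [ ! -d "$ssl/lib" ]; then
        echo "unexpected layout under $rel or $ssl" >&2; return 2
    fi

    # Steps 5-6: cp -a keeps modes, owners and symlinks, so the backup is
    # both the rollback copy and the record of the original permissions.
    backup="$ssl.bak.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 2; }
    cp -a "$ssl" "$backup" || return 1

    # Steps 7-8: replace the binary and the libraries.
    if ! { cp "$rel/bin/openssl" "$ssl/bin/openssl" &&
           cp -r "$rel"/lib/lib* "$ssl/lib/"; }; then
        _restore_ssl "$backup" "$ssl"; return 1
    fi

    # Step 9: give each replaced file the mode its predecessor had.
    for f in "$ssl/bin/openssl" "$ssl"/lib/lib*; do
        old="$backup${f#"$ssl"}"
        if [ ! -L "$f" ] && [ ! -L "$old" ] && [ -f "$old" ]; then
            chmod "$(stat -c %a "$old")" "$f" || return 1
        fi
    done

    # Post-check: the installed binary, loading the installed libraries,
    # must report the expected version; otherwise put the backup back.
    got=$(LD_LIBRARY_PATH="$ssl/lib" "$ssl/bin/openssl" version 2>&1)
    case "$got" in
        "OpenSSL $want "*) echo "ok: $got (backup kept at $backup)" ;;
        *) echo "version check failed: '$got', restoring backup" >&2
           _restore_ssl "$backup" "$ssl"; return 1 ;;
    esac
}
```

Call it as `swap_openssl /1.0.2za_linux64bit/Release /<InstallDir>/CA/secure-proxy/SSL`, then continue with steps 10 and 11.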

---------------------------------------------------
   OpenSSL 1.0.2za Windows Installation Instructions
---------------------------------------------------

1) Stop the Access Gateway server

2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\SSL\

3) Back-up the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

4) Replace with the files from "openssl_102za_win64bit.zip"

5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\HTTPD\

6) Back-up the following files:

<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll

7) Replace with the files from "openssl_102za_win64bit.zip"

8) Start the Access Gateway server

Attachments

1631884391098__openssl_102za_win64bit.zip
1631884328181__openssl102za_linux64bit.zip