Security Scans show OpenSSL 1.0.2x instead of latest - 1.0.2y


Article ID: 211695


Products

SITEMINDER

Issue/Introduction

OpenSSL on Access Gateway has been identified as having vulnerabilities.

CVE-2021-23841: OpenSSL public API function X509_issuer_and_serial_hash()
-> Severity: Moderate
-> Published: 02/16/2021
-> Affected: 1.0.2-1.0.2x
-> Remediation: Fixed in OpenSSL 1.0.2y


CVE-2021-23840: EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may Overflow
-> Severity: Moderate
-> Published: 02/16/2021
-> Affected: 1.0.2-1.0.2x
-> Remediation: Fixed in OpenSSL 1.0.2y


CVE-2021-23839: SSLv2 Padding
-> Severity: Moderate
-> Published: 02/16/2021
-> Affected: 1.0.2s-1.0.2x
-> Remediation: Fixed in OpenSSL 1.0.2y

Cause

Access Gateway r12.8.5: OpenSSL 1.0.2x

Access Gateway r12.8.4: OpenSSL 1.0.2u

Access Gateway r12.8.3: OpenSSL 1.0.2r

Access Gateway r12.8.2: OpenSSL 1.0.2q

Access Gateway r12.8.1: OpenSSL 1.0.2i

Access Gateway r12.7.2: OpenSSL 1.0.2i

Access Gateway r12.7.1: OpenSSL 1.0.2i

Environment

Release : 12.7.x; r12.8.x

Component : Siteminder Access Gateway

Resolution

OpenSSL 1.0.2y for Access Gateway is available for download from DE495336.

This package is supported on any version of Access Gateway. The package for Windows applies to all Windows Server versions. The package for Linux applies to all Linux versions.

---------------------------------------------------
Linux Installation Instructions
---------------------------------------------------

Follow these steps to change the OpenSSL version to 1.0.2y:

1) Copy "1.0.2y_linux64bit.zip" to the Access Gateway Server
2) Unzip "1.0.2y_linux64bit.zip"

unzip 1.0.2y_linux64bit.zip

3) Stop the Access Gateway Server.
4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.
5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.
6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.
7) Copy '/1.0.2y_linux64bit/Release/bin/openssl' to the '<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

cp ./1.0.2y_linux64bit/Release/bin/openssl <InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the .so and .a files from '/1.0.2y_linux64bit/Release/lib/' to the '<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

cp ./1.0.2y_linux64bit/Release/lib/*.so <InstallDir>/CA/secure-proxy/SSL/lib/

cp ./1.0.2y_linux64bit/Release/lib/*.a <InstallDir>/CA/secure-proxy/SSL/lib/

9) Re-set the permissions on the copied files.
10) Re-source the environment variables:

. ./ca_sps_env.sh

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
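
Steps 5 to 9 above, plus a version check to run before rescanning, written as an added shell example (not part of the original article or any vendor tooling). The function names are hypothetical; it assumes GNU coreutils, the Release/bin and Release/lib layout named in steps 7 and 8, and that `openssl version` prints the version as its second field.

```shell
#!/usr/bin/env bash
# Added example: backup, copy, permission restore and version check.
# Function names are hypothetical. Requires GNU cp -a and chmod --reference.

# swap_openssl SSL_DIR PKG_DIR
#   SSL_DIR: <InstallDir>/CA/secure-proxy/SSL
#   PKG_DIR: unzipped package directory holding Release/bin and Release/lib
# Prints the backup directory on success. Run with the gateway stopped.
swap_openssl() {
  local ssl="${1%/}" pkg="${2%/}" backup src rel dest
  [ -x "$pkg/Release/bin/openssl" ] || { echo "package binary missing" >&2; return 1; }
  [ -d "$ssl/bin" ] && [ -d "$ssl/lib" ] || { echo "unexpected SSL layout" >&2; return 1; }

  # Steps 5-6: one full backup; -a records modes, owners and symlinks.
  backup="$ssl.bak.$(date +%Y%m%d%H%M%S)"
  [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }
  cp -a "$ssl" "$backup" || return 1

  # Steps 7-8: copy the binary, the shared objects and the static archives.
  for src in "$pkg/Release/bin/openssl" "$pkg"/Release/lib/*.so "$pkg"/Release/lib/*.a; do
    [ -e "$src" ] || continue              # glob matched nothing
    rel="${src#"$pkg/Release/"}"
    dest="$ssl/$rel"
    cp -f "$src" "$dest" || return 1
    # Step 9: restore the mode the replaced file had, taken from the backup.
    if [ -e "$backup/$rel" ]; then
      chmod --reference="$backup/$rel" "$dest" || return 1
    fi
  done
  printf '%s\n' "$backup"
}

# openssl_is_version SSL_DIR WANT      (for this article, WANT is 1.0.2y)
# Runs the gateway's own binary against the gateway's own lib directory
# (assumption: that is where the binary should find its libraries).
openssl_is_version() {
  local ssl="${1%/}" want="$2" out
  out=$(LD_LIBRARY_PATH="$ssl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
        "$ssl/bin/openssl" version) || return 1
  # The version is the second field of the first output line.
  [ "$(printf '%s\n' "$out" | awk 'NR==1 {print $2}')" = "$want" ]
}
```

Run `swap_openssl` between stopping and restarting the gateway, then `openssl_is_version <InstallDir>/CA/secure-proxy/SSL 1.0.2y`; a failure there means the scanner will still report the old build.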

---------------------------------------------------
Windows Installation Instructions
---------------------------------------------------

1) Stop the Access Gateway server
2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway [Default: C:\Program Files\CA\secure-proxy\SSL\]
3) Back-up the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

4) Replace with the files from "openssl102y_win64.zip"
5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway [Default: C:\Program Files\CA\secure-proxy\HTTPD\]
6) Back-up the following files:

<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll

7) Replace with the files from "openssl102y_win64.zip"
8) Start the Access Gateway server

Additional Information

Contact Siteminder Technical Support