
Critical apache vulnerability and apache upgrade on CA access gateway


Article ID: 225981


Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

There are critical vulnerabilities in Apache HTTP Server 2.4.48 and 2.4.49, the versions shipped with the current 12.8 CA Access Gateway.

Reference links:

https://nvd.nist.gov/vuln/detail/CVE-2021-40438

Apache HTTP Server 2.4 vulnerabilities: https://httpd.apache.org/security/vulnerabilities_24.html

How do we upgrade the Apache component on CA Access Gateway?

Cause

There are other vulnerabilities related to these versions.

CVE-2021-41524
-> Severity: moderate
-> Description: null pointer dereference in h2 fuzzing
-> Affected: Apache 2.4.49
-> Resolved: Apache 2.4.50

CVE-2021-41773
-> Severity: important 
-> Description: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
-> Affected: Apache 2.4.49
-> Resolved: Apache 2.4.50

The Apache web site states that "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient."
Customers therefore need to upgrade to Apache HTTP Server 2.4.51 for a complete fix.
 
The following reported vulnerabilities do not impact SiteMinder Access Gateway, and no further update is required once Apache HTTP Server is upgraded to 2.4.51.
 
CVE-2021-44224
-> Description: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). 
 
Broadcom response: Access Gateway does not act as a forward proxy, nor as a traditional reverse proxy. An out-of-the-box (OOTB) Access Gateway never uses directives such as ProxyRequests on or ProxyPass in its httpd configuration to act as a forward or reverse proxy.
The CVE applies when Apache is configured as a forward proxy, or with a mix of forward and reverse proxy declarations. OOTB Access Gateway does not use such configurations, hence CVE-2021-44224 is not applicable to OOTB Access Gateway.
 
CVE-2021-44790
-> Description: A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Broadcom response: The OOTB Access Gateway does not use Lua scripts, and the module required to execute them (mod_lua.so) is not shipped with OOTB Access Gateway. Hence CVE-2021-44790 is not applicable to OOTB Access Gateway.
 
If your security team requires Apache to be updated to version 2.4.52, follow the separate tech note articleId=231301 instead:
https://knowledge.broadcom.com/external/article?articleId=231301

Environment

Release : 12.8.05

Component : SITEMINDER SECURE PROXY SERVER

Resolution

12.8 SP6 Access Gateway still ships with Apache 2.4.48 out of the box. 12.8 SP6 is built with a different version of the Visual Studio compiler, so its Windows fix is not the same binary as for earlier versions.

Customers can manually upgrade Access Gateway to Apache 2.4.51.

The steps and binaries are provided here:

=======================================================

12.8.05 and previous versions are compiled with Visual Studio 2013

The 12.8.06 release is compiled with Visual Studio 2019

=======================================================

Naming convention and porting table

File                          Ports to
httpd_2451_win64_12806.zip    12.8.06 only
httpd2451_win64_12805.zip     12.8.05 and previous versions

---------------------------------------------------

                        Windows

---------------------------------------------------

Stop the running Access Gateway.

1. Navigate to the SPS install folder C:\program files\CA\secure-proxy\
2. Back up the original httpd folder as httpd_orig
3. Unzip the attachment file and copy its httpd folder to C:\program files\CA\secure-proxy\
4. Copy the conf folder from the original httpd_orig back into the new httpd (the Linux-style equivalent is shown below):
cp -r httpd_orig/conf  httpd/
5. Start the Access Gateway.

 

Follow these steps to upgrade to the new Apache version 2.4.51 on the Linux platform.

---------------------------------------------------
                        Linux
---------------------------------------------------

Stop the running Access Gateway.

1. Navigate to the SPS install folder /opt/CA/secure-proxy/
2. Back up the original httpd folder as httpd_orig
3. Unzip the attachment file and copy its httpd folder to /opt/CA/secure-proxy/
4. Copy the files below from the original httpd_orig back into the new httpd (site configuration plus the wrapper and build-config scripts, which the zip does not carry):

cp -r httpd_orig/conf  httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config  httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std  httpd/bin/

5. Start the Access Gateway.
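The Linux procedure above, rehearsed as an added example script (not Broadcom's own tooling): it performs the rename, copy and restore from step 4, but first checks that a previous httpd_orig backup is not silently overwritten and that the new tree really is an unpacked httpd, and it builds a constructed scratch tree so the swap can be tried offline before touching /opt/CA/secure-proxy. The root and new-tree paths are passed as arguments and are assumed names.

```shell
#!/bin/sh
# Added example, not Broadcom's script: rehearses the Linux steps above against a
# secure-proxy root, adding the checks an operator wants before the shipped httpd
# is overwritten. The root and new-tree paths are arguments (assumed names).

# bin/ scripts the page says must be carried over from the original install.
PRESERVE_BIN="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# upgrade_httpd ROOT NEW_TREE: rename ROOT/httpd to httpd_orig, copy the unzipped
# NEW_TREE in as ROOT/httpd, then restore conf/ and the bin scripts (step 4).
# Refuses to run when httpd_orig already exists, so the only backup is never lost.
upgrade_httpd() {
  root=$1
  new=$2
  [ -d "$root/httpd" ] || { echo "no httpd under $root" >&2; return 1; }
  [ -f "$new/bin/httpd" ] || { echo "$new is not an unpacked httpd tree" >&2; return 1; }
  if [ -e "$root/httpd_orig" ]; then
    echo "refusing: $root/httpd_orig exists (previous upgrade not cleaned up)" >&2
    return 2
  fi
  mv "$root/httpd" "$root/httpd_orig"
  cp -r "$new" "$root/httpd"
  cp -r "$root/httpd_orig/conf" "$root/httpd/"   # site configuration, merged over the shipped conf/
  for f in $PRESERVE_BIN; do                      # wrapper and build-config scripts
    [ -f "$root/httpd_orig/bin/$f" ] && cp "$root/httpd_orig/bin/$f" "$root/httpd/bin/"
  done
  return 0
}

# installed_conf ROOT: first line of the live httpd.conf, to confirm after the
# swap that the site configuration (not the zip's default) is what httpd will load.
installed_conf() { head -n 1 "$1/httpd/conf/httpd.conf"; }

# make_fixture DIR: constructed scratch tree so the procedure can be rehearsed
# offline: DIR/sps mimics the install, DIR/new_httpd the unzipped 2.4.51 tree.
make_fixture() {
  mkdir -p "$1/sps/httpd/conf" "$1/sps/httpd/bin" "$1/new_httpd/conf" "$1/new_httpd/bin"
  echo "ServerRoot site-tuned" > "$1/sps/httpd/conf/httpd.conf"
  echo "ServerRoot shipped-default" > "$1/new_httpd/conf/httpd.conf"
  printf '#!/bin/sh\necho old-wrapper\n' > "$1/sps/httpd/bin/apachectl"
  printf '#!/bin/sh\necho 2.4.51\n' > "$1/new_httpd/bin/httpd"
  chmod +x "$1/sps/httpd/bin/apachectl" "$1/new_httpd/bin/httpd"
}

# Run with --demo to rehearse the swap in a temporary directory.
case "${1-}" in
  --demo) d=$(mktemp -d); make_fixture "$d"
          upgrade_httpd "$d/sps" "$d/new_httpd" && installed_conf "$d/sps" ;;
esac
```

Against the real install, run upgrade_httpd with /opt/CA/secure-proxy and the unzipped httpd directory, with the Access Gateway stopped, and check installed_conf before starting it again.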

Additional Information

https://httpd.apache.org/security/vulnerabilities_24.html
DE516877
DE524151

Attachments

httpd2451_linux64bit_1634073970493.zip
httpd2451_win64_12805_1634073949692.zip
httpd_2451_win64_12806_1634073927183.zip