When running Siteminder CA Access Gateway (SPS), AdminUI and Policy
Server, what are the fixes for each of the following CVEs:
CVE-2020-1938
CVE-2014-3566
CVE-2015-4000
CVE-2016-2183
CVE-2020-1745
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
CVE-2018-3615
CVE-2018-3620
CVE-2018-3639
CVE-2018-3646
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11135
CVE-2021-2341
CVE-2021-2369
CVE-2021-2388
CVE-2021-2432
CVE-2018-10115
CVE-2020-12597
CVE-2021-4160
Related to embedded Tomcat in CA Access Gateway (SPS), which needs to
be upgraded to 12.8SP6 to fix it.
CVE-2020-1938 (1)
> Solution :
Upgrade CA Access Gateway (SPS) to 12.8SP6 (2).
Related to SSL and TLS.
CVE-2014-3566 (3)
> Solution :
Upgrade Policy Server, AdminUI and CA Access Gateway (SPS) to 12.8
(4).
Related to SSL and TLS.
CVE-2015-4000 (5)
> Solution :
Upgrade Policy Server, AdminUI and CA Access Gateway (SPS) to 12.8
(6).
Related to SSL and TLS.
CVE-2016-2183 (7)
> Solution :
Upgrade Siteminder components to 12.8, and ensure that the JVM is at
least 1.8.
Related to AJP.
CVE-2020-1745 (8)
> Solution :
Related to Undertow (9).
Siteminder doesn't use Undertow, as per the third-party software
documentation (10)(11).
Related to hardware and OS and outside Siteminder.
CVE-2017-5715 (12)
CVE-2017-5753 (13)
CVE-2017-5754 (14)
CVE-2018-3615 (15)
CVE-2018-3620 (16)
CVE-2018-3639 (17)
CVE-2018-3646 (18)
CVE-2018-12126 (19)
CVE-2018-12127 (20)
CVE-2018-12130 (21)
CVE-2019-11135 (22)
Related to JVM Oracle GraalVM Enterprise Edition.
CVE-2021-2341 (23)
CVE-2021-2369 (24)
CVE-2021-2388 (25)
> Solution :
Siteminder isn't affected. Siteminder doesn't use Oracle GraalVM
Enterprise Edition.
Related to JVM Oracle Java SE.
CVE-2021-2432 (26)
> Solution :
Siteminder 12.8 supports only Java 1.8 and higher, depending on the SP
version in use, as per our Support Matrix (27).
Related to other software outside Siteminder.
CVE-2018-10115 (28)
Related to Symantec Endpoint Protection which is outside Siteminder.
CVE-2020-12597 (29)
> Solution :
See the knowledge base article (30).
At first glance, when running Siteminder 12.8 none of these
vulnerabilities is present, except for CVE-2020-1938, for which an
upgrade to 12.8SP6 is needed.
To fix CVE-2020-1938, upgrade Siteminder to 12.8SP6 by following the
Upgrading documentation (31).
For all the other Siteminder-related CVEs:
CVE-2014-3566 (3)
CVE-2015-4000 (5)
CVE-2016-2183 (7)
CVE-2020-1745 (8)
These are already fixed in Siteminder 12.8SPx, which is the only
version supported as of October 18th, 2021. If the Policy Server,
AdminUI and CA Access Gateway (SPS) versions are lower than 12.8, then
upgrade all of these components to 12.8 as per the Upgrading
documentation given above (31).
About CVE-2020-12597 (29), please open a Support ticket for the product
"Symantec Endpoint Protection" if you need further details.
For all the other CVEs, please consult your system administrator
regarding the microprocessor and the related JVM vendors.
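A quick post-upgrade check for the Siteminder-related CVEs above, as an added example that is not part of this article or of Broadcom's tooling: it compares the embedded Tomcat version against the fixed releases listed in (1), and audits a Tomcat server.xml (the sample below is constructed, not a real SPS configuration) for the AJP exposure described in (1) and for the SSLv3, DHE_EXPORT and DES/3DES settings behind (3), (5) and (7).

```python
"""Audit a Tomcat server.xml for the exposures behind the CVEs above:
CVE-2020-1938 (AJP connector reachable by untrusted clients),
CVE-2014-3566 (SSLv3 enabled), CVE-2015-4000 (DHE_EXPORT suites) and
CVE-2016-2183 (DES/3DES suites). Added example, not Broadcom tooling;
the sample server.xml below is constructed, not a real SPS config."""
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector with no address restriction and no
# shared secret, plus an HTTPS connector that still allows SSLv3, 3DES
# and an export-grade DHE suite.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1.2"
               ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>"""

# Tomcat branches and the first release of each carrying the hardened AJP
# defaults, as listed in the CVE-2020-1938 text (1).
FIXED_TOMCAT = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}


def tomcat_has_ajp_fix(version):
    """True if this Tomcat version is 9.0.31 / 8.5.51 / 7.0.100 or later."""
    parts = tuple(int(p) for p in version.split("."))
    return parts[0] in FIXED_TOMCAT and parts >= FIXED_TOMCAT[parts[0]]


def audit_server_xml(xml_text):
    """Return a list of findings for the connectors in server.xml."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        if "AJP" in c.get("protocol", "HTTP/1.1").upper():
            # Before 9.0.31 an AJP connector without an address bound to
            # every interface; an explicit 0.0.0.0 or :: is the same exposure.
            if c.get("address", "0.0.0.0") in ("0.0.0.0", "::"):
                findings.append(f"AJP {port}: listens on all interfaces (CVE-2020-1938)")
            if not c.get("secret"):
                findings.append(f"AJP {port}: no shared secret configured")
        if c.get("SSLEnabled", "false").lower() == "true":
            protos = [p.strip() for p in c.get("sslEnabledProtocols", "").split(",")]
            if "SSLv3" in protos:
                findings.append(f"HTTPS {port}: SSLv3 enabled (CVE-2014-3566 POODLE)")
            for name in (x.strip() for x in c.get("ciphers", "").split(",")):
                if "DHE" in name and "EXPORT" in name:
                    findings.append(f"HTTPS {port}: {name} (CVE-2015-4000 Logjam)")
                if "3DES" in name or "_DES_" in name:
                    findings.append(f"HTTPS {port}: {name} (CVE-2016-2183 Sweet32)")
    return findings


if __name__ == "__main__":
    # 12.8.06 ships Tomcat 9.0.52 per (2), so the version check passes.
    print("Tomcat 9.0.52 has the AJP fix:", tomcat_has_ajp_fix("9.0.52"))
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```

Point `audit_server_xml` at the server.xml of the SPS embedded Tomcat after the upgrade; an empty list means none of the four exposures is configured.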
(1)
CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken
when trusting incoming connections to Apache Tomcat. Tomcat
treats AJP connections as having higher trust than, for example,
a similar HTTP connection. If such connections are available to
an attacker, they can be exploited in ways that may be
surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to
8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector
enabled by default that listened on all configured IP
addresses. It was expected (and recommended in the security
guide) that this Connector would be disabled if not
required. This vulnerability report identified a mechanism that
allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and
stored those files within the web application (or the attacker
was able to control the content of the web application by some
other means) then this, along with the ability to process a file
as a JSP, made remote code execution possible. It is important
to note that mitigation is only required if an AJP port is
accessible to untrusted users. Users wishing to take a
defence-in-depth approach and block the vector that permits
returning arbitrary files and execution as JSP may upgrade to
Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of
changes were made to the default AJP Connector configuration in
9.0.31 to harden the default configuration. It is likely that
users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need
to make small changes to their configurations.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
(2)
[IMS-SiteMinder : 12.8.06]
Apache Tomcat 9.0.52 : Apache License 2.0
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security--siteminder/siteminder/casso-consolidated/content/Thirdpartysoftwarerequirements-12-8-06.txt
(3)
CVE-2014-3566
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
other products, uses nondeterministic CBC padding, which makes
it easier for man-in-the-middle attackers to obtain cleartext
data via a padding-oracle attack, aka the "POODLE" issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566#:~:text=The%20SSL%20protocol%203.0%2C%20as,aka%20the%20%22POODLE%22%20issue.
(4)
Policy server secure ldap connection failure
Starting r12.52 SP2 CA SSO Policy Server, the support for SSLv3
protocol for secure connection to LDAP store is disabled by
default.
This change was done to mitigate the SSLv3 Poodle Vulnerability :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566
https://knowledge.broadcom.com/external/article?articleId=5159
(5)
CVE-2015-4000
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite
is enabled on a server but not on a client, does not properly
convey a DHE_EXPORT choice, which allows man-in-the-middle
attackers to conduct cipher-downgrade attacks by rewriting a
ClientHello with DHE replaced by DHE_EXPORT and then rewriting a
ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam"
issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
(6)
Vulnerability : AdminUI SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Against AdminUI 12.8SP5, running the following command doesn't report
"Diffie-Hellman Modulus <= 1024 Bits":
https://knowledge.broadcom.com/external/article?articleId=218751
(7)
CVE-2016-2183
The DES and Triple DES ciphers, as used in the TLS, SSH, and
IPSec protocols and other protocols and products, have a
birthday bound of approximately four billion blocks, which makes
it easier for remote attackers to obtain cleartext data via a
birthday attack against a long-duration encrypted session, as
demonstrated by an HTTPS session using Triple DES in CBC mode,
aka a "Sweet32" attack.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
(8)
CVE-2020-1745
A file inclusion vulnerability was found in the AJP connector
enabled with a default AJP configuration port of 8009 in
Undertow version 2.0.29.Final and before and was fixed in
2.0.30.Final. A remote, unauthenticated attacker could exploit
this vulnerability to read web application files from a
vulnerable server. In instances where the vulnerable server
allows file uploads, an attacker could upload malicious
JavaServer Pages (JSP) code within a variety of file types and
trigger this vulnerability to gain remote code execution.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745
(9)
Undertow
Undertow is a flexible performant web server written in java,
providing both blocking and non-blocking APIs based on NIO.
https://undertow.io/
(10)
Release 12.8 through Release 12.8.05
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/third-party-software-acknowledgments.html
(11)
[IMS-SiteMinder : 12.8.06]
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security--siteminder/siteminder/casso-consolidated/content/Thirdpartysoftwarerequirements-12-8-06.txt
(12)
CVE-2017-5715
Systems with microprocessors utilizing speculative execution and
indirect branch prediction may allow unauthorized disclosure of
information to an attacker with local user access via a
side-channel analysis.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
(13)
CVE-2017-5753
Systems with microprocessors utilizing speculative execution and
branch prediction may allow unauthorized disclosure of
information to an attacker with local user access via a
side-channel analysis.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
(14)
CVE-2017-5754
Systems with microprocessors utilizing speculative execution and
indirect branch prediction may allow unauthorized disclosure of
information to an attacker with local user access via a
side-channel analysis of the data cache.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
(15)
CVE-2018-3615
Systems with microprocessors utilizing speculative execution and
Intel software guard extensions (Intel SGX) may allow
unauthorized disclosure of information residing in the L1 data
cache from an enclave to an attacker with local user access via
a side-channel analysis.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
(16)
CVE-2018-3620
Systems with microprocessors utilizing speculative
execution and address translations may allow unauthorized disclosure
of information residing in the L1 data cache to an attacker with local
user access via a terminal page fault and a side-channel analysis.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
(17)
CVE-2018-3639
Systems with microprocessors utilizing speculative execution and
speculative execution of memory reads before the addresses of
all prior memory writes are known may allow unauthorized
disclosure of information to an attacker with local user access
via a side-channel analysis, aka Speculative Store Bypass (SSB),
Variant 4.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
(18)
CVE-2018-3646
Systems with microprocessors utilizing speculative execution and
address translations may allow unauthorized disclosure of
information residing in the L1 data cache to an attacker with
local user access with guest OS privilege via a terminal page
fault and a side-channel analysis.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
(19)
CVE-2018-12126
Microarchitectural Store Buffer Data Sampling (MSBDS): Store
buffers on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable
information disclosure via a side channel with local access. A
list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126
(20)
CVE-2018-12127
Microarchitectural Load Port Data Sampling (MLPDS): Load ports
on some microprocessors utilizing speculative execution may
allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of
impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
(21)
CVE-2018-12130
Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill
buffers on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable
information disclosure via a side channel with local access. A
list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130
(22)
CVE-2019-11135
TSX Asynchronous Abort condition on some CPUs utilizing
speculative execution may allow an authenticated user to potentially
enable information disclosure via a side channel with local access.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
(23)
CVE-2021-2341
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
product of Oracle Java SE (component: Networking). Supported
versions that are affected are Java SE: 7u301, 8u291, 11.0.11,
16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and
21.1.0. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Oracle GraalVM Enterprise
Edition. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized read access to a subset
of Java SE, Oracle GraalVM Enterprise Edition accessible
data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run
untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability does
not apply to Java deployments, typically in servers, that load
and run only trusted code (e.g., code installed by an
administrator). CVSS 3.1 Base Score 3.1 (Confidentiality
impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2341
(24)
CVE-2021-2369
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
product of Oracle Java SE (component: Library). Supported
versions that are affected are Java SE: 7u301, 8u291, 11.0.11,
16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and
21.1.0. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to
compromise Java SE, Oracle GraalVM Enterprise
Edition. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of Java SE, Oracle GraalVM Enterprise
Edition accessible data. Note: This vulnerability applies to
Java deployments, typically in clients running sandboxed Java
Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability does
not apply to Java deployments, typically in servers, that load
and run only trusted code (e.g., code installed by an
administrator). CVSS 3.1 Base Score 4.3 (Integrity
impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2369
(25)
CVE-2021-2388
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
product of Oracle Java SE (component: Hotspot). Supported
versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1;
Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult
to exploit vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE,
Oracle GraalVM Enterprise Edition. Successful attacks require
human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
takeover of Java SE, Oracle GraalVM Enterprise Edition. Note:
This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or
sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox
for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only
trusted code (e.g., code installed by an administrator). CVSS
3.1 Base Score 7.5 (Confidentiality, Integrity and Availability
impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2388
(26)
CVE-2021-2432
Vulnerability in the Java SE product of Oracle Java SE
(component: JNDI). The supported version that is affected is
Java SE: 7u301. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks of this
vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE. Note: This
vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes
from the internet) and rely on the Java sandbox for
security. This vulnerability can also be exploited by using APIs
in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability
impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2432
(27)
2.4 Java Virtual Machine (JVM)
The following table lists the Java Virtual Machine (JVM) support
requirements for release 12.8.06:
| SiteMinder Component | Java Runtime Environment |
|--------------------------+---------------------------------------------------|
| Policy Server | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
| Policy Server SDK 64 bit | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
| Access Gateway | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
The following table lists the Java Virtual Machine (JVM) support
requirements for release 12.8.03:
| SiteMinder Component | Java Runtime Environment |
|--------------------------+---------------------------------------------------------|
| Policy Server | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |
| Policy Server SDK 64 bit | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |
| Access Gateway | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |
The following table lists the Java Virtual Machine (JVM) support
requirements for release 12.8.02 and lower-numbered versions:
| SiteMinder Component | Java Runtime Environment |
|--------------------------+---------------------------------------------------|
| Policy Server | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |
| Policy Server SDK 64 bit | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |
| Access Gateway | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |
https://ftpdocs.broadcom.com/cadocs/0/contentimages/Symantec%20SiteMinder_12_8_Platform%20Support%20Matrix_1Oct2021.pdf
(28)
CVE-2018-10115
Incorrect initialization logic of RAR decoder objects in 7-Zip
18.03 and before can lead to usage of uninitialized memory,
allowing remote attackers to cause a denial of service
(segmentation fault) or execute arbitrary code via a crafted RAR
archive.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10115
(29)
CVE-2020-12597
** RESERVED ** This candidate has been reserved by an
organization or individual that will use it when announcing a
new security problem. When the candidate has been publicized,
the details for this candidate will be provided.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12597
(30)
CVE-2020-12597: Uncaught Exception vulnerability
Install the latest build of one of the affected products. New
versions contain a fix to this defect.
https://knowledge.broadcom.com/external/article/217923/cve202012597-uncaught-exception-vulnerab.html
(31)
Upgrading
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading.html
(32)
https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_list?articleId=235202