ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Multiple CVE Vulnerabilities in SiteMinder devices

book

Article ID: 226340

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running Siteminder CA Access Gateway (SPS), AdminUI and Policy
Server, what are the fix for each of the following CVE :

  CVE-2020-1938
  CVE-2014-3566
  CVE-2015-4000
  CVE-2016-2183
  CVE-2020-1745
  CVE-2017-5715
  CVE-2017-5753
  CVE-2017-5754
  CVE-2018-3615
  CVE-2018-3620
  CVE-2018-3639
  CVE-2018-3646
  CVE-2018-12126
  CVE-2018-12127
  CVE-2018-12130
  CVE-2019-11135
  CVE-2021-2341
  CVE-2021-2369
  CVE-2021-2388
  CVE-2021-2432
  CVE-2018-10115
  CVE-2020-12597

 

Cause

 

Related to embedded Tomcat in CA Access Gateway (SPS), which needs to
be upgraded to 12.8SP6 to fix it.

  CVE-2020-1938 (1)

> Solution :

    Upgrade AdminUI and CA Access Gateway (SPS) to 12.8SP6 (2).
    


Related to SSL and TLS.

  CVE-2014-3566 (3)

> Solution :

   Upgrade Policy Server, AdminUI and CA Access Gateway (SPS) to 12.8
   (4).

Related to SSL and TLS.

   CVE-2015-4000 (5) 
   


> Solution :

   Upgrade Policy Server, AdminUI and CA Access Gateway (SPS) to 12.8
   (6).

Related to SSL and TLS.

   CVE-2016-2183 (7)
   


> Solution :

    Upgrade Siteminder components to 12.8, and insure that JVM is 1.8
    at least.


    
Related to AJP.

  CVE-2020-1745 (8)

> Solution :

    Related to Undertow (9).
   
    Siteminder doesn't use Undertow as per third-party documentation
    (10)(11).

Related to hardware and OS and outside Siteminder.

  CVE-2017-5715 (12)
  CVE-2017-5753 (13)
  CVE-2017-5754 (14)
  CVE-2018-3615 (15)
  CVE-2018-3620 (16)
  CVE-2018-3639 (17)
  CVE-2018-3646 (18)
  CVE-2018-12126 (19)
  CVE-2018-12127 (20)
  CVE-2018-12130 (21)
  CVE-2019-11135 (22)

Related to JVM Oracle GraalVM Enterprise Edition.

  CVE-2021-2341 (23)
  CVE-2021-2369 (24)
  CVE-2021-2388 (25)

> Solution :    

    
    Siteminder isn't affected. Siteminder doesn't use Oracle GraalVM
    Enterprise Edition.

Related to JVM Oracle Java SE.

  CVE-2021-2432 (26)

    
> Solution :

    
    Siteminder 12.8 support only 1.8 and higher depending the SP
    version in use as per our Support Matrix (27).

Related to other software outside Siteminder.

   CVE-2018-10115 (28)
   


Related to Symantec Endpoint Protection which is outside Siteminder.

   CVE-2020-12597 (29)

    
> Solution (30).

 

Resolution

 

At first glance, when running Siteminder 12.8 none of the
vulnerability is present, except for the CVE-2020-1938 for which an
upgrade to 12.8SP6 is needed.

To fix the CVE-2020-1938, upgrade Siteminder to 12.8SP6
by following documentation (31).

For all other Siteminder related :

  CVE-2014-3566 (3)
  CVE-2015-4000 (5)
  CVE-2016-2183 (7)
  CVE-2020-1745 (8)

These are already fixed in Siteminder 12.8SPx which is the only
version supported on date of October the 18th 2021. If Policy Server,
AdminUI and CA Access Gateway (SPS) version are lower than 12.8, then
upgrade all of these component to 12.8 as per the Upgrade section
given above.

About CVE-2020-12597 (29), please open a Support ticket for product
"Symantec Endpoint Protection" if you need further precision.

For all the other CVE, please consult you system administrator when
concerning the microprocessor and the related JVM vendors.

 

Additional Information

 

(1)

    CVE-2020-1938

      When using the Apache JServ Protocol (AJP), care must be taken
      when trusting incoming connections to Apache Tomcat. Tomcat
      treats AJP connections as having higher trust than, for example,
      a similar HTTP connection. If such connections are available to
      an attacker, they can be exploited in ways that may be
      surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to
      8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector
      enabled by default that listened on all configured IP
      addresses. It was expected (and recommended in the security
      guide) that this Connector would be disabled if not
      required. This vulnerability report identified a mechanism that
      allowed: - returning arbitrary files from anywhere in the web
      application - processing any file in the web application as a
      JSP Further, if the web application allowed file upload and
      stored those files within the web application (or the attacker
      was able to control the content of the web application by some
      other means) then this, along with the ability to process a file
      as a JSP, made remote code execution possible. It is important
      to note that mitigation is only required if an AJP port is
      accessible to untrusted users. Users wishing to take a
      defence-in-depth approach and block the vector that permits
      returning arbitrary files and execution as JSP may upgrade to
      Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of
      changes were made to the default AJP Connector configuration in
      9.0.31 to harden the default configuration. It is likely that
      users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need
      to make small changes to their configurations.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

(2)

    [IMS-SiteMinder : 12.8.06]
    
      Apache Tomcat 9.0.52 : Apache License 2.0

    https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security--siteminder/siteminder/casso-consolidated/content/Thirdpartysoftwarerequirements-12-8-06.txt

(3)

    CVE-2014-3566

      The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
      other products, uses nondeterministic CBC padding, which makes
      it easier for man-in-the-middle attackers to obtain cleartext
      data via a padding-oracle attack, aka the "POODLE" issue.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566#:~:text=The%20SSL%20protocol%203.0%2C%20as,aka%20the%20%22POODLE%22%20issue.

(4)

     Policy server secure ldap connection failure

       Starting r12.52 SP2 CA SSO Policy Server, the support for SSLv3
       protocol for secure connection to LDAP store is disabled by
       default.

       This change was done to mitigate the SSLv3 Poodle Vulnerability : 

       https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566

     https://knowledge.broadcom.com/external/article?articleId=5159
(5)
     
    CVE-2015-4000

      The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite
      is enabled on a server but not on a client, does not properly
      convey a DHE_EXPORT choice, which allows man-in-the-middle
      attackers to conduct cipher-downgrade attacks by rewriting a
      ClientHello with DHE replaced by DHE_EXPORT and then rewriting a
      ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam"
      issue.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000


(6)

    Vulnerability : AdminUI SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

      Against the AdminUI 12.8SP5, when running the following command
      which doesn't report that "Diffie-Hellman Modulus <= 1024 Bits":

    https://knowledge.broadcom.com/external/article?articleId=218751

(7)

    CVE-2016-2183

      The DES and Triple DES ciphers, as used in the TLS, SSH, and
      IPSec protocols and other protocols and products, have a
      birthday bound of approximately four billion blocks, which makes
      it easier for remote attackers to obtain cleartext data via a
      birthday attack against a long-duration encrypted session, as
      demonstrated by an HTTPS session using Triple DES in CBC mode,
      aka a "Sweet32" attack.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183

(8)

    CVE-2020-1745

      A file inclusion vulnerability was found in the AJP connector
      enabled with a default AJP configuration port of 8009 in
      Undertow version 2.0.29.Final and before and was fixed in
      2.0.30.Final. A remote, unauthenticated attacker could exploit
      this vulnerability to read web application files from a
      vulnerable server. In instances where the vulnerable server
      allows file uploads, an attacker could upload malicious
      JavaServer Pages (JSP) code within a variety of file types and
      trigger this vulnerability to gain remote code execution.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745

(9)

    Undertow

      Undertow is a flexible performant web server written in java,
      providing both blocking and non-blocking API’s based on NIO.
      
    https://undertow.io/

(10)

    Release 12.8 through Release 12.8.05
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/third-party-software-acknowledgments.html

(11)

      
    [IMS-SiteMinder : 12.8.06]
    https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security--siteminder/siteminder/casso-consolidated/content/Thirdpartysoftwarerequirements-12-8-06.txt

(12)

    CVE-2017-5715

      Systems with microprocessors utilizing speculative execution and
      indirect branch prediction may allow unauthorized disclosure of
      information to an attacker with local user access via a
      side-channel analysis.
    
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715


(13)

    CVE-2017-5753

      Systems with microprocessors utilizing speculative execution and
      branch prediction may allow unauthorized disclosure of
      information to an attacker with local user access via a
      side-channel analysis.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

(14)

    CVE-2017-5754

      Systems with microprocessors utilizing speculative execution and
      indirect branch prediction may allow unauthorized disclosure of
      information to an attacker with local user access via a
      side-channel analysis of the data cache.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

(15)

    CVE-2018-3615

      Systems with microprocessors utilizing speculative execution and
      Intel software guard extensions (Intel SGX) may allow
      unauthorized disclosure of information residing in the L1 data
      cache from an enclave to an attacker with local user access via
      a side-channel analysis.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615

(16)

    CVE-2018-3620

      Systems with microprocessors utilizing speculative
      execution and address translations may allow unauthorized disclosure
      of information residing in the L1 data cache to an attacker with local
      user access via a terminal page fault and a side-channel analysis.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620

(17)

    CVE-2018-3639

      Systems with microprocessors utilizing speculative execution and
      speculative execution of memory reads before the addresses of
      all prior memory writes are known may allow unauthorized
      disclosure of information to an attacker with local user access
      via a side-channel analysis, aka Speculative Store Bypass (SSB),
      Variant 4.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639

(18)

    CVE-2018-3646

      Systems with microprocessors utilizing speculative execution and
      address translations may allow unauthorized disclosure of
      information residing in the L1 data cache to an attacker with
      local user access with guest OS privilege via a terminal page
      fault and a side-channel analysis.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646

(19)

    CVE-2018-12126

      Microarchitectural Store Buffer Data Sampling (MSBDS): Store
      buffers on some microprocessors utilizing speculative execution
      may allow an authenticated user to potentially enable
      information disclosure via a side channel with local access. A
      list of impacted products can be found here:

      https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126

(20)

    CVE-2018-12127

      Microarchitectural Load Port Data Sampling (MLPDS): Load ports
      on some microprocessors utilizing speculative execution may
      allow an authenticated user to potentially enable information
      disclosure via a side channel with local access. A list of
      impacted products can be found here:

      https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
(21)
    
    CVE-2018-12130

      Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill
      buffers on some microprocessors utilizing speculative execution
      1may allow an authenticated user to potentially enable
      information disclosure via a side channel with local access. A
      list of impacted products can be found here:

      https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130

(22)

    CVE-2019-11135

      TSX Asynchronous Abort condition on some CPUs utilizing
      speculative execution may allow an authenticated user to potentially
      enable information disclosure via a side channel with local access.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135

(23)

    CVE-2021-2341

      Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
      product of Oracle Java SE (component: Networking). Supported
      versions that are affected are Java SE: 7u301, 8u291, 11.0.11,
      16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and
      21.1.0. Difficult to exploit vulnerability allows
      unauthenticated attacker with network access via multiple
      protocols to compromise Java SE, Oracle GraalVM Enterprise
      Edition. Successful attacks require human interaction from a
      person other than the attacker. Successful attacks of this
      vulnerability can result in unauthorized read access to a subset
      of Java SE, Oracle GraalVM Enterprise Edition accessible
      data. Note: This vulnerability applies to Java deployments,
      typically in clients running sandboxed Java Web Start
      applications or sandboxed Java applets, that load and run
      untrusted code (e.g., code that comes from the internet) and
      rely on the Java sandbox for security. This vulnerability does
      not apply to Java deployments, typically in servers, that load
      and run only trusted code (e.g., code installed by an
      administrator). CVSS 3.1 Base Score 3.1 (Confidentiality
      impacts). CVSS Vector:
      (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2341

(24)

    CVE-2021-2369

      Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
      product of Oracle Java SE (component: Library). Supported
      versions that are affected are Java SE: 7u301, 8u291, 11.0.11,
      16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and
      21.1.0. Easily exploitable vulnerability allows unauthenticated
      attacker with network access via multiple protocols to
      compromise Java SE, Oracle GraalVM Enterprise
      Edition. Successful attacks require human interaction from a
      person other than the attacker. Successful attacks of this
      vulnerability can result in unauthorized update, insert or
      delete access to some of Java SE, Oracle GraalVM Enterprise
      Edition accessible data. Note: This vulnerability applies to
      Java deployments, typically in clients running sandboxed Java
      Web Start applications or sandboxed Java applets, that load and
      run untrusted code (e.g., code that comes from the internet) and
      rely on the Java sandbox for security. This vulnerability does
      not apply to Java deployments, typically in servers, that load
      and run only trusted code (e.g., code installed by an
      administrator). CVSS 3.1 Base Score 4.3 (Integrity
      impacts). CVSS Vector:
      (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2369

(25)

    CVE-2021-2388

      Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
      product of Oracle Java SE (component: Hotspot). Supported
      versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1;
      Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult
      to exploit vulnerability allows unauthenticated attacker with
      network access via multiple protocols to compromise Java SE,
      Oracle GraalVM Enterprise Edition. Successful attacks require
      human interaction from a person other than the
      attacker. Successful attacks of this vulnerability can result in
      takeover of Java SE, Oracle GraalVM Enterprise Edition. Note:
      This vulnerability applies to Java deployments, typically in
      clients running sandboxed Java Web Start applications or
      sandboxed Java applets, that load and run untrusted code (e.g.,
      code that comes from the internet) and rely on the Java sandbox
      for security. This vulnerability does not apply to Java
      deployments, typically in servers, that load and run only
      trusted code (e.g., code installed by an administrator). CVSS
      3.1 Base Score 7.5 (Confidentiality, Integrity and Availability
      impacts). CVSS Vector:
      (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2388

(26)

    CVE-2021-2432

      Vulnerability in the Java SE product of Oracle Java SE
      (component: JNDI). The supported version that is affected is
      Java SE: 7u301. Difficult to exploit vulnerability allows
      unauthenticated attacker with network access via multiple
      protocols to compromise Java SE. Successful attacks of this
      vulnerability can result in unauthorized ability to cause a
      partial denial of service (partial DOS) of Java SE. Note: This
      vulnerability applies to Java deployments, typically in clients
      running sandboxed Java Web Start applications or sandboxed Java
      applets, that load and run untrusted code (e.g., code that comes
      from the internet) and rely on the Java sandbox for
      security. This vulnerability can also be exploited by using APIs
      in the specified Component, e.g., through a web service which
      supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability
      impacts). CVSS Vector:
      (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2432

(27)

    2.4 Java Virtual Machine (JVM)

      The following table lists the Java Virtual Machine (JVM) support
      requirements for release 12.8.06:

      | SiteMinder Component     | Java Runtime Environment                          |
      |--------------------------+---------------------------------------------------|
      | Policy Server            | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
      | Policy Server SDK 64 bit | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
      | Access Gateway           | AdoptOpenJDK 11 (or later updates on 11.x) 64 bit |
      |                          |                                                   |

      The following table lists the Java Virtual Machine (JVM) support
      requirements for release 12.8.03

      | SiteMinder Component     | Java Runtime Environment                                |
      |--------------------------+---------------------------------------------------------|
      | Policy Server            | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |
      | Policy Server SDK 64 bit | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |
      | Access Gateway           | AdoptOpenJDK 1.8.212 (or later updates on 1.8.x) 64 bit |

      The following table lists the Java Virtual Machine (JVM) support
      requirements for 12.8.02 lower numbered versions:

      | SiteMinder Component     | Java Runtime Environment                          |
      |--------------------------+---------------------------------------------------|
      | Policy Server            | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |
      | Policy Server SDK 64 bit | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |
      | Access Gateway           | Oracle JDK 1.8 (or later updates on 1.8.x) 64 bit |

    https://ftpdocs.broadcom.com/cadocs/0/contentimages/Symantec%20SiteMinder_12_8_Platform%20Support%20Matrix_1Oct2021.pdf

(28)

    CVE-2018-10115

      Incorrect initialization logic of RAR decoder objects in 7-Zip
      18.03 and before can lead to usage of uninitialized memory,
      allowing remote attackers to cause a denial of service
      (segmentation fault) or execute arbitrary code via a crafted RAR
      archive.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10115

(29)

    CVE-2020-12597

      ** RESERVED ** This candidate has been reserved by an
      organization or individual that will use it when announcing a
      new security problem. When the candidate has been publicized,
      the details for this candidate will be provided.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12597

(30)

   CVE-2020-12597: Uncaught Exception vulnerability

     Install the latest build of one of the affected products.  New
     versions contain a fix to this defect.

   https://knowledge.broadcom.com/external/article/217923/cve202012597-uncaught-exception-vulnerab.html

(31)

  Upgrading
  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading.html