
OpenSSL 1.0.2zc Vulnerability on Siteminder Access Gateway r12.8.x


Article ID: 238097


Updated On:

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

OpenSSL 1.0.2zc vulnerability on Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za

Vulnerabilities have been reported in versions of OpenSSL 1.0.2 up to and including 1.0.2zc. This impacts all GA versions of Symantec Siteminder Access Gateway up to and including r12.8.6a.

 

Cause

CVE-2022-0778

IMPACTED: BN_mod_sqrt() function
SEVERITY: High
AFFECTED: 1.0.2 - 1.0.2zc
REMEDIATED: 1.0.2zd

--------------------
CVE-2021-4160

IMPACTED: MIPS32 and MIPS64 squaring procedure
SEVERITY: Moderate
AFFECTED: 1.0.2 - 1.0.2zb
REMEDIATED: 1.0.2zc-dev; 1.0.2zb

Environment

Release : 12.8.0 - r12.8.6a

Component : Access Gateway

Resolution

Upgrade the OpenSSL in all Siteminder Access Gateways to OpenSSL 1.0.2zd

NOTE: Use the package that matches your release and platform:

r12.8.6 and higher on Windows: openssl102zd_win64_12806.zip
r12.8.5 and lower on Windows: openssl102zd_win64_12805.zip
r12.8.6a and lower on Linux: openssl1.0.2zd_linux64bit.zip

###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2zd on Linux Installation Instructions
---------------------------------------------------


1) Copy "1.0.2zd_linux64bit.zip" to the Access Gateway Server

2) Unzip "1.0.2zd_linux64bit.zip"

unzip 1.0.2zd_linux64bit.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.

5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.

6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.

7) Copy '/1.0.2zd_linux64bit/Release/bin/openssl' to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

cp -r /1.0.2zd_linux64bit/Release/bin/openssl /<InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the library files from '/1.0.2zd_linux64bit/Release/lib/' to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

cp -r /1.0.2zd_linux64bit/Release/lib/lib* /<InstallDir>/CA/secure-proxy/SSL/lib/

9) Re-set the permissions on the copied files.

10) Re-source the environment variables:

. ./ca_sps_env.sh

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
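
A post-upgrade check for the Linux steps above, added here as an example (it is not part of the vendor package or the original article). It classifies an `openssl version` banner against the fixed release 1.0.2zd, and also catches the case where the binary from step 7 was replaced but the libraries from step 8 were not: OpenSSL 1.0.2 then prints a "(Library: ...)" part in the banner. The function names and sample banners are constructed; it assumes the script is run from a shell where ca_sps_env.sh has been sourced.

```shell
#!/bin/sh
# Added example (not vendor code): check an `openssl version` banner against
# the fixed release named in this article, 1.0.2zd.

# Rank a 1.0.2 letter suffix: "" -> 0, a..z -> 1..26, za -> 27, zd -> 30.
suffix_rank() {
    s=$1; rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # split off the first character
        if [ "$c" = z ] && [ -n "$s" ]; then
            rank=$((rank + 26))              # leading "z" of za, zb, ...
        else
            rank=$((rank + $(printf '%d' "'$c") - 96))
        fi
    done
    echo "$rank"
}

# Print remediated / vulnerable / unknown for one banner. Every 1.0.2 version
# in the banner must be at least 1.0.2zd: a "(Library: ...)" part means the
# binary and the libcrypto it loaded are different builds.
classify_banner() {
    found=0
    for v in $(printf '%s\n' "$1" | grep -oE '1\.0\.2[a-z]*'); do
        found=1
        if [ "$(suffix_rank "${v#1.0.2}")" -lt "$(suffix_rank zd)" ]; then
            echo vulnerable; return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo unknown; return 2; }
    echo remediated
}

if [ $# -gt 0 ]; then
    # $1 = <InstallDir>; run from a shell where ca_sps_env.sh has been sourced.
    classify_banner "$("$1/CA/secure-proxy/SSL/bin/openssl" version 2>&1)"
else
    # Constructed sample banners (dates are placeholders).
    for b in 'OpenSSL 1.0.2zd  1 Jan 2000' \
             'OpenSSL 1.0.2za  1 Jan 2000' \
             'OpenSSL 1.0.2zd  1 Jan 2000 (Library: OpenSSL 1.0.2za  1 Jan 2000)'; do
        printf '%-12s %s\n' "$(classify_banner "$b")" "$b"
    done
fi
```

Run it with the install directory as its only argument; the exit status is 0 only when every version in the banner is 1.0.2zd or later.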

---------------------------------------------------
OpenSSL 1.0.2zd on Windows Installation Instructions
---------------------------------------------------

1) Stop the Access Gateway server

2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\SSL\

3) Back-up the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

4) Replace with the files from "openssl_102zd_win64bit.zip"

5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\HTTPD\

6) Back-up the following files:

<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll

7) Replace with the files from "openssl_102zd_win64bit.zip"

8) Start the Access Gateway server

Additional Information

https://www.openssl.org/news/vulnerabilities-1.0.2.html

Attachments

openssl102zd_win64_12806_1648585583614.zip
openssl102zd_win64_12805_1648585567789.zip
openssl1.0.2zd_linux64bit_1648585530650.zip