OpenSSL 1.0.2zd reported vulnerability

Article ID: 241706

Updated On:

Products

SITEMINDER

Issue/Introduction

OpenSSL 1.0.2zd vulnerability on Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za

Vulnerabilities have been reported against OpenSSL 1.0.2 releases up to and including 1.0.2zd. This affects all GA versions of Symantec Siteminder Access Gateway up to and including r12.8.6a.

Cause

CVE-2022-1292 

Component: OpenSSL
Versions Impacted: 1.0.2 - 1.0.2zd
Severity: Moderate

DESCRIPTION:

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Reported by Elison Niven (Sophos).

Fixed in OpenSSL 1.0.2ze

Environment

Release : 12.8.6a

Component : Siteminder Access Gateway

Resolution

Upgrade the OpenSSL in all Siteminder Access Gateways to OpenSSL 1.0.2ze

NOTE: 

WINDOWS
r12.8.6 and higher on Windows: openssl102ze_win64_12806.zip
r12.8.5 and lower on Windows: openssl102ze_win64_12805.zip

LINUX
r12.8.6a and lower on Linux: openssl1.0.2ze_linux64bit.zip

###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2ze on Linux Installation Instructions
---------------------------------------------------

1) Copy "openssl1.0.2ze_linux64bit.zip" to the Access Gateway Server.

2) Unzip "openssl1.0.2ze_linux64bit.zip":

unzip openssl1.0.2ze_linux64bit.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.

5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.

6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.

7) Copy '/1.0.2ze_linux64bit/Release/bin/openssl' to the '<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

cp /1.0.2ze_linux64bit/Release/bin/openssl <InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the library files from '/1.0.2ze_linux64bit/Release/lib/' to the '<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

cp -r /1.0.2ze_linux64bit/Release/lib/lib* <InstallDir>/CA/secure-proxy/SSL/lib/

9) Re-set the ownership and permissions on the copied files so they match what was noted in step 5 (chown/chmod them to match the originals in the backup from step 6).

10) Re-source the environment variables:

. ./ca_sps_env.sh

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
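The Linux steps above as one script, added here as an example; it is not Broadcom's own tooling and not part of the KB. It assumes the zip has been extracted to a Release directory as in step 7, that the Access Gateway install root is passed on the command line, and that sps-ctl accepts "stop" as well as the "start" the KB shows. It also adds two checks a practitioner would want: a version comparison that understands the 1.0.2 letter-suffix scheme (za sorts after z), run against the bundled binary before and after the update, and a search for a bundled c_rehash script, since CVE-2022-1292 is in that script rather than in libssl and the OpenSSL advisory says to use "openssl rehash" instead.

```shell
#!/bin/sh
# Added example (not part of the KB): verify and apply the OpenSSL 1.0.2ze update
# on a Linux Access Gateway. Assumptions: the install root and the extracted Release
# directory (e.g. /1.0.2ze_linux64bit/Release) are given as arguments, and
# proxy-engine/sps-ctl accepts "stop" (the KB only shows "start").

# Rank a 1.0.2 letter suffix ("", "q", "za", "ze") so versions compare correctly:
# patch releases run a..z and then za, zb, ..., so "za" must sort after "z".
letter_rank() {
  s=$1; rank=0
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}                                    # first character of the remaining suffix
    s=${s#?}
    rank=$((rank * 26 + $(printf '%d' "'$c") - 96))    # a=1 .. z=26
  done
  echo "$rank"
}

# Succeed when OpenSSL version $1 (e.g. 1.0.2zd) is at least $2 (e.g. 1.0.2ze).
# Returns 2 for anything that is not a 1.0.2 version string.
openssl102_at_least() {
  case $1 in 1.0.2*) ;; *) return 2 ;; esac
  case $2 in 1.0.2*) ;; *) return 2 ;; esac
  [ "$(letter_rank "${1#1.0.2}")" -ge "$(letter_rank "${2#1.0.2}")" ]
}

# Pull the version token out of `openssl version` output such as
# "OpenSSL 1.0.2ze  3 May 2022".
openssl_version_from_banner() {
  set -- $1
  echo "$2"
}

# Is the bundled binary already 1.0.2ze or later? 0 = yes, 1 = update needed, 2 = no binary.
check_gateway_openssl() {
  bin="$1/CA/secure-proxy/SSL/bin/openssl"
  [ -x "$bin" ] || { echo "no openssl binary at $bin" >&2; return 2; }
  v=$(openssl_version_from_banner "$("$bin" version)")
  if openssl102_at_least "$v" 1.0.2ze; then
    echo "OK: $bin reports $v"; return 0
  fi
  echo "UPDATE NEEDED: $bin reports $v (want 1.0.2ze or later)"; return 1
}

# CVE-2022-1292 is in the c_rehash script, not libssl: list any copy shipped under
# the gateway's SSL directory so it can be removed or replaced by "openssl rehash".
report_c_rehash() {
  find "$1/CA/secure-proxy/SSL" -name c_rehash 2>/dev/null
}

# Steps 3-11 of the KB. Run as the user that owns the Access Gateway installation.
apply_update() {
  install_dir=$1; rel=$2
  sps="$install_dir/CA/secure-proxy"
  bak="$sps/SSL.bak.$(date +%Y%m%d%H%M%S)"
  ( cd "$sps" && ./proxy-engine/sps-ctl stop )                        # step 3 (assumed verb)
  cp -a "$sps/SSL" "$bak"                                              # steps 5-6: backup keeps owner/mode
  cp "$rel/bin/openssl" "$sps/SSL/bin/openssl"                         # step 7
  cp -a "$rel"/lib/lib* "$sps/SSL/lib/"                                # step 8 (symlinks kept as symlinks)
  for f in "$sps"/SSL/bin/openssl "$sps"/SSL/lib/lib*; do              # step 9: restore owner and mode
    orig="$bak/${f#"$sps/SSL/"}"
    [ -e "$orig" ] || continue
    chown --reference="$orig" "$f"
    chmod --reference="$orig" "$f"
  done
  ( cd "$sps" && . ./ca_sps_env.sh && ./proxy-engine/sps-ctl start )  # steps 10-11
  check_gateway_openssl "$install_dir"                                 # confirm the new binary is live
}

# Usage: sh update_openssl.sh check <InstallDir>
#        sh update_openssl.sh apply <InstallDir> <ReleaseDir>
[ $# -eq 0 ] || case $1 in
  check) check_gateway_openssl "$2"; report_c_rehash "$2" ;;
  apply) apply_update "$2" "$3" ;;
  *) echo "usage: $0 {check|apply} <InstallDir> [ReleaseDir]" >&2; exit 2 ;;
esac
```

Run "check" first to see what the gateway currently reports and whether a c_rehash script is present at all; only the SSL directory is touched, and the timestamped SSL.bak copy is what you restore from if the gateway fails to start afterwards. The --reference forms of chown and chmod are GNU coreutils, which is fine for the Linux builds the KB covers.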

 

---------------------------------------------------
   OpenSSL 1.0.2ze Windows Installation Instructions
---------------------------------------------------

1) Stop the Access Gateway server

2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\SSL\bin\

3) Back-up the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

4) Replace them with the files from the zip for your release: "openssl102ze_win64_12806.zip" for r12.8.6 and higher, "openssl102ze_win64_12805.zip" for r12.8.5 and lower

5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\HTTPD\bin\

6) Back-up the following files:

<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll

7) Replace them with the files from the same zip used in step 4

8) Start the Access Gateway server

Attachments

openssl102ze_linux_1652461342423.zip
openssl102ze_12806_win64_1652461309103.zip
openssl102ze_12805_win64_1652460899527.zip