Vulnerabilities with Apache 2.4.53 and older on Siteminder Access Gateway 12.8.x

Article ID: 243568

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The following vulnerabilities and their remediations were published by apache.org.

Fixed in Apache HTTP Server 2.4.54

CVE-2022-26377
SEVERITY: moderate
DESCRIPTION: mod_proxy_ajp: Possible request smuggling
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-28330
SEVERITY: low
DESCRIPTION: read beyond bounds in mod_isapi
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-28614
SEVERITY: low
DESCRIPTION: read beyond bounds via ap_rwrite()
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-28615
SEVERITY: low
DESCRIPTION: Read beyond bounds in ap_strcmp_match()
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-29404
SEVERITY: low
DESCRIPTION: Denial of service in mod_lua r:parsebody
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-30522
SEVERITY: low
DESCRIPTION: mod_sed denial of service
AFFECTS: 2.4.53
REMEDIATION: 2.4.54

CVE-2022-30556
SEVERITY: low
DESCRIPTION: Information Disclosure in mod_lua with websockets
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

CVE-2022-31813
SEVERITY: low
DESCRIPTION: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
AFFECTS: <=2.4.53
REMEDIATION: 2.4.54

Environment

Release : 12.8.x

Component : Siteminder Access Gateway Server

Operating System: Linux / Windows

Resolution

All published vulnerabilities impacting Apache 2.4.53 or older can be remediated with Apache 2.4.54. This release is a cumulative fix for all published vulnerabilities impacting Apache 2.4.53 and older releases on the 2.4.x platform.


Download one of the following:

For r12.8.6 and higher on Windows --> download: httpd_2454_win64_12806_1655402803072.zip

For r12.8.5 and older on Windows --> download: httpd_2454_win64_12805_1655402874288.zip

For r12.8.x (any version) on Linux --> download: httpd_2454_linux.zip

Upgrade Apache for Access Gateway on Windows

1) Download and unzip 'httpd_2454_win64_1280x.zip' onto the Access Gateway server

2) Stop the Access Gateway instance

3) Navigate to Access Gateway installation directory and backup existing 'httpd' folder by renaming it 'httpd_orig' (location: <CA>/secure-proxy/httpd/)

4) Copy the 'httpd' folder from 'httpd_2454_win64_1280x.zip' to '<CA>/secure-proxy/' folder

5) Restore the '/conf' folder from 'httpd_orig' to the new '<CA>/secure-proxy/httpd/' folder

6) (FOR version 12.8.5 only) Restore files 'configssl.bat', 'openssl.exe', 'libeay32.dll' and 'ssleay32.dll' from 'httpd_orig' to the new '<CA>/secure-proxy/httpd/bin/' folder

7) Restart Access Gateway instance


Upgrade Apache for Access Gateway on Linux

1) Stop the running Access Gateway.

2) Navigate to the Access Gateway installation directory /opt/CA/secure-proxy/

3) Back up the original /httpd folder to /httpd_orig

4) Unzip the attachment file and change the permissions appropriately (755) for all files, then copy the <patch>/Release/ folder to /opt/CA/secure-proxy/httpd/

cp -r /<patchdir>/httpd/* /opt/CA/secure-proxy/httpd/

5) Copy the files below from the original /httpd_orig back to /httpd (this restores the site configuration and the launcher/build scripts that the patch overwrote)

cp -r httpd_orig/conf httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std httpd/bin/

6) Start the Access Gateway.
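The Linux steps 3 to 5 above, scripted as one POSIX sh function with precondition checks and a post-upgrade version check. This is an added example, not a script shipped with the article or the product; it assumes the article's paths (secure-proxy root defaulting to /opt/CA/secure-proxy, an unzipped patch directory containing httpd/), and stopping/starting the Access Gateway (steps 1 and 6) is left to your site's own commands.

```sh
# Files the article restores from httpd_orig/bin into the new httpd/bin.
KEEP_BIN_FILES="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# upgrade_httpd <patchdir> [sp_root]
# Returns 0 on success. Every precondition is checked before anything is
# touched, so a failure leaves no half-applied patch behind.
upgrade_httpd() {
    patchdir="$1"
    root="${2:-/opt/CA/secure-proxy}"   # article's default install root
    [ -d "$patchdir/httpd" ] || { echo "no httpd/ under $patchdir" >&2; return 1; }
    [ -d "$root/httpd" ] || { echo "no existing httpd under $root" >&2; return 1; }
    # Refuse to clobber an earlier backup: it is the only rollback point.
    [ ! -e "$root/httpd_orig" ] || { echo "$root/httpd_orig exists; move it aside first" >&2; return 1; }

    # Step 3: keep the original tree as the rollback point.
    cp -r "$root/httpd" "$root/httpd_orig" || return 1
    # Step 4: set permissions on the patch files, then overlay them onto the install.
    chmod -R 755 "$patchdir/httpd" || return 1
    cp -r "$patchdir/httpd"/* "$root/httpd/" || return 1
    # Step 5: bring back the site configuration and the launcher/build scripts.
    cp -r "$root/httpd_orig/conf" "$root/httpd/" || return 1
    for f in $KEEP_BIN_FILES; do
        [ -f "$root/httpd_orig/bin/$f" ] || { echo "missing $f in httpd_orig/bin" >&2; return 1; }
        cp "$root/httpd_orig/bin/$f" "$root/httpd/bin/" || return 1
    done
    return 0
}

# verify_httpd_version <version> [sp_root]
# Succeeds only if the installed binary reports the expected release,
# e.g. verify_httpd_version 2.4.54 after the upgrade.
verify_httpd_version() {
    root="${2:-/opt/CA/secure-proxy}"
    "$root/httpd/bin/httpd" -v 2>/dev/null | grep -q "Apache/$1"
}
```

Run `upgrade_httpd /path/to/unzipped/patch` between stopping and starting the Access Gateway, then `verify_httpd_version 2.4.54` before bringing the instance back into service.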

Attachments

httpd_2.4.54_Linux_1655912355103.zip
httpd_2454_win64_12805_1655402874288.zip
httpd_2454_win64_12806_1655402803072.zip