
Vulnerability CVE-2022-26134 in AdminUI and CA Access Gateway (SPS)


Article ID: 244296


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running SiteMinder, are components such as AdminUI and CA Access Gateway (SPS) affected by the following CVE:

  CVE-2022-26134 (1)?

 

Environment

 

AdminUI 12.8SP6
CA Access Gateway (SPS) 12.8SP6

 

Resolution

 

This vulnerability does not have any impact on SiteMinder components.

This vulnerability is an OGNL injection vulnerability that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

What is OGNL injection (OGNL)?

Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is a commonly used development framework for Java-based web applications in enterprise environments.

Does OGNL have any impact on SiteMinder?

OGNL enables the evaluation of EL expressions in Apache Struts. SiteMinder does not use Struts directly; Struts is used by the IAM framework for the Management console. Because the IAM framework Management console is disabled, the SiteMinder installer removes the Struts components during the installation process. As a result, there is no path by which Apache Struts code can execute, and SiteMinder components are safe from the OGNL injection vulnerability.
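One way to confirm on an installed host that the Struts components are absent, as an added example that is not from the original article or from the vendor: the script walks a directory passed on the command line and lists any Struts or OGNL jars, including ones packaged inside WAR/EAR archives. The install path is not given in this article and must be supplied; the file-name pattern is an assumption based on common artifact names such as struts2-core-*.jar and ognl-*.jar.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: Struts/OGNL libraries keep their usual artifact names
# (struts2-core-<ver>.jar, ognl-<ver>.jar). Renamed jars are not detected.
LIB_RE = re.compile(r"(^|/)(struts[\w.-]*|ognl[\w.-]*)\.jar$", re.I)
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")
MAX_DEPTH = 3  # limit recursion into nested archives


def scan_archive(data, label, depth=0):
    """Return locations of Struts/OGNL jars nested inside an archive (bytes)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            inner = f"{label}!/{name}"
            if LIB_RE.search(name):
                hits.append(inner)
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                hits += scan_archive(zf.read(name), inner, depth + 1)
    return hits


def find_struts_ognl(root):
    """Walk root and list Struts/OGNL jars on disk or inside archives."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if LIB_RE.search(path.as_posix()):
            hits.append(str(path))
        elif path.suffix.lower() in ARCHIVE_EXT:
            hits += scan_archive(path.read_bytes(), str(path))
    return sorted(hits)


if __name__ == "__main__":
    found = find_struts_ognl(sys.argv[1])
    print("\n".join(found) or "no Struts/OGNL jars found")
    sys.exit(1 if found else 0)
```

An empty result supports the statement above for that directory tree; any hit shows where a Struts or OGNL library is still present and should be reviewed.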

 

Additional Information

 

(1)

    CVE-2022-26134