
Vulnerability with Apache 2.4.53 and older for SiteMinder Agent-for-SharePoint


Article ID: 244298


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The following vulnerabilities affect Apache 2.4.53 and are remediated in Apache 2.4.54, as listed on apache.org:

CVE-2022-26377   mod_proxy_ajp: Possible request smuggling (moderate severity)
CVE-2022-28330   read beyond bounds in mod_isapi (low severity)
CVE-2022-28614   read beyond bounds via ap_rwrite() (low severity)
CVE-2022-28615   Read beyond bounds in ap_strcmp_match() (low severity)
CVE-2022-29404   Denial of service in mod_lua r:parsebody (low severity)
CVE-2022-30522   mod_sed denial of service (low severity)
CVE-2022-30556   Information Disclosure in mod_lua with websockets (low severity)
CVE-2022-31813   mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (low severity)


Environment

Release : 12.8.x

Component : CA SITEMINDER AGENT FOR SHAREPOINT

Operating System: Windows

Resolution

Apache release 2.4.54 is a cumulative fix for all published vulnerabilities impacting Apache 2.4.53 and prior.

This patch is for the SiteMinder Agent for SharePoint, not the standard Access Gateway (SPS).

httpd_2454_win32bit.zip
openssl_1.0.2ze_win32bit.zip


Steps as follows:
---------------------

1) Go to Services console and stop the running Agent for SharePoint
- Stop "SiteMinder Agent for SharePoint"
- Stop "SiteMinder Agent for SharePoint Proxy Engine"

2) Navigate to the Agent installation folder (for example C:\CA\Agent-for-SharePoint\)

3) Back up the original folder "httpd" and rename it as "httpd_orig"

4) Unzip httpd_2454_win32bit.zip

5) Copy extracted httpd folder to C:\CA\Agent-for-SharePoint\
- This will overwrite existing "httpd" folder
- As there is no "conf" folder in httpd_2454_win32bit.zip, the configuration folder in the existing "httpd" folder will not be overwritten
- A window will prompt to Replace or Skip Files -- choose "Replace the files in the destination"

6) Navigate to SSL/bin folder (for example C:\CA\Agent-for-SharePoint\SSL\bin)

7) Back up the original files in C:\CA\Agent-for-SharePoint\SSL\bin

8) Unzip openssl_1.0.2ze_win32bit.zip

9) Copy extracted files (libeay32.dll, openssl.exe, ssleay32.dll) to C:\CA\Agent-for-SharePoint\SSL\bin
- This will overwrite existing files

10) Go to Services console and start the Agent for SharePoint
- Start "SiteMinder Agent for SharePoint"
- Start "SiteMinder Agent for SharePoint Proxy Engine"
- Check that the Apache version has changed to 2.4.54

11) Test whether Agent is working by accessing the SharePoint website
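
Steps 1 to 10 can be scripted. The PowerShell below is an added example, not part of the original article and not a Broadcom-supplied script. It assumes the example install path from step 2, that both zip files sit in C:\Temp\sm-patch, that the httpd archive extracts to a top-level "httpd" folder, and that httpd.exe is in httpd\bin; "bin_orig" is a backup name chosen for this example. It goes beyond the listed steps by aborting if the archive does contain a "conf" folder and by comparing the conf file hashes against the backup. Run it from an elevated prompt.

```powershell
# Added example. $Staging, bin_orig and the httpd\bin\httpd.exe path are assumptions.
$ErrorActionPreference = 'Stop'
$AgentHome = 'C:\CA\Agent-for-SharePoint'      # example install folder from step 2
$Staging   = 'C:\Temp\sm-patch'                # assumed folder holding both zip files
$Services  = 'SiteMinder Agent for SharePoint',
             'SiteMinder Agent for SharePoint Proxy Engine'

# Refuse to run if a backup from an earlier attempt would be nested into or mixed up
foreach ($b in "$AgentHome\httpd_orig", "$AgentHome\SSL\bin_orig") { if (Test-Path $b) { throw "$b already exists" } }

# Step 1: stop both services, in the order the article lists them
foreach ($s in $Services) { Stop-Service -DisplayName $s -Force }

# Steps 3 and 7: take both backups before anything is overwritten
Copy-Item "$AgentHome\httpd" "$AgentHome\httpd_orig" -Recurse
Copy-Item "$AgentHome\SSL\bin" "$AgentHome\SSL\bin_orig" -Recurse

# Step 4: extract, check the assumed layout, and confirm there is no conf folder inside
Expand-Archive -Path "$Staging\httpd_2454_win32bit.zip" -DestinationPath "$Staging\httpd_new"
if (-not (Test-Path "$Staging\httpd_new\httpd")) { throw 'unexpected archive layout' }
if (Test-Path "$Staging\httpd_new\httpd\conf") { throw 'archive contains a conf folder; stop and review' }

# Step 5: merge the new files over the existing httpd folder
Copy-Item "$Staging\httpd_new\httpd\*" "$AgentHome\httpd" -Recurse -Force

# Steps 8-9: extract and copy only the three files the article names
Expand-Archive -Path "$Staging\openssl_1.0.2ze_win32bit.zip" -DestinationPath "$Staging\openssl_new"
Get-ChildItem "$Staging\openssl_new" -Recurse -Include libeay32.dll, openssl.exe, ssleay32.dll |
    Copy-Item -Destination "$AgentHome\SSL\bin" -Force

# The configuration must be byte-identical to the backup taken above
$hashes = { param($dir) (Get-ChildItem $dir -Recurse -File | Get-FileHash).Hash }
if (Compare-Object (& $hashes "$AgentHome\httpd_orig\conf") (& $hashes "$AgentHome\httpd\conf")) {
    throw 'httpd\conf differs from httpd_orig\conf'
}

# Step 10: start the services and confirm the Apache version
foreach ($s in $Services) { Start-Service -DisplayName $s }
$version = & "$AgentHome\httpd\bin\httpd.exe" -v | Select-Object -First 1
if ($version -notmatch 'Apache/2\.4\.54') { throw "unexpected version: $version" }
Write-Output "Patched: $version"
```

If any check throws, the services are left stopped and the untouched copies remain in "httpd_orig" and "bin_orig" for rollback.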

Additional Information

It is highly advisable to test in a lower environment first.

Attachments

openssl_1.0.2ze_win32bit_1655799737477.zip
httpd_2454_win32bit_1655799681199.zip