OpenSSL 1.0.2ze and older vulnerabilities on Access Gateway r12.8.x


Article ID: 244937


Updated On:




Vulnerability with OpenSSL 1.0.2ze and older on Symantec Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.0: OpenSSL 1.0.2q
r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za

Vulnerabilities have been reported on various versions of OpenSSL 1.0.2 all the way through to 1.0.2ze.  This impacts all GA versions of Symantec Siteminder Access Gateway up to and including r12.8.6a.


Release : 12.8.0 - r12.8.6a

Component :  Symantec Siteminder Access Gateway Server



Component: OpenSSL
Versions Impacted: 1.0.2 - 1.0.2ze
Severity: Moderate


(OpenSSL advisory) [Moderate severity] 21 June 2022: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Reported by Chancen (Qingteng 73lab).

Fixed in OpenSSL 1.0.2zf (git commit) (Affected 1.0.2-1.0.2ze)


Upgrade the OpenSSL in all Siteminder Access Gateways to OpenSSL 1.0.2zf

NOTE: Windows has version specific solutions.  Note that the fix for r12.8.6 and higher is different than the fix for r12.8.5 and lower.

r12.8.6 and higher on Windows:
r12.8.5 and Lower on Windows:
r12.8.6a and lower on Linux:



OpenSSL 1.0.2zf on Linux Installation Instructions

1) Copy "" to the Access Gateway Server

2) Unzip ""


3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.

5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.

6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.

7) Copy '/1.0.2zf_linux64bit/Release/bin/openssl' to the '/<Install_Dir>/CA/secure-proxy/SSL/bin/bin' directory.

cp -r /1.0.2zf_linux64bit/Release/bin/openssl /<InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the library files from '/1.0.2zf_linux64bit/Release/lib/' to the '/<Install_Dir>/CA/secure-proxy/SSL/lib/' directory.

cp -r /Release_openssl102zf_linux64/Release/lib/lib* /<InstallDir>/CA/secure-proxy/SSL/lib/

9) Re-set the permissions on the copied files.

10) Re-source the environment variables:

. ./

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
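
To confirm the result of the steps above, the following check classifies an `openssl version` banner against the affected range given in this article (1.0.2 through 1.0.2ze, fixed in 1.0.2zf). It is an added example, not part of the original article or vendor tooling; the function names are hypothetical and it assumes the binary prints the standard `OpenSSL <version> <date>` banner.

```shell
#!/bin/sh
# Added example (not vendor code): classify an "openssl version" banner
# against the range the article lists as affected (1.0.2 - 1.0.2ze).
LC_ALL=C; export LC_ALL   # make the [a-z] ranges below ASCII-only

# Print "affected", "fixed" or "other" for one banner line.
classify_openssl_banner() {
    # Field 2 of the banner is the version, e.g. "1.0.2za" or "1.0.2u-fips".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%%-*}                      # drop build tags such as "-fips"
    case $ver in
        1.0.2*) suffix=${ver#1.0.2} ;;
        *)      echo other; return 0 ;; # not a 1.0.2 build, or unparsable
    esac
    # 1.0.2 letter releases run a..z and then za, zb, ...
    case $suffix in
        ''|[a-z]|z[a-e]) echo affected ;;   # 1.0.2 through 1.0.2ze
        z[f-z])          echo fixed ;;      # 1.0.2zf or a later letter
        *)               echo other ;;
    esac
}

# Run a binary (the path is supplied by the caller) and report its state.
# Returns 0 only when the binary reports a fixed 1.0.2 build.
check_openssl_binary() {
    banner=$("$1" version 2>/dev/null) || { echo "cannot run $1" >&2; return 2; }
    state=$(classify_openssl_banner "$banner")
    printf '%s: %s -> %s\n' "$1" "$banner" "$state"
    [ "$state" = fixed ]
}

# Constructed sample banners (build date omitted) for the versions the
# article lists as bundled, plus the fixed release.
for v in 1.0.2q 1.0.2r 1.0.2u 1.0.2x 1.0.2za 1.0.2zf; do
    printf '%-8s %s\n' "$v" "$(classify_openssl_banner "OpenSSL $v")"
done
```

Pass the path of the replaced binary to `check_openssl_binary` after step 10, so the binary resolves the libraries copied in step 8.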


OpenSSL 1.0.2zf Windows Installation Instructions

1) Stop the Access Gateway server

2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\SSL\

3) Back-up the following files:


4) Replace with the files from ""

5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway

Default: C:\Program Files\CA\secure-proxy\HTTPD\

6) Back-up the following files:


7) Replace with the files from ""

8) Start the Access Gateway server

Additional Information

In addition, see and apply this fix as well:
