Mitigation of Vulnerability CVE-2019-1552 in OpenSSL On Windows



Article ID: 245418


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

CVE-2019-1552 "Windows builds with insecure path defaults"

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix.


Environment

Siteminder Access Gateway: r12.8.x

Operating System: Windows Server

OpenSSL 1.0.2 versions are affected by this issue.

Resolution

Customers can mitigate this by setting the OpenSSL-supported OPENSSL_CONF environment variable to the desired, safe (non-world-writable) path.

Example: 

set OPENSSL_CONF=C:\Program Files\CA\secure-proxy\SSL\bin\openssl.cnf

After the environment variable is set or exported, OpenSSL stops reading the configuration file openssl.cnf from the compiled-in default path /usr/local/ssl and reads it from the configured path instead (here "C:\Program Files\CA\secure-proxy\SSL\bin\openssl.cnf").
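The following PowerShell script is an added example, not part of this article or of the CA/Broadcom product: it checks that the target openssl.cnf exists and that its directory is not writable by broad groups (the exposure CVE-2019-1552 describes), then sets OPENSSL_CONF at machine scope. The path is the one quoted above; the group list and the rights treated as risky are this example's assumptions.

```powershell
# Added example (not from the Broadcom/CA article): point OPENSSL_CONF at a
# non-world-writable openssl.cnf and verify the directory ACL before doing so.
# The path below is the one quoted in the article; adjust it to your install.
$ConfPath = 'C:\Program Files\CA\secure-proxy\SSL\bin\openssl.cnf'

# Rights that would let a low-privileged user tamper with the config file,
# i.e. recreate the /usr/local-style exposure that CVE-2019-1552 describes.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl
# Principals that effectively mean "any local user" (assumed list).
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-OpenSslConfPath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "openssl.cnf not found at $Path"
    }
    $dir = Split-Path -Parent $Path
    # Collect Allow ACEs that grant write-class rights to a broad group.
    $risky = foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadGroups -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteRights)) { $ace }
    }
    if ($risky) {
        $who = ($risky | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        throw "Directory $dir is writable by $who; fix the ACL before using it as OPENSSL_CONF"
    }
    return $true
}

if (Test-OpenSslConfPath -Path $ConfPath) {
    # Machine scope so the Access Gateway service, not just this shell, sees it.
    [Environment]::SetEnvironmentVariable('OPENSSL_CONF', $ConfPath, 'Machine')
    $env:OPENSSL_CONF = $ConfPath   # also apply to the current session
    Write-Host "OPENSSL_CONF set to $ConfPath"
}
```

A Windows service only reads machine-scope environment variables when its process starts, so restart the Access Gateway service after running this.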

Additional Information

https://www.openssl.org/news/vulnerabilities.html

https://www.cve.org/CVERecord?id=CVE-2019-1552