OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 in SiteMinder

Article ID: 253745

Updated On:

Products

SITEMINDER

Issue/Introduction

The question is whether the following OpenSSL CVEs impact any Siteminder components, since Siteminder bundles OpenSSL with the Policy Server, Access Gateway and the Agent for SharePoint.

CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow

CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow

  • Versions impacted: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6

 

Environment

PRODUCT: Symantec Siteminder

COMPONENT: ALL

OS: ANY

Cause

CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow

CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow

  • Versions impacted: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6

Resolution

No Siteminder components are impacted by these CVEs. Siteminder releases up to r12.8.8.1 ship with OpenSSL 1.0.2. These CVEs affect OpenSSL 3.0.x, which is not bundled with any Siteminder component up to r12.8.8.1.
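To confirm this on an installed system, the following added example (not vendor-supplied code) reads the version banner that OpenSSL embeds in its library files and flags the 3.0.0 to 3.0.6 range listed above. The scan directory is an assumption supplied by the caller, and the file name patterns are the usual OpenSSL library names rather than paths taken from this article.

```shell
#!/bin/sh
# Added example: report the OpenSSL version embedded in bundled libraries and
# flag the range this article lists as affected (3.0.0 through 3.0.6).

# Print AFFECTED for 3.0.0-3.0.6, not-affected for anything else (e.g. 1.0.2u).
classify_openssl_version() {
    case "$1" in
        3.0.[0-6]) echo "AFFECTED" ;;
        *)         echo "not-affected" ;;
    esac
}

# Print each distinct "OpenSSL x.y.z" version banner found inside a file.
# tr turns non-printable bytes into newlines so sed can read the binary.
banner_versions() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" 2>/dev/null |
        LC_ALL=C sed -n \
            's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        sort -u
}

# Walk a directory (assumption: the caller passes the install root) and print
# "path<TAB>version<TAB>verdict" for every OpenSSL library file found.
scan_dir() {
    find "$1" -type f \( -name 'libcrypto*' -o -name 'libssl*' \
        -o -name 'libeay32*' -o -name 'ssleay32*' \) 2>/dev/null | sort |
    while IFS= read -r lib; do
        versions=$(banner_versions "$lib")
        if [ -z "$versions" ]; then
            printf '%s\t%s\t%s\n' "$lib" "unknown" "unknown"
            continue
        fi
        for ver in $versions; do
            printf '%s\t%s\t%s\n' "$lib" "$ver" "$(classify_openssl_version "$ver")"
        done
    done
}

# Usage: sh check_openssl.sh /path/to/install/root
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

A file name scan does not detect OpenSSL that has been statically linked into another binary; an "unknown" row means the file matched by name but carries no version banner.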

Additional Information