Upgrade Apache to 2.4.55 on 12.8.x Siteminder Access Gateway - CVE-2022-36760
search cancel

Upgrade Apache to 2.4.55 on 12.8.x Siteminder Access Gateway - CVE-2022-36760

book

Article ID: 259400

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder)

Issue/Introduction

Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server.  The following is a list of Apache HTTP Server by Siteminder Access Gateway verion:

Access Gateway r12.8.4:  Apache HTTP Server 2.4.43
Access Gateway r12.8.5:  Apache HTTP Server 2.4.46
Access Gateway r12.8.6:  Apache HTTP Server 2.4.48
Access Gateway r12.8.6a:  Apache HTTP Server 2.4.52
Access Gateway r12.8.7:  Apache HTTP Server 2.4.54

KB 262099 delivers Apache HTTP Server 2.4.56 for Access Gateway Server.

KB 262099: Apache HTTP Server 2.4.56 for Access Gateway Server.

 

The following vulnerability and remediation's were published by apache.org. Which requires Apache component in SiteMinder Access Gateway to be upgraded to 2.4.55.

====================================

CVE-2006-20001 moderate: mod_dav out of bounds read, or write of zero byte
Severity: moderate

Description: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.

Impacts: <=2.4.54

---------------------------------------------------
CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling
Severity: moderate

Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

Impacts: <=2.4.54

---------------------------------------------------
CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
Severity: moderate

Description: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Impacts: <=2.4.54

====================================

https://nvd.nist.gov/vuln/detail/CVE-2022-36760

https://httpd.apache.org/security/vulnerabilities_24.html

Environment

Release : 12.8.x

Component : Siteminder Access Gateway Server

Operating System: Linux / Windows

Resolution

This KB is superseded by KB 262099 which delivers Apache HTTP Server 2.4.56 for Access Gateway Server.

KB 262099: Apache HTTP Server 2.4.56 for Access Gateway Server.

 

Powered by Wolken Software