Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server. The following list gives the bundled Apache HTTP Server version for each Siteminder Access Gateway release:
Access Gateway r12.8.4: Apache HTTP Server 2.4.43
Access Gateway r12.8.5: Apache HTTP Server 2.4.46
Access Gateway r12.8.6: Apache HTTP Server 2.4.48
Access Gateway r12.8.6a: Apache HTTP Server 2.4.52
Access Gateway r12.8.7: Apache HTTP Server 2.4.54
KB 258771 delivers Apache HTTP Server 2.4.55 for Access Gateway Server
Siteminder Access Gateway
Release: 12.8.7 and older
CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy
Severity: Important
Description: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
Impacted Versions: <=2.4.55
Remediation: Apache HTTP 2.4.56
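The description above names the configuration shape that matters: a RewriteRule or ProxyPassMatch whose regex captures an unconstrained part of the request-target (for example `(.*)` or `(.+)`) and then re-inserts it into a proxied target through `$1`-style substitution. The upgrade to 2.4.56 is the remediation; the following audit script is an added example (not part of this KB and not Broadcom's tooling) that reports such directives in an httpd.conf so they can be reviewed on the Access Gateway before and after the upgrade. The sample configuration it writes is constructed for the demonstration; the backend host names in it are placeholders.

```shell
#!/bin/sh
# Added example: report RewriteRule / ProxyPassMatch directives that match the
# CVE-2023-25690 pattern (non-specific capture on the request-target whose
# value is substituted into a proxied target). It lists candidates for
# review only; it does not prove that a given line is exploitable.

# Print each candidate as "<lineno>:<directive>:<original line>".
audit_proxy_rewrites() {
    conf="$1"
    # RewriteRule: non-specific capture (.*)/(.+) in the pattern, a $n
    # backreference in the substitution, and either the [P] proxy flag or an
    # absolute http(s) target (which mod_rewrite proxies implicitly).
    grep -nE '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]*\(\.[*+]\)[^[:space:]]*[[:space:]]+[^[:space:]]*\$[0-9]' "$conf" \
      | grep -E '\[[^]]*P[^]]*\]|[[:space:]]https?://' \
      | sed 's/^\([0-9]*\):/\1:RewriteRule:/'
    # ProxyPassMatch always proxies, so a non-specific capture plus $n is enough.
    grep -nE '^[[:space:]]*ProxyPassMatch[[:space:]]+[^[:space:]]*\(\.[*+]\)[^[:space:]]*[[:space:]]+[^[:space:]]*\$[0-9]' "$conf" \
      | sed 's/^\([0-9]*\):/\1:ProxyPassMatch:/'
}

# Number of candidate lines in a configuration file.
count_findings() {
    audit_proxy_rewrites "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (not from the KB): two risky directives
# and two that the audit should leave alone.
write_sample_conf() {
    cat > "$1" <<'EOF'
RewriteEngine On
# Risky: (.*) from the URL is re-inserted into the proxied request-target.
RewriteRule "^/here/(.*)" "http://backend.example.internal/elsewhere?$1" [P]
# Risky: ProxyPassMatch with an unconstrained capture.
ProxyPassMatch "^/api/(.*)$" "http://api.example.internal/v1/$1"
# Acceptable: capture is restricted to a safe character class.
RewriteRule "^/img/([A-Za-z0-9_-]+)\.png$" "http://static.example.internal/$1.png" [P]
# Acceptable: local rewrite, nothing is proxied.
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
EOF
}

# Usage: audit a real file, or the constructed sample when no file is given.
if [ "$#" -eq 1 ]; then
    audit_proxy_rewrites "$1"
elif [ "${AUDIT_DEMO:-}" = "1" ]; then
    sample=$(mktemp)
    write_sample_conf "$sample"
    audit_proxy_rewrites "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit.sh <Install_Dir>/httpd/conf/httpd.conf` (and again against any included files); every reported line is one where tightening the capture to the characters the backend actually expects, as in the `[A-Za-z0-9_-]+` sample, removes the non-specific match the advisory describes.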
-----------------------------------
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
Severity: Moderate
Description: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.
Impacted Versions: <=2.4.55
Remediation: Apache HTTP 2.4.56
All published vulnerabilities impacting Apache 2.4.55 or older can be remediated with Apache 2.4.56. This release is a cumulative fix for all published vulnerabilities impacting Apache 2.4.55 and older releases on the 2.4.x platform.
Note:
1) Apache-2.4.56_win_12.8.6_and_higher_1678991854235.zip -> applies to Access Gateway versions 12.8.06 and above
2) Apache-2.4.56_win_12.8.5_and_lower_1678979641364.zip -> applies to Access Gateway versions 12.8.05 and below
3) httpd2456_linux_1694465160077.zip -> applies to any 12.8.x version of Access Gateway
PRE-REQUISITE: OpenSSL 1.0.2zh (See KB 265006)
KB 265006: OpenSSL 1.0.2zh for Siteminder Access Gateway
---------------------------------------------------
Windows
---------------------------------------------------
1. Stop the running Access Gateway Server
2. Using File Explorer, navigate to the Access Gateway installation directory
<Install_Dir> (Default): C:\program files\CA\secure-proxy\
3. Back up the original 'httpd' directory <httpd_orig>
<Install_Dir>\CA\secure-proxy\httpd
4. Unzip the attached zip file which is appropriate to your version of Access Gateway on Windows and copy the 'httpd' folder to C:\program files\CA\secure-proxy\
5. Copy the 'conf' directory from the original <httpd_orig> into <Install_Dir>/CA/secure-proxy/httpd
cp -r <httpd_orig>/conf httpd/
6. Copy the 'configssl.bat' file from the original "<httpd_orig>/bin" into <Install_Dir>/CA/secure-proxy/httpd/bin
cp <httpd_orig>/bin/configssl.bat <Install_Dir>/CA/secure-proxy/httpd/bin/
8. Upgrade to OpenSSL 1.0.2zh as per KB 265006: OpenSSL 1.0.2zh for Siteminder Access Gateway
9. Start the Access Gateway Server.
---------------------------------------------------
Linux
---------------------------------------------------
1. Stop the running Access Gateway Server
2. Navigate to the Access Gateway installation directory
<Install_Dir> (Default): /opt/CA/secure-proxy/
3. Back up the original 'httpd' directory <httpd_orig>
<Install_Dir>/CA/secure-proxy/httpd
4. Unzip the attached 'Apache-2.4.56-linux_1678991888021.zip' file and copy the 'httpd' folder to <Install_Dir>/CA/secure-proxy/
5. Copy the following files from the original <httpd_orig> into <Install_Dir>/CA/secure-proxy/httpd
cp -r httpd_orig/conf httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std httpd/bin/
6. Upgrade to OpenSSL 1.0.2zh as per KB 265006: OpenSSL 1.0.2zh for Siteminder Access Gateway
7. Start the Access Gateway Server.
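The Linux steps above (and the Windows steps, which differ only in the files carried over) are the kind of procedure that is worth rehearsing on a scratch copy before it is run against /opt/CA/secure-proxy, because a missed 'conf' or 'bin' file only shows up when the server fails to start. The script below is an added example, not a script shipped with this KB: it takes the install directory and the unpacked new 'httpd' tree as arguments, moves the original aside as a timestamped backup, copies the files the KB lists, and refuses to report success unless the installed binary identifies itself as the expected version. Stopping and starting the Access Gateway Server is left to the operator, since the KB gives no command for it; the version string check assumes the usual `httpd -v` output format.

```shell
#!/bin/sh
# Added example (not the KB's own script): the Linux httpd replacement
# procedure as functions that take the install dir as an argument, so it can
# be rehearsed against a scratch copy before touching <Install_Dir>.

# Files the KB says must be carried over from the original httpd/bin.
PRESERVED_BIN_FILES="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# Move the current httpd tree aside as httpd_orig-<timestamp>; print its path.
backup_httpd() {
    install_dir="$1"
    orig="$install_dir/httpd_orig-$(date +%Y%m%d%H%M%S)"
    mv "$install_dir/httpd" "$orig" || return 1
    printf '%s\n' "$orig"
}

# Copy conf/ (overwriting the shipped defaults) and the preserved bin scripts
# from the backup into the new tree.
restore_site_files() {
    orig="$1"; new="$2"
    mkdir -p "$new/conf" "$new/bin" || return 1
    cp -R "$orig/conf/." "$new/conf/" || return 1
    for f in $PRESERVED_BIN_FILES; do
        if [ ! -f "$orig/bin/$f" ]; then
            echo "missing $orig/bin/$f in the original tree" >&2
            return 1
        fi
        cp "$orig/bin/$f" "$new/bin/$f" || return 1
    done
}

# True when "<httpd dir>/bin/httpd -v" reports the expected Apache version
# (assumes the standard "Server version: Apache/x.y.z" line).
httpd_version_is() {
    "$1/bin/httpd" -v 2>/dev/null | grep -q "Apache/$2"
}

# Whole procedure: back up, install the unpacked tree, restore site files,
# verify. $1 install dir, $2 unpacked new httpd dir, $3 expected version.
# Run only after the Access Gateway Server has been stopped.
upgrade_httpd() {
    install_dir="$1"; new_httpd="$2"; expected="$3"
    orig=$(backup_httpd "$install_dir") || return 1
    cp -R "$new_httpd" "$install_dir/httpd" || return 1
    restore_site_files "$orig" "$install_dir/httpd" || return 1
    if ! httpd_version_is "$install_dir/httpd" "$expected"; then
        echo "version check failed; original tree kept at $orig" >&2
        return 1
    fi
    echo "httpd replaced; original tree kept at $orig"
}

# Usage: sh upgrade.sh /opt/CA/secure-proxy /tmp/unpacked/httpd 2.4.56
if [ "$#" -eq 3 ]; then
    upgrade_httpd "$1" "$2" "$3"
fi
```

The backup is never deleted by the script, so a failed verification leaves the original tree in place for rollback (`mv httpd_orig-<timestamp> httpd`), and the OpenSSL prerequisite from KB 265006 still has to be applied separately before the server is started.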
RELATED KBs:
KB 265006: OpenSSL 1.0.2zh for Siteminder Access Gateway
Upgrading to Apache HTTP Server 2.4.56 will remediate the following CVEs:
CVE-2023-25690
CVE-2023-27522
CVE-2006-20001
CVE-2022-36760
CVE-2022-37436
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
CVE-2022-22719
CVE-2022-22720
CVE-2022-22721
CVE-2022-23943
CVE-2021-44224
CVE-2021-44790
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773
CVE-2021-33193
CVE-2021-34798
CVE-2021-36160
CVE-2021-39275
CVE-2021-40438
CVE-2019-17567
CVE-2020-13938
CVE-2020-13950
CVE-2020-35452
CVE-2021-26690
CVE-2021-26691
CVE-2021-30641
CVE-2021-31618
CVE-2020-9490
CVE-2020-11984
CVE-2020-11993