OpenSSL 1.0.2zh and older vulnerabilities on Access Gateway r12.8.x

Article ID: 274048

Products

SITEMINDER

Issue/Introduction

Vulnerability with OpenSSL 1.0.2zh and older on Symantec Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.0:   OpenSSL 1.0.2q
r12.8.1:   OpenSSL 1.0.2q
r12.8.2:   OpenSSL 1.0.2q
r12.8.3:   OpenSSL 1.0.2r
r12.8.4:   OpenSSL 1.0.2u
r12.8.5:   OpenSSL 1.0.2x
r12.8.6:   OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za
r12.8.7:   OpenSSL 1.0.2zf
r12.8.8:   OpenSSL 1.0.2zi

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway 

VERSION: 12.8.7 and older

Cause

=========================
CVE-2023-3817 Excessive time spent checking DH q parameter value

SEVERITY: Low

Fixed: OpenSSL 1.0.2zi

-------------------------
CVE-2023-3446 Excessive time spent checking DH keys and parameters 

SEVERITY: Low

Fixed: OpenSSL 1.0.2zi
=========================

Resolution

You can upgrade the Siteminder Access Gateway Server to r12.8.8, which is bundled with OpenSSL 1.0.2zi. This KB also includes a standalone upgrade to OpenSSL 1.0.2zi.

Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zi

NOTE: Windows has version-specific solutions. The fix for r12.8.6 and higher is different from the fix for r12.8.5 and lower.

The following upgrade binaries are attached at the bottom of this KB:

openssl_1.0.2zi_win64_12806_and_above_1695394819364.zip

openssl_1.0.2zi_linux64bit_1695394799067.zip

 

###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2zi on Linux Installation Instructions
---------------------------------------------------

1) Copy "openssl_1.0.2zi_linux64bit_1695394799067.zip" to the Access Gateway Server

2) Unzip "openssl_1.0.2zi_linux64bit_1695394799067.zip"

unzip openssl_1.0.2zi_linux64bit_1695394799067.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl_1.0.2zi_linux64bit_1695394799067/SSL/bin/' folder to the '<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

c_rehash
openssl

EXAMPLE: cp -r /openssl_1.0.2zi_linux64bit_1695394799067/SSL/bin/* <InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/openssl_1.0.2zi_linux64bit_1695394799067/SSL/lib/' folder to the '<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /openssl_1.0.2zi_linux64bit_1695394799067/SSL/lib/* <InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

13) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
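
Steps 5 through 10 of the Linux procedure as a single script, with a version check to run after the upgrade. This is an added example, not code supplied with this KB; it assumes the first argument is <InstallDir>/CA/secure-proxy, the second is the unzipped patch directory, the gateway is already stopped, and the backup directory name is an arbitrary choice.

```shell
# Added example, not vendor code. Covers steps 5-10 of the Linux procedure.
# Assumptions: $1 is <InstallDir>/CA/secure-proxy, $2 is the unzipped patch
# directory (contains SSL/bin and SSL/lib), and the gateway is already stopped.
# Requires a stat that supports -c, as found on Linux.

PATCH_FILES="SSL/bin/c_rehash SSL/bin/openssl
SSL/lib/libcrypto.so SSL/lib/libcrypto.so.1.0.0
SSL/lib/libssl.so SSL/lib/libssl.so.1.0.0"

upgrade_bundled_openssl() {
    sps=$1; patch=$2; backup="$sps/SSL/backup_before_1.0.2zi"

    # Refuse to run with an incomplete patch or an existing backup, so old and
    # new libraries are never mixed and the first backup is never overwritten.
    for f in $PATCH_FILES; do
        [ -f "$patch/$f" ] || { echo "missing in patch: $f" >&2; return 1; }
    done
    if [ -e "$backup" ]; then echo "backup exists: $backup" >&2; return 1; fi
    mkdir -p "$backup/SSL/bin" "$backup/SSL/lib" || return 1

    # Steps 5, 6, 8: back up everything BEFORE touching anything. cp -a keeps
    # mode, owner and symlinks (libcrypto.so may be a link to libcrypto.so.1.0.0,
    # and copying over a link would rewrite its target before it was saved).
    for f in $PATCH_FILES; do
        if [ -e "$sps/$f" ]; then cp -a "$sps/$f" "$backup/$f" || return 1; fi
    done

    # Steps 7, 9, 10: install each file, then restore the saved mode and owner.
    for f in $PATCH_FILES; do
        cp -f "$patch/$f" "$sps/$f" || return 1
        if [ -e "$backup/$f" ]; then
            chmod "$(stat -L -c '%a' "$backup/$f")" "$sps/$f" || return 1
            chown "$(stat -L -c '%u:%g' "$backup/$f")" "$sps/$f" || return 1
        fi
    done
}

# Post-upgrade check: version string reported by the bundled binary, loaded
# against the bundled libraries rather than any system OpenSSL.
bundled_openssl_version() {
    LD_LIBRARY_PATH="$1/SSL/lib" "$1/SSL/bin/openssl" version | awk '{print $2}'
}
```

After the copy, bundled_openssl_version should print 1.0.2zi; any other value means the gateway would still load an older library.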

 


---------------------------------------------------
OpenSSL 1.0.2zi Windows Installation Instructions
---------------------------------------------------

1) Copy "openssl_1.0.2zi_win64_12806_and_above_1695394819364.zip" to the Access Gateway Server

2) Unzip "openssl_1.0.2zi_win64_12806_and_above_1695394819364.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

Additional Information

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zi remediates the following CVEs:

CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

openssl_1.0.2zi_win64_12806_and_above_1695394819364.zip
openssl_1.0.2zi_linux64bit_1695394799067.zip