A cyber security scan finds a vulnerability in the libcurl library, version 7.69 < 8.4.0, reported as "Heap Buffer Overflow" (1) and "Cookie Injection" (2).
In the Policy Server installed libraries:
/{home_policy_server}/lib/libcurl.so.4.8.0
or, for other versions:
/{home_policy_server}/lib/libcurl.so.4.4.0
Is this something that needs to be patched, or is it a false positive?
Policy Server 12.8.x and 12.9.x
CVE-2023-38545 and CVE-2023-38546 are false positives.
The SiteMinder Suite of products is not vulnerable to CVE-2023-38545 or CVE-2023-38546.
CVE-2023-38545 is not applicable to SiteMinder because it does not use the proxy functionality of libcurl; the heap buffer overflow sits in libcurl's SOCKS5 proxy handshake and is only reachable when a SOCKS5 proxy is configured (1).
CVE-2023-38546 is not applicable because SiteMinder does not call the function responsible for the vulnerability, libcurl's curl_easy_duphandle(), through which the cookie injection occurs (2).
If the above CVEs are flagged on the system by vulnerability scans, notify the local security team that the SiteMinder products are not susceptible.
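The scanner's finding is version-based, while the resolution above rests on which libcurl code paths the application actually exercises. The following triage helper is an example added to this article (not SiteMinder code and not something the product ships): it reads the "libcurl/X.Y.Z" version string that every libcurl build embeds, checks it against the advisory ranges for both CVEs (both fixed in 8.4.0), and then checks whether the application binaries reference curl_easy_duphandle in their dynamic symbol strings. Whether a SOCKS5 proxy is configured cannot be read from symbols, so it is passed in as a flag. The sample blobs and the names SAMPLE_LIBCURL, SAMPLE_APPS, easy_only_app and dup_user are constructed for the example; the symbol check is a heuristic for dynamically linked ELF binaries and does not apply to a statically linked libcurl.

```python
"""Triage helper for version-based libcurl findings: advisory-range check plus
a reachability check for CVE-2023-38545 / CVE-2023-38546.
Example code added to this article; not part of the SiteMinder product."""
import os
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges per the curl project's advisories; both fixed in 8.4.0.
AFFECTED = {
    # SOCKS5 proxy handshake heap overflow; reachable only through a SOCKS5 proxy.
    "CVE-2023-38545": ((7, 69, 0), (8, 4, 0)),
    # Cookie injection through curl_easy_duphandle(); unreachable when the
    # application never calls that function.
    "CVE-2023-38546": ((7, 9, 1), (8, 4, 0)),
}

_VERSION_RE = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_version(blob: bytes) -> Optional[Version]:
    """Extract the 'libcurl/X.Y.Z' string embedded in every libcurl build
    (the same text curl_version() returns) from the raw .so bytes."""
    m = _VERSION_RE.search(blob)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def references_symbol(blob: bytes, name: str) -> bool:
    """Heuristic import check: ELF keeps dynamic symbol names in .dynstr as
    NUL-terminated strings, so a NUL-delimited hit means the binary names the
    symbol. Apply this to the application binaries, not to libcurl itself,
    which of course exports the function."""
    return b"\0" + name.encode("ascii") + b"\0" in blob


def triage(version: Version, app_blobs: Dict[str, bytes],
           socks5_proxy_configured: bool) -> Dict[str, str]:
    """Verdict per CVE: 'not affected' outside the advisory range, otherwise
    whether the vulnerable code path is actually reachable."""
    verdict: Dict[str, str] = {}

    lo, hi = AFFECTED["CVE-2023-38545"]
    if not (lo <= version < hi):
        verdict["CVE-2023-38545"] = "not affected: version outside range"
    elif socks5_proxy_configured:
        verdict["CVE-2023-38545"] = "reachable: SOCKS5 proxy configured, patch"
    else:
        verdict["CVE-2023-38545"] = "flagged by version only: no SOCKS5 proxy in use"

    lo, hi = AFFECTED["CVE-2023-38546"]
    callers = sorted(n for n, b in app_blobs.items()
                     if references_symbol(b, "curl_easy_duphandle"))
    if not (lo <= version < hi):
        verdict["CVE-2023-38546"] = "not affected: version outside range"
    elif callers:
        verdict["CVE-2023-38546"] = ("reachable: curl_easy_duphandle referenced by "
                                    + ", ".join(callers))
    else:
        verdict["CVE-2023-38546"] = "flagged by version only: curl_easy_duphandle not referenced"
    return verdict


def triage_install(lib_path: str, app_dir: str,
                   socks5_proxy_configured: bool = False) -> Dict[str, str]:
    """On-disk variant: read the libcurl .so and every file in app_dir
    (for example the Policy Server bin/ directory; paths are your install's)."""
    with open(lib_path, "rb") as f:
        version = libcurl_version(f.read())
    if version is None:
        raise ValueError(f"no libcurl/X.Y.Z string found in {lib_path}")
    blobs: Dict[str, bytes] = {}
    for name in os.listdir(app_dir):
        path = os.path.join(app_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                blobs[name] = f.read()
    return triage(version, blobs, socks5_proxy_configured)


# Constructed sample input (not real SiteMinder binaries): a fake libcurl blob
# with an in-range version, one application that only uses the easy interface,
# and one that duplicates handles.
SAMPLE_LIBCURL = b"\x7fELF...\0libcurl/7.79.1 OpenSSL/1.1.1k zlib/1.2.11\0"
SAMPLE_APPS = {
    "easy_only_app": b"\0curl_easy_init\0curl_easy_setopt\0curl_easy_perform\0curl_easy_cleanup\0",
    "dup_user": b"\0curl_easy_init\0curl_easy_duphandle\0curl_easy_perform\0",
}

if __name__ == "__main__":
    found = libcurl_version(SAMPLE_LIBCURL)
    assert found is not None
    for cve, result in triage(found, SAMPLE_APPS, socks5_proxy_configured=False).items():
        print(cve, "->", result)
```

A "flagged by version only" verdict is the evidence to hand to the security team when reporting the false positive; a "reachable" verdict means the version-based finding stands and the library should be patched regardless of the vendor statement.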