OpenSSL 1.0.2zi and older vulnerabilities on Access Gateway r12.8.x

Article ID: 280151

Products

SITEMINDER

Issue/Introduction

Vulnerability with OpenSSL 1.0.2zi and older on Symantec Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.0:   OpenSSL 1.0.2q
r12.8.1:   OpenSSL 1.0.2q
r12.8.2:   OpenSSL 1.0.2q
r12.8.3:   OpenSSL 1.0.2r
r12.8.4:   OpenSSL 1.0.2u
r12.8.5:   OpenSSL 1.0.2x
r12.8.6:   OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za
r12.8.7:   OpenSSL 1.0.2zf
r12.8.8:   OpenSSL 1.0.2zi

KB 274048 delivers OpenSSL 1.0.2zi

 

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway 

OPERATING SYSTEM: ANY

VERSION: 12.8.6 and older

Cause

=========================
CVE-2024-0727  PKCS12 Decoding crashes

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-3817 Excessive time spent checking DH q parameter value

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-3446 Excessive time spent checking DH keys and parameters

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

=========================

Resolution

Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zj

 

NOTE: On WINDOWS, the OpenSSL 1.0.2zj update for Access Gateway is version specific:

r12.8.6 and Higher on Windows:  openssl102zj_win64_12806_and_above.zip

r12.8.5 and Lower on Windows:    openssl_102zj_windows_12805_andBelow.zip

The following upgrade binaries are attached at the bottom of this KB:

openssl102zj_win64_12806_and_above.zip

openssl102zj_linux.zip

 

###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2zj on Linux Installation Instructions
---------------------------------------------------

1) Copy "openssl102zj_linux.zip" to the Access Gateway Server

2) Unzip "openssl102zj_linux.zip"

unzip openssl102zj_linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl102zj_linux/SSL/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

openssl

EXAMPLE: cp -r /openssl102zj_linux/SSL/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/openssl102zj_linux/SSL/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /openssl102zj_linux/SSL/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

13) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
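
To confirm the result of the Linux steps above, the following added example (not part of the original KB or any vendor tooling) checks that the gateway's openssl binary reports 1.0.2zj or later, and applies the same comparison to the bundled-version table from the introduction. The script name, the function names and running it after sourcing ca_sps_env.sh are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Checks an OpenSSL 1.0.2 letter release
# against the fixed release named in this KB.
FIXED_SUFFIX="zj"   # KB: the four listed CVEs are fixed in OpenSSL 1.0.2zj

# Bundled versions copied from the KB table (release:version).
KB_TABLE="r12.8.0:1.0.2q r12.8.1:1.0.2q r12.8.2:1.0.2q r12.8.3:1.0.2r
r12.8.4:1.0.2u r12.8.5:1.0.2x r12.8.6:1.0.2za r12.8.6a:1.0.2za
r12.8.7:1.0.2zf r12.8.8:1.0.2zi"

# 0 if suffix $1 is the same as or later than suffix $2. Letter releases run
# a..z, then za, zb, ...: a longer suffix is later, equal lengths sort A-Z.
suffix_ge() {
    [ "${#1}" -gt "${#2}" ] && return 0
    [ "${#1}" -lt "${#2}" ] && return 1
    [ "$1" = "$2" ] && return 0
    LC_ALL=C expr "x$1" \> "x$2" >/dev/null
}

# $1 is one line of `openssl version` output.
# 0 = 1.0.2zj or later, 1 = older 1.0.2 build, 2 = not a plain 1.0.2 build.
is_fixed_102() {
    v=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$v" in
        1.0.2*) s=${v#1.0.2} ;;
        *) return 2 ;;
    esac
    case "$s" in *[!a-z]*) return 2 ;; esac
    suffix_ge "$s" "$FIXED_SUFFIX"
}

# Print every release in the KB table whose bundled OpenSSL predates the fix.
releases_needing_update() {
    for entry in $KB_TABLE; do
        is_fixed_102 "OpenSSL ${entry#*:}" || printf '%s\n' "${entry%%:*}"
    done
}

# Usage (assumed): sh check_openssl.sh <InstallDir>, after sourcing ca_sps_env.sh
if [ "$#" -ge 1 ]; then
    line=$("$1/CA/secure-proxy/SSL/bin/openssl" version) || exit 2
    rc=0; is_fixed_102 "$line" || rc=$?
    case "$rc" in
        0) echo "OK: $line" ;;
        1) echo "UPDATE NEEDED (older than 1.0.2$FIXED_SUFFIX): $line"; exit 1 ;;
        *) echo "UNRECOGNISED VERSION: $line"; exit 2 ;;
    esac
fi
```

A non-zero exit after the restart means the gateway is still loading an older binary, so compare the files in SSL/bin and SSL/lib against the backup taken in steps 6 and 8.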

 


---------------------------------------------------
OpenSSL 1.0.2zj Windows Installation Instructions
---------------------------------------------------

NOTE: OpenSSL 1.0.2zj for Access Gateway on WINDOWS applies to Access Gateway 12.8.6 and higher.

1) Copy "openssl102zj_win64_12806_and_above.zip" to the Access Gateway Server

2) Unzip "openssl102zj_win64_12806_and_above.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

Additional Information

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zi remediates the following CVEs:

CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

openssl_102zj_windows_12805_andBelow.zip
openssl102zj_win64_12806_and_above.zip
openssl102zj_linux.zip