OpenSSL 1.0.2zi and older vulnerabilities on Siteminder Agent for Sharepoint

Article ID: 366732

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Vulnerabilities in OpenSSL 1.0.2zh and older have been reported. Siteminder bundles OpenSSL with the Agent for Sharepoint.

Symantec Siteminder Agent for Sharepoint bundles OpenSSL 1.0.2 with the following versions of r12.52 SP01:

Sharepoint Agent r12.52 SP01:             OpenSSL 1.0.1
Sharepoint Agent r12.52 SP01 CR02:   OpenSSL 1.0.1o
Sharepoint Agent r12.52 SP01 CR04:   OpenSSL 1.0.1p
Sharepoint Agent r12.52 SP01 CR05:   OpenSSL 1.0.1p
Sharepoint Agent r12.52 SP01 CR05:   OpenSSL 1.0.2g
Sharepoint Agent r12.52 SP01 CR06:   OpenSSL 1.0.2h
Sharepoint Agent r12.52 SP01 CR07:   OpenSSL 1.0.2k
Sharepoint Agent r12.52 SP01 CR08:   OpenSSL 1.0.2l
Sharepoint Agent r12.52 SP01 CR09:   OpenSSL 1.0.2o
Sharepoint Agent r12.52 SP01 CR10:   OpenSSL 1.0.2r
Sharepoint Agent r12.52 SP01 CR11:   OpenSSL 1.0.2u

There have been a number of vulnerabilities in OpenSSL 1.0.2 which are remediated in OpenSSL 1.0.2zj.  This KB delivers an upgradable version of OpenSSL 1.0.2zj that can be used to upgrade Siteminder Sharepoint Agent r12.52 SP01 and higher.

Environment

PRODUCT: Siteminder
COMPONENT: Agent for Sharepoint
OPERATING SYSTEM: ANY
VERSION: 12.52 SP01 and later

Cause

=========================
CVE-2024-0727  PKCS12 Decoding crashes

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-3817 Excessive time spent checking DH q parameter value

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

-------------------------
CVE-2023-3446 Excessive time spent checking DH keys and parameters

SEVERITY: Low

Fixed: OpenSSL 1.0.2zj

=========================

Resolution

Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zj

 

NOTE: On WINDOWS, the OpenSSL 1.0.2zj update for Access Gateway is version specific:

r12.8.6 and Higher on Windows:  openssl102zj_win64_12806_and_above.zip

r12.8.5 and Lower on Windows:    openssl_102zj_windows_12805_andBelow.zip

The following upgrade binaries are attached at the bottom of this KB:

openssl102zj_win64_12806_and_above.zip

openssl102zj_linux.zip

 

###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2zj on Linux Installation Instructions
---------------------------------------------------

1) Copy "openssl102zj_linux.zip" to the Access Gateway Server

2) Unzip "openssl102zj_linux.zip"

unzip openssl102zj_linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl102zj_linux/SSL/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

openssl

EXAMPLE: cp -r /openssl102zj_linux/SSL/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/openssl102zj_linux/SSL/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /openssl102zj_linux/SSL/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
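
The backup, copy and permission steps of the Linux procedure above, scripted as an added example; this is not vendor-supplied code. The function names and the backup directory suffix are assumptions, GNU stat is assumed, and the Access Gateway must already be stopped.

```shell
#!/bin/sh
# Added example, not vendor code. Run with the Access Gateway stopped.
# Usage (paths follow the steps above; <InstallDir> is site specific):
#   upgrade_ssl_dir /openssl102zj_linux/SSL/bin "<InstallDir>/CA/secure-proxy/SSL/bin"
#   upgrade_ssl_dir /openssl102zj_linux/SSL/lib "<InstallDir>/CA/secure-proxy/SSL/lib"
#   verify_openssl_version "<InstallDir>/CA/secure-proxy/SSL/bin/openssl" 1.0.2zj

# Back up dst, copy every file from src into it, then restore the original
# permission bits. Prints the backup directory so a rollback is one cp away.
upgrade_ssl_dir() {
    src=${1%/}; dst=${2%/}
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 1; }
    bak="$dst.bak.$(date +%Y%m%d%H%M%S)"        # suffix is an assumption
    cp -a "$dst" "$bak" || return 1              # steps 6 and 8: full backup
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -f "$f" "$dst/$name" || return 1      # steps 7 and 9: install
        if [ -e "$bak/$name" ]; then             # steps 5 and 10: same mode
            # -L follows symlinks so a link's own 777 is never applied
            chmod "$(stat -L -c %a "$bak/$name")" "$dst/$name" || return 1
        else
            echo "new file, set mode by hand: $dst/$name" >&2
        fi
    done
    echo "$bak"
}

# Succeeds only if the binary reports the expected version, for example
# "1.0.2zj" (a hyphenated suffix after it is also accepted).
verify_openssl_version() {
    got=$("$1" version 2>/dev/null | awk '{print $2}')
    case "$got" in
        "$2"|"$2"-*) return 0 ;;
        *) echo "expected $2, found ${got:-nothing}" >&2; return 1 ;;
    esac
}
```

Run verify_openssl_version after re-sourcing ca_sps_env.sh so the binary loads the libraries that were just copied.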

 


---------------------------------------------------
OpenSSL 1.0.2zj Windows Installation Instructions
---------------------------------------------------

NOTE: OpenSSL 1.0.2zj for Access Gateway on WINDOWS applies to Access Gateway 12.8.6 and higher.

1) Copy "openssl102zj_win64_12806_and_above.zip" to the Access Gateway Server

2) Unzip "openssl102zj_win64_12806_and_above.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

Additional Information

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zi remediates the following CVEs:

CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559