Vulnerabilities with OpenSSL 1.0.2zh and have been reported. Siteminder bundles OpenSSL on the Agent for Sharepoint.
Symantec Siteminder Agent for Sharepoint bundles OpenSSL 1.0.2 with the following versions of r12.52 SP01:
Sharepoint Agent r12.52 SP01: OpenSSL 1.0.1
Sharepoint Agent r12.52 SP01 CR02: OpenSSL 1.0.1o
Sharepoint Agent r12.52 SP01 CR04: OpenSSL 1.0.1p
Sharepoint Agent r12.52 SP01 CR05: OpenSSL 1.0.1p
Sharepoint Agent r12.52 SP01 CR05: OpenSSL 1.0.2g
Sharepoint Agent r12.52 SP01 CR06: OpenSSL 1.0.2h
Sharepoint Agent r12.52 SP01 CR07: OpenSSL 1.0.2k
Sharepoint Agent r12.52 SP01 CR08: OpenSSL 1.0.2l
Sharepoint Agent r12.52 SP01 CR09: OpenSSL 1.0.2o
Sharepoint Agent r12.52 SP01 CR10: OpenSSL 1.0.2r
Sharepoint Agent r12.52 SP01 CR11: OpenSSL 1.0.2u
There have been a number of vulnerabilities in OpenSSL 1.0.2 which are remediated in OpenSSL 1.0.2zj. This KB delivers an upgradable version of OpenSSL 1.0.2zj that can be used to upgrade Siteminder Sharepoint Agent r12.52 SP01 and higher.
PRODUCT: Siteminder
COMPONENT: Agent for Sharepoint
OPERATING SYSTEM: ANY
VERSION: 12.52 SP01 and later
=========================
CVE-2024-0727 PKCS12 Decoding crashes
SEVERITY: Low
Fixed: OpenSSL 1.0.2zj
-------------------------
CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value
SEVERITY: Low
Fixed: OpenSSL 1.0.2zj
-------------------------
CVE-2023-3817 Excessive time spent checking DH q parameter value
SEVERITY: Low
Fixed: OpenSSL 1.0.2zj
-------------------------
CVE-2023-3446 Excessive time spent checking DH keys and parameters
SEVERITY: Low
Fixed: OpenSSL 1.0.2zj
=========================
Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zj
NOTE: OpenSSL 1.0.2zj for Access Gateway on WINDOWS has version-specific updates:
r12.8.6 and Higher on Windows: openssl102zj_win64_12806_and_above.zip
r12.8.5 and Lower on Windows: openssl_102zj_windows_12805_andBelow.zip
The following upgrade binaries are attached at the bottom of this KB:
openssl102zj_win64_12806_and_above.zip
openssl102zj_linux.zip
###### UPGRADE INSTRUCTIONS ######
---------------------------------------------------
OpenSSL 1.0.2zj on Linux Installation Instructions
---------------------------------------------------
1) Copy "openssl102zj_linux.zip" to the Access Gateway Server
2) Unzip "openssl102zj_linux.zip"
unzip openssl102zj_linux.zip
3) Stop the Access Gateway Server.
4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.
5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.
6) Back up either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl
7) Copy the contents of the '/openssl102zj_linux/SSL/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.
CONTENTS:
openssl
EXAMPLE: cp -r /openssl102zj_linux/SSL/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/
8) Back up either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0
9) Copy the contents of the '/openssl102zj_linux/SSL/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.
CONTENTS:
libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0
EXAMPLE: cp -r /openssl102zj_linux/SSL/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/
10) Re-set the permissions on the copied files.
11) Re-source the environment variables:
. ./ca_sps_env.sh
12) Re-start the Access Gateway.
./proxy-engine/sps-ctl start
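Steps 5 to 10 above as one shell function, plus a post-upgrade version check. This is an added example, not part of the vendor KB or its attachments. The function names, the backup-directory argument and the 755 fallback mode are assumptions, and `stat -c` limits it to Linux.

```shell
#!/bin/sh
# Added example (not vendor code). Linux only: relies on `stat -c`.

# upgrade_ssl_dir NEW_DIR TARGET_DIR BACKUP_DIR
# For every file in NEW_DIR: record the mode of the file it replaces (step 5),
# back that file up (steps 6 and 8), copy the new file in (steps 7 and 9) and
# re-apply the recorded mode (step 10). Stops at the first failure.
upgrade_ssl_dir() {
    src=$1 dst=$2 bak=$3
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 1; }
    mkdir -p "$bak" || return 1
    for new in "$src"/*; do
        [ -f "$new" ] || continue
        name=${new##*/}
        old=$dst/$name
        mode=755                      # assumed default when nothing is replaced
        if [ -e "$old" ]; then
            # -L: report the mode of the real file if the name is a symlink
            mode=$(stat -L -c '%a' "$old") || return 1
            cp -p "$old" "$bak/$name" || return 1
        fi
        cp "$new" "$old" || return 1
        chmod "$mode" "$old" || return 1
        # Confirm the installed file is byte-identical to the delivered one
        cmp -s "$new" "$old" || { echo "copy mismatch: $name" >&2; return 1; }
    done
}

# check_openssl_version OPENSSL_BINARY EXPECTED
# Succeeds only if `OPENSSL_BINARY version` reports exactly EXPECTED,
# so 1.0.2z does not pass for 1.0.2zj.
check_openssl_version() {
    out=$("$1" version 2>/dev/null) || return 1
    case $out in
        "OpenSSL $2 "*) return 0 ;;
        *) echo "unexpected version: $out" >&2; return 1 ;;
    esac
}
```

Run `upgrade_ssl_dir` once for SSL/bin and once for SSL/lib while the server is stopped, then run `check_openssl_version` against the installed `openssl` with `1.0.2zj` after re-sourcing `ca_sps_env.sh`. File ownership is not restored by this sketch; only the mode is.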
---------------------------------------------------
OpenSSL 1.0.2zj Windows Installation Instructions
---------------------------------------------------
NOTE: OpenSSL 1.0.2zj for Access Gateway on WINDOWS applies to Access Gateway 12.8.6 and higher.
1) Copy "openssl102zj_win64_12806_and_above.zip" to the Access Gateway Server
2) Unzip "openssl102zj_win64_12806_and_above.zip"
3) Stop the Access Gateway server
4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway
Default: <Install_Dir> = C:\Program Files\
5) Back up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll
6) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
7) Back up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll
8) Copy the contents of '\openssl_1.0.2zi_win64_12806_and_above_1695394819364\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
9) Start the Access Gateway server
OpenSSL 1.0.2zi remediates the following CVEs:
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559