OpenSSL Vulnerabilities CVE-2024-5535 CVE-2024-0727 CVE-2023-5678 in SPS

Article ID: 374656


Products

  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


When running CA Access Gateway (SPS), the following vulnerabilities have been found in the OpenSSL version that CA Access Gateway (SPS) runs:

  • CVE-2024-5535
  • CVE-2024-0727
  • CVE-2023-5678

 

Resolution


The CA Access Gateway (SPS) 12.8SP8CR01 is not vulnerable to these 3 vulnerabilities.

 

CVE-2024-5535

 

Regarding CVE-2024-5535, the CA Access Gateway (SPS) does not call the function SSL_select_next_proto while establishing the SSL connection.

The CA Access Gateway (SPS) also does not use the HTTP/2 functionality. Thus, CVE-2024-5535 has no impact on the CA Access Gateway (SPS) module.

Finally, it is a low-severity issue, and it doesn't affect OpenSSL version 3 (1).

OpenSSL will be updated to 3.x.x in the 12.8SP9 release.

 

CVE-2024-0727 CVE-2023-5678

 

Regarding the vulnerabilities CVE-2024-0727 and CVE-2023-5678, the recommendation is to upgrade OpenSSL to version 1.0.2zj (2).

The CA Access Gateway (SPS) version 12.8SP8CR01 already has that version:

      # /{home_SPS}/SSL/bin/openssl version
      WARNING: can't open config file: /tmp/openssl-1.0.2zj/Release/ssl/openssl.cnf
      OpenSSL 1.0.2zj-fips  30 Jan 2024

      # cat /{home_SPS}/install_config_info/ca-sps-version.info
      Product Name=Access Gateway
      FullVersion=12.80.0801.3003
      Version=12.80
      Update=0801
      Build Number=3003
      Location=/opt/CA/secure-proxy
      InstanceName=default

Upgrade the CA Access Gateway (SPS) to 12.8SP8CR01 to get OpenSSL 1.0.2zj out of the box (3).
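The version check above can be scripted so that it tolerates the config-file warning and the `-fips` suffix. The following is an added example, not part of the original article or the product; the function names are hypothetical, and it assumes the OpenSSL 1.0.2 letter-release ordering (no letter, then a to z, then za, zb, and so on).

```shell
#!/bin/sh
# Added example: compare a bundled OpenSSL 1.0.2 build with the 1.0.2zj level
# that the article recommends for CVE-2024-0727 and CVE-2023-5678.
FLOOR_LETTERS="zj"

# Pull the version token (e.g. "1.0.2zj-fips") out of `openssl version` output,
# ignoring lines such as "WARNING: can't open config file".
parse_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Print the patch letters of a 1.0.2 token: "1.0.2zj-fips" -> "zj".
patch_letters() {
    v=${1%%-*}                                  # drop "-fips" or similar suffix
    case "$v" in 1.0.2*) l=${v#1.0.2} ;; *) return 1 ;; esac
    case "$l" in *[!a-z]*) return 1 ;; esac     # letters only
    printf '%s' "$l"
}

# Assumed ordering: "" < a..z < za..zz, so compare length first, then text.
letters_at_least() {
    have=$1; want=$2
    [ "${#have}" -gt "${#want}" ] && return 0
    [ "${#have}" -lt "${#want}" ] && return 1
    first=$(printf '%s\n%s\n' "$have" "$want" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$want" ]
}

# Classify the output of `openssl version` (stdout and stderr combined).
check_openssl_output() {
    token=$(parse_openssl_version "$1")
    [ -n "$token" ] || { echo "unparsed"; return; }
    letters=$(patch_letters "$token") || { echo "not-1.0.2:$token"; return; }
    if letters_at_least "$letters" "$FLOOR_LETTERS"; then
        echo "ok:$token"
    else
        echo "below-floor:$token"
    fi
}

# Sample input: the two output lines shown in the article.
SAMPLE="WARNING: can't open config file: /tmp/openssl-1.0.2zj/Release/ssl/openssl.cnf
OpenSSL 1.0.2zj-fips  30 Jan 2024"
check_openssl_output "$SAMPLE"
```

On a live system, pass the combined output of the bundled binary (the `/{home_SPS}/SSL/bin/openssl version` command shown above, with stderr redirected to stdout) instead of `SAMPLE`.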

 

Additional Information