Vulnerabilities in OpenSSL 1.0.2zk and older, as bundled with Symantec Siteminder Access Gateway r12.8.x, have been published.
Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:
r12.8.0: OpenSSL 1.0.2q
r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za
r12.8.7: OpenSSL 1.0.2zf
r12.8.8: OpenSSL 1.0.2zi
r12.8.8.1: OpenSSL 1.0.2zj
KB 274048 delivers OpenSSL 1.0.2zi
KB 280151 delivers OpenSSL 1.0.2zj
PRODUCT: Siteminder
COMPONENT: Access Gateway
OPERATING SYSTEM: ANY
VERSION: 12.8.8.1 and older
The following CVEs have been published since OpenSSL 1.0.2zj:
CVE-2024-13176 "Timing side-channel in ECDSA signature computation"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-9143 "Low-level invalid GF(2^m) parameters lead to OOB memory access"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-5535 "SSL_select_next_proto buffer overread"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zj
Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zl.
The solution provided is OpenSSL 1.0.2zk with the 1.0.2zl fix compiled into it. The version will appear as [OpenSSL 1.0.2zk-fips-sl-u1 xx XXX xxxx]
###### UPGRADE INSTRUCTIONS ######
---------------------------------------------------
OpenSSL 1.0.2zl on Linux Installation Instructions
---------------------------------------------------
1) Copy "openssl-1.0.2zk-sl-u1-linux-x86_64.zip" to the Access Gateway Server.
2) Unzip "openssl-1.0.2zk-sl-u1-linux-x86_64.zip".
EXAMPLE: unzip openssl-1.0.2zk-sl-u1-linux-x86_64.zip
3) Stop the Access Gateway Server.
4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.
5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.
6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl
7) Copy the contents of the '/openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.
CONTENTS:
openssl
EXAMPLE: cp -r /openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/
8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0
9) Copy the contents of the '/openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.
CONTENTS:
libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0
EXAMPLE: cp -r /openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/
10) Reset the permissions on the copied files to match those noted in step 5.
11) Re-source the environment variables:
. ./ca_sps_env.sh
12) Restart the Access Gateway:
./proxy-engine/sps-ctl start
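The Linux procedure above, as an added example (not part of the KB article or Broadcom's tooling): a POSIX shell helper that performs steps 5 to 10 for one host while recording and reapplying each replaced file's permissions, plus a version check that recognises the special 1.0.2zk-fips-sl-u1 build as the 1.0.2zl fix level, which a plain version comparison would wrongly report as still vulnerable. It assumes GNU coreutils (stat -c, cp -p) on the Access Gateway host; INSTALL_DIR stands for <InstallDir> and PKG_DIR for the unzipped package folder.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumes GNU coreutils (stat -c, cp -p);
# INSTALL_DIR stands in for <InstallDir>, PKG_DIR for the unzipped package folder.

# Classify an "openssl version" output line against the 1.0.2zl fix level.
# Returns 0 = remediated, 1 = still vulnerable, 2 = not a 1.0.2 build (cannot judge).
# The Broadcom build reports "1.0.2zk-fips-sl-u1" (zl fix compiled into zk), so the
# "-sl-u1" suffix is treated as remediated before any letter comparison is done.
openssl_is_patched() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.2zk*-sl-u1*) return 0 ;;   # KB build: 1.0.2zk with the 1.0.2zl fix
    1.0.2*) ;;                     # ordinary 1.0.2 letter release, compare below
    *) return 2 ;;                 # not a 1.0.2 build at all
  esac
  # Keep only the letter suffix, dropping build tags such as "-fips".
  letters=$(printf '%s\n' "$ver" | sed 's/^1\.0\.2//; s/-.*//')
  # 1.0.2 letter suffixes sort lexically: q < r < u < x < za < zf < zi < zj < zk < zl
  if expr "$letters" \>= zl >/dev/null; then return 0; fi
  return 1
}

# Steps 5 to 10 for one host: back up SSL/bin and SSL/lib with their modes intact,
# copy the package files in, and reapply each replaced file's original mode.
upgrade_linux_openssl() {
  install_dir=$1; pkg_dir=$2
  ssl_dir="$install_dir/CA/secure-proxy/SSL"
  stamp=$(date +%Y%m%d%H%M%S)
  for sub in bin lib; do
    cp -rp "$ssl_dir/$sub" "$ssl_dir/$sub.bak.$stamp" || return 1   # steps 6 and 8: backup
    for src in "$pkg_dir/SSL/$sub"/*; do
      [ -e "$src" ] || continue
      dest="$ssl_dir/$sub/$(basename "$src")"
      mode=""
      [ -e "$dest" ] && mode=$(stat -c %a "$dest")                   # step 5: note permissions
      cp "$src" "$dest" || return 1                                  # steps 7 and 9: copy
      [ -n "$mode" ] && chmod "$mode" "$dest"                        # step 10: reset permissions
    done
  done
  return 0
}

# Post-upgrade check: run the bundled binary against the bundled libraries
# (the layout ca_sps_env.sh points at) and classify the version it reports.
verify_bundled_openssl() {
  ssl_dir="$1/CA/secure-proxy/SSL"
  line=$(LD_LIBRARY_PATH="$ssl_dir/lib" "$ssl_dir/bin/openssl" version) || return 2
  openssl_is_patched "$line"
}
```

Run with the gateway stopped, e.g. `upgrade_linux_openssl /opt /openssl-1.0.2zk-sl-u1-linux-x86_64 && verify_bundled_openssl /opt`; an exit status other than 0 from the verification means the expected 1.0.2zk-fips-sl-u1 string is not what the copied binary reports.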
---------------------------------------------------
OpenSSL 1.0.2zl Windows Installation Instructions
---------------------------------------------------
NOTE: OpenSSL 1.0.2zl for Access Gateway on WINDOWS applies to Access Gateway 12.8.6 and higher.
1) Copy "openssl-1.0.2zk-sl-u1-win64.zip" to the Access Gateway Server
2) Unzip "openssl-1.0.2zk-sl-u1-win64.zip"
3) Stop the Access Gateway server
4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway
Default: <Install_Dir> = C:\Program Files\
5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll
6) Copy the contents of '\openssl-1.0.2zk-sl-u1-win64\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll
8) Copy the contents of '\openssl-1.0.2zk-sl-u1-win64\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
9) Start the Access Gateway server
OpenSSL 1.0.2zl remediates the following CVEs:
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559