The Siteminder Policy Server ships with CAPKI (previously known as ETPKI). The Policy Server uses it to encrypt Policy Server-to-agent communication and to support FIPS. OpenSSL is bundled with CAPKI, and the bundled OpenSSL version varies with the Siteminder release:
r12.8.6a: OpenSSL 1.0.2za
r12.8.7: OpenSSL 1.0.2ze-fips
r12.8.8: OpenSSL 1.0.2zg-fips
r12.8.8.1: OpenSSL 1.0.2zj-fips
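The helper below is an added example, not part of the original article or of the product: it orders OpenSSL 1.0.2 letter releases so a version string like those listed above can be checked against the 1.0.2zk build named in this article. The function names are hypothetical, and how the version string is read from a given installation is left to the reader.

```shell
#!/bin/sh
# Added example (not from the article): order OpenSSL 1.0.2 letter releases.
# Upstream numbering runs 1.0.2, 1.0.2a ... 1.0.2z, 1.0.2za, 1.0.2zb ...
_letters=abcdefghijklmnopqrstuvwxyz

# Print a numeric rank for strings such as "OpenSSL 1.0.2zj-fips" or "1.0.2zk".
# Returns 1 when the input is not a 1.0.2-series version.
openssl102_rank() {
    # The "=" marks a match, so plain "1.0.2" (empty suffix) differs from no match.
    s=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}1\.0\.2\(z*[a-z]\)\{0,1\}\(-fips\)\{0,1\}\( .*\)\{0,1\}$/=\2/p')
    [ -n "$s" ] || return 1
    s=${s#=}
    rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                 # first character of the suffix
        s=${s#?}
        before=${_letters%%"$c"*}       # letters that sort before $c
        rank=$((rank + ${#before} + 1)) # a=1 ... z=26, za=27, zk=37
    done
    printf '%s\n' "$rank"
}

# Status 0: $1 is older than the fixed build $2 (default 1.0.2zk, per the article).
# Status 1: $1 is at or above it. Status 2: a version string could not be parsed.
openssl102_needs_patch() {
    have=$(openssl102_rank "$1") || return 2
    want=$(openssl102_rank "${2:-1.0.2zk}") || return 2
    [ "$have" -lt "$want" ]
}

# Release-to-version pairs as listed in the article; the last entry is a
# constructed post-upgrade value.
for entry in "r12.8.6a:OpenSSL 1.0.2za" "r12.8.7:OpenSSL 1.0.2ze-fips" \
             "r12.8.8:OpenSSL 1.0.2zg-fips" "r12.8.8.1:OpenSSL 1.0.2zj-fips" \
             "patched:OpenSSL 1.0.2zk"; do
    if openssl102_needs_patch "${entry#*:}"; then
        state="older than 1.0.2zk"
    else
        state="at or above 1.0.2zk"
    fi
    printf '%s (%s): %s\n' "${entry%%:*}" "${entry#*:}" "$state"
done
```

A plain string comparison would not be reliable here, because single-letter suffixes such as 1.0.2u sort after 1.0.2k but before 1.0.2za.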
PRODUCT: Siteminder
COMPONENT: Policy Server
VERSION: 12.8.8.1 and older
Please use the attached CAPKI 5_2_15 with OpenSSL 1.0.2zk to remediate this vulnerability.
Please follow the steps below for your platform.
Windows
1) Stop the Policy Server
2) Take the backup of the following directories
<Install_Dir>\CA\siteminder\etpki-install
<Install_Dir>\CA\SC\CAPKI
3) Copy "etpki-install_5_2_15_win64.zip" to the Policy Server
4) Unzip "etpki-install_5_2_15_win64.zip"
5) Copy the new "<Install_Dir>\etpki-install_5_2_15_win64\etpki-install" directory to "<Install_Dir>\CA\siteminder\", overwriting the original directory and sub-directories.
6) Using Windows File Explorer, browse to "<Install_Dir>\CA\siteminder\etpki-install"
7) Run the following executable with elevated permissions (i.e. Run As Administrator):
setup.exe install caller=ps12
NOTE: This will install in <Install_Dir>\CA\SC\CAPKI
8) Start the Policy Server
Linux
1) Stop the Policy Server
2) Take the backup of the following directories
<Install_Dir>/CA/siteminder/etpki-install
<Install_Dir>/CA/SharedComponents/CAPKI (in case it exists in your system)
3) Copy "etpki-install_5_2_15_linux.zip" to the Policy Server
4) Unzip "etpki-install_5_2_15_linux.zip"
5) Copy the new "<Install_Dir>/etpki-install_5_2_15_linux/etpki-install" directory to "<Install_Dir>/CA/siteminder/", overwriting the original directory and sub-directories.
6) Go to "<Install_Dir>/CA/siteminder/etpki-install/redistrib/"
7) Run the following commands:
export CAPKIHOME=/opt/CA/SharedComponents/CAPKI
./setup install caller=ps12
NOTE: The installation creates a new CAPKI5 folder under /opt/CA/SharedComponents/CAPKI/. If that directory did not exist prior to the CAPKI upgrade, the patch installation creates it. This is expected behaviour. The updated CAPKI5 folder then needs to be copied to the corresponding SiteMinder directory.
8) Copy the new CAPKI5 from /opt/CA/SharedComponents/CAPKI/ to <Install_Dir>/CA/siteminder/CAPKI/
9) Start the Policy Server
OpenSSL 1.0.2zl remediates the following CVEs:
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559