Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.8.8.1 and Older

Article ID: 407938


Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server.  The following is a list of Apache HTTP Server versions by Siteminder Access Gateway version:

Access Gateway r12.8.7:     Apache HTTP Server 2.4.54
Access Gateway r12.8.8:     Apache HTTP Server 2.4.58
Access Gateway r12.8.8.1:  Apache HTTP Server 2.4.58


KB282288 (archived) delivered Apache 2.4.59
KB373899 (archived) delivered Apache 2.4.62
KB406240 (archived) delivered Apache 2.4.64

A number of Common Vulnerabilities and Exposures (CVEs) have been published for Apache HTTP Server 2.4.64 and older.  These CVEs are remediated in Apache HTTP Server 2.4.65.

NOTE: This KB applies to Siteminder Access Gateway r12.8.8.1 and OLDER.  For Apache HTTP Server on Siteminder Access Gateway r12.9, see the following KB:

Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway Server

VERSION: r12.8.8.1 and Older (ONLY)

OPERATING SYSTEM: ANY

Cause

CVE-2025-54090: 'RewriteCond expr' always evaluates to true in 2.4.64

SEVERITY: Moderate

DESCRIPTION: A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true".

IMPACTED: 2.4.64

REMEDIATED: 2.4.65

 

CVE-2024-42516: HTTP response splitting

SEVERITY: Moderate

DESCRIPTION: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response.

IMPACTED: 2.4.0 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2024-43204: SSRF with mod_headers setting Content-Type header

SEVERITY: Low

DESCRIPTION: SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

IMPACTED: 2.4.0 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2024-43394: SSRF on Windows due to UNC paths

SEVERITY: Moderate

DESCRIPTION: Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows can potentially leak NTLM hashes to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input.

IMPACTED: 2.4.0 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2024-47252: mod_ssl error log variable escaping

SEVERITY: Low

DESCRIPTION: Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

IMPACTED: 2.4.0 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2025-23048: mod_ssl access control bypass with session resumption

SEVERITY: Moderate

DESCRIPTION: In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.62, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

IMPACTED: 2.4.35 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2025-49630: mod_proxy_http2 denial of service

SEVERITY: Low

DESCRIPTION: In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.

Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".


IMPACTED: 2.4.26 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2025-49812: mod_ssl TLS upgrade attack

SEVERITY: Moderate

DESCRIPTION: In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

IMPACTED: 1.0 - 2.4.63

REMEDIATED: 2.4.64

 

CVE-2025-53020: HTTP/2 DoS by Memory Increase

SEVERITY: Moderate

DESCRIPTION: Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.

IMPACTED: 2.4.17 - 2.4.63

REMEDIATED: 2.4.64
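Added example, not part of this KB or of the Siteminder product: a read-only POSIX sh audit that greps an httpd.conf for the affected-configuration patterns the descriptions above name ("SSLEngine optional", ProxyPreserveHost on with an h2:// backend, CustomLog formats using %{...}x or %{...}c, more than one trusted-client-CA set without SSLStrictSNIVHostCheck, and "RewriteCond expr"). The directive names are real Apache directives; the two sample configurations the script writes are constructed. A match means the pattern is present in the configuration, not that the gateway is vulnerable; that still depends on the installed Apache version shown in the IMPACTED lines, and the RewriteCond finding matters only on 2.4.64 (the build delivered by KB406240).

```shell
#!/bin/sh
# Added example (not from the KB): flag the affected-configuration patterns
# named in the CVE descriptions. Sample configurations below are constructed.

# audit_httpd_conf FILE
# Prints one line per matching pattern. Returns 0 when nothing matched,
# 1 when at least one pattern matched (review against the running version).
audit_httpd_conf() {
    conf="$1"
    hits=0

    # CVE-2025-49812: only "SSLEngine optional" (TLS upgrade) is affected.
    if grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+optional' "$conf"; then
        printf 'CVE-2025-49812: SSLEngine optional enables TLS upgrade\n'
        hits=$((hits + 1))
    fi

    # CVE-2025-49630: reverse proxy to an HTTP/2 (h2:// or h2c://) backend
    # with ProxyPreserveHost on.
    if grep -Eiq '^[[:space:]]*ProxyPreserveHost[[:space:]]+on' "$conf" &&
       grep -Eiq '^[[:space:]]*ProxyPass[[:space:]].*h2c?://' "$conf"; then
        printf 'CVE-2025-49630: ProxyPreserveHost on with an HTTP/2 backend\n'
        hits=$((hits + 1))
    fi

    # CVE-2024-47252: CustomLog formats using %{var}x or %{var}c write the
    # raw value of variables such as SSL_TLS_SNI without escaping.
    if grep -Ei '^[[:space:]]*CustomLog' "$conf" | grep -Eq '%\{[^}]*\}[xc]'; then
        printf 'CVE-2024-47252: CustomLog logs %%{...}x/%%{...}c variables unescaped\n'
        hits=$((hits + 1))
    fi

    # CVE-2025-23048: more than one trusted-client-CA set across virtual
    # hosts while SSLStrictSNIVHostCheck is not on anywhere.
    ca_sets=$(grep -Ei '^[[:space:]]*SSLCACertificate(File|Path)' "$conf" |
              awk '{print $2}' | sort -u | wc -l | tr -d ' ')
    if [ "$ca_sets" -ge 2 ] &&
       ! grep -Eiq '^[[:space:]]*SSLStrictSNIVHostCheck[[:space:]]+on' "$conf"; then
        printf 'CVE-2025-23048: %s client-CA sets, SSLStrictSNIVHostCheck not on\n' "$ca_sets"
        hits=$((hits + 1))
    fi

    # CVE-2025-54090: "RewriteCond expr" evaluates as true on 2.4.64 only,
    # so such a rule silently stops restricting anything on that build.
    if grep -Eiq '^[[:space:]]*RewriteCond[[:space:]]+expr' "$conf"; then
        printf 'CVE-2025-54090: RewriteCond expr present (broken on 2.4.64)\n'
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# write_sample_conf FILE weak|hardened
# Constructed samples: "weak" carries every pattern above, "hardened" the same
# site with the settings the descriptions point to (the RewriteCond issue has
# no configuration fix; the remedy is the 2.4.65 build).
write_sample_conf() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
SSLEngine optional
ProxyPreserveHost on
ProxyPass "/app/" "h2://backend.example.internal:8443/"
CustomLog logs/ssl_request.log "%t %h %{SSL_TLS_SNI}x \"%r\""
RewriteCond expr "%{HTTP_HOST} == 'a.example.test'"
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-b.pem
</VirtualHost>
EOF
    else
        cat > "$1" <<'EOF'
SSLEngine on
SSLStrictSNIVHostCheck on
ProxyPreserveHost off
ProxyPass "/app/" "h2://backend.example.internal:8443/"
CustomLog logs/access.log "%t %h \"%r\" %>s"
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-b.pem
</VirtualHost>
EOF
    fi
}

# Stand-alone run: audit both constructed samples.
sample=$(mktemp)
for mode in weak hardened; do
    write_sample_conf "$sample" "$mode"
    printf '== %s sample ==\n' "$mode"
    audit_httpd_conf "$sample" || true
done
rm -f "$sample"
```

To check a gateway, run audit_httpd_conf against the conf files under <Install_Dir>/CA/secure-proxy/httpd/conf/ (Include'd files need to be passed individually; the script does not follow Include directives).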

Resolution

NOTE: This KB provides Apache HTTP Server 2.4.64 for Access Gateway Servers r12.8.8.1 and Older ONLY.

This KB is not to be used for Siteminder Access Gateway r12.9.

Apache HTTP Web Server 2.4.x is tied to OpenSSL.  Siteminder Access Gateway r12.8.8.1 and older are bundled with OpenSSL 1.0.2, while Access Gateway r12.9 is bundled with OpenSSL 3.0.15.  

For Apache HTTP Server on Siteminder Access Gateway r12.9, see the following KB:

Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

 

How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway

 

WINDOWS

1. Stop the running Access Gateway Server

2. Using File Explorer, navigate to the Access Gateway installation directory

Default: <Install_Dir>\CA\secure-proxy\

3. Back up the original '\httpd' directory (referred to below as <httpd_orig>)

<Install_Dir>\CA\secure-proxy\httpd

4. Unzip the attached "httpd_2465_win64_128801andBelow.zip" and copy the 'httpd' folder to <Install_Dir>\CA\secure-proxy\

5. Copy the '\conf' directory from the original  "<httpd_orig>\conf"  into  <Install_Dir>\CA\secure-proxy\httpd\

6. Copy the 'configssl.bat' file from the original  "<httpd_orig>\bin"  into  <Install_Dir>\CA\secure-proxy\httpd\bin

7. Upgrade to OpenSSL 1.0.2zl as per KB385668: Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

8. Start the Access Gateway Server.

 

LINUX

1. Stop the running Access Gateway Server

2. Navigate to the Access Gateway installation directory 

Default: <Install_Dir>/CA/secure-proxy/

3. Back up the original '/httpd' directory (referred to below as <httpd_orig>)

<Install_Dir>/CA/secure-proxy/httpd

EXAMPLE: cp -R <Install_Dir>/CA/secure-proxy/httpd/ <Install_Dir>/CA/secure-proxy/httpd_orig/

4. Unzip the attached 'httpd_2465_linux_1280801andBelow.zip' file and copy the '/httpd' folder to <Install_Dir>/CA/secure-proxy/

5. Copy the following files from the original  <httpd_orig>  into  <Install_Dir>/CA/secure-proxy/httpd/

cp -r httpd_orig/conf  httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config  httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std  httpd/bin/

6. Upgrade to OpenSSL 1.0.2zl as per KB385668: Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

7. Start the Access Gateway Server.
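Added example, not part of this KB or of the Siteminder product: a POSIX sh helper that performs Linux steps 3 and 5 above with the checks an operator would want (refusing to overwrite an existing httpd_orig, verifying every file to be carried over exists before anything is copied, and copying the contents of conf/ so that no nested httpd/conf/conf is created if the unpacked tree already ships a conf directory), plus a version check for use before and after the swap. It assumes the bundled binary is at <Install_Dir>/CA/secure-proxy/httpd/bin/httpd and prints "Server version: Apache/x.y.z" for httpd -v; stopping and starting the Access Gateway, unpacking the zip, and the OpenSSL upgrade (steps 1, 4, 6 and 7) stay manual.

```shell
#!/bin/sh
# Added example (not from the KB): wraps Linux steps 3 and 5 with checks and
# adds a version check. Assumes httpd/bin/httpd is the bundled binary.

# bin scripts the KB lists for step 5 (site-specific, carried over from the backup)
PRESERVED_BIN_FILES="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# backup_httpd INSTALL_DIR
# Step 3: copy <Install_Dir>/CA/secure-proxy/httpd to httpd_orig. Refuses if a
# backup already exists, so re-running after the new tree is unpacked cannot
# replace the only copy of the original with the patched one.
backup_httpd() {
    proxy_dir="$1/CA/secure-proxy"
    if [ -e "$proxy_dir/httpd_orig" ]; then
        printf 'refusing: %s/httpd_orig already exists\n' "$proxy_dir" >&2
        return 1
    fi
    cp -R "$proxy_dir/httpd" "$proxy_dir/httpd_orig"
}

# preserve_site_files INSTALL_DIR
# Step 5: copy conf/ and the listed bin scripts from httpd_orig into the
# unpacked httpd tree. Every source is checked before anything is copied, so a
# missing file cannot leave a half-merged tree that is then started.
preserve_site_files() {
    proxy_dir="$1/CA/secure-proxy"
    orig="$proxy_dir/httpd_orig"
    new="$proxy_dir/httpd"
    [ -d "$orig/conf" ] || { printf 'missing %s\n' "$orig/conf" >&2; return 1; }
    [ -d "$new/bin" ] || { printf 'no unpacked tree at %s\n' "$new" >&2; return 1; }
    for f in $PRESERVED_BIN_FILES; do
        [ -f "$orig/bin/$f" ] || { printf 'missing %s\n' "$orig/bin/$f" >&2; return 1; }
    done
    # "conf/." copies the contents; a plain "cp -r conf httpd/" would nest a
    # second conf/ inside it if the unpacked tree already ships one.
    mkdir -p "$new/conf"
    cp -R "$orig/conf/." "$new/conf/"
    for f in $PRESERVED_BIN_FILES; do
        cp "$orig/bin/$f" "$new/bin/"
    done
}

# parse_httpd_version TEXT
# Extract the version from "httpd -v" output such as
# "Server version: Apache/2.4.65 (Unix)". Prints nothing if not found.
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# installed_httpd_version INSTALL_DIR
# Run the bundled binary (assumed path) and print its version: before the swap
# to record the starting point, after it to confirm the new build.
installed_httpd_version() {
    bin="$1/CA/secure-proxy/httpd/bin/httpd"
    [ -x "$bin" ] || { printf 'no executable at %s\n' "$bin" >&2; return 1; }
    parse_httpd_version "$("$bin" -v 2>/dev/null)"
}

# Usage: sh httpd_swap.sh backup|merge|version <Install_Dir>
# Steps 1, 4, 6 and 7 (stop, unpack the zip, OpenSSL upgrade, start) stay manual.
case "${1:-}" in
    backup)  installed_httpd_version "$2" || true; backup_httpd "$2" ;;
    merge)   preserve_site_files "$2" ;;
    version) installed_httpd_version "$2" ;;
esac
```

Run "backup" before unpacking the zip and "merge" after it; "version" after step 7 confirms the running gateway reports the new build, and the same check before step 1 records what was in place for the change ticket.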

Additional Information

How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway

KB385668: Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

Apache HTTP Server 2.4 vulnerabilities

CVE-2025-54090
CVE-2024-42516
CVE-2024-43204
CVE-2024-43394
CVE-2024-47252
CVE-2025-23048
CVE-2025-49630
CVE-2025-49812
CVE-2024-40898
CVE-2024-40725
CVE-2023-38709
CVE-2024-36387
CVE-2024-24795
CVE-2024-27316
CVE-2023-31122
CVE-2023-43622
CVE-2023-45802
CVE-2023-25690
CVE-2023-27522
CVE-2006-20001
CVE-2022-36760
CVE-2022-37436
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
CVE-2022-22719
CVE-2022-22720
CVE-2022-22721
CVE-2022-23943
CVE-2021-44224
CVE-2021-44790
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773
CVE-2021-33193
CVE-2021-34798
CVE-2021-36160
CVE-2021-39275
CVE-2021-40438
CVE-2019-17567
CVE-2020-13938
CVE-2020-13950
CVE-2020-35452
CVE-2021-26690
CVE-2021-26691
CVE-2021-30641
CVE-2021-31618
CVE-2020-11984
CVE-2020-11993
CVE-2020-9490

Attachments

httpd_2465_win64_128801andBelow.zip
httpd_2465_linux_1280801andBelow.zip