Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Sharepoint Agent r12.8.x
Article ID: 408072

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Siteminder Sharepoint Agent ships with OpenSSL 1.0.2. There have been a number of vulnerabilities published for various versions of OpenSSL.

 

Environment

PRODUCT: Siteminder

COMPONENT: Sharepoint Agent

OPERATING SYSTEM: ANY

VERSION: 12.8.7 & 12.8.8

Cause

The following CVEs have been published since OpenSSL 1.0.2zj:

CVE-2024-13176 "Timing side-channel in ECDSA signature computation"

SEVERITY: Low

DESCRIPTION: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

IMPACTED: OpenSSL 1.0.2 - 1.0.2zk

REMEDIATED: OpenSSL 1.0.2ZL

CVE-2024-9143 "Low-level invalid GF(2^m) parameters lead to OOB memory access"

SEVERITY: Low

DESCRIPTION: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we’re aware of, either only “named curves” are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can’t represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.

IMPACTED: OpenSSL 1.0.2 - 1.0.2zk

REMEDIATED: OpenSSL 1.0.2ZL

CVE-2024-5535 "SSL_select_next_proto buffer overread"

SEVERITY: Low

DESCRIPTION: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular, this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer, leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control, but may occur by accident in the case of a configuration or programming error in the calling application.

IMPACTED: OpenSSL 1.0.2 - 1.0.2zk

REMEDIATED: OpenSSL 1.0.2ZL

Resolution

How to Verify the version of OpenSSL Installed on the Siteminder Sharepoint Agent

The solution provided is OpenSSL 1.0.2zk with the 1.0.2ZL fix compiled into it. The version will appear as [OpenSSL 1.0.2zk-fips-sl-u1  xx XXX xxxx]
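As an added example (not part of this article), the following POSIX shell check classifies the banner printed by "openssl version" against the fixed-build string above, so the result of a fleet-wide check can be read without eyeballing version letters. The <InstallDir> argument, the SSL/lib library path and the LD_LIBRARY_PATH setting are assumptions.

```shell
#!/bin/sh
# Classify the Sharepoint Agent's bundled OpenSSL from its "openssl version" banner.
# Added example, not from the Broadcom article. The only page-supplied fact is the
# banner of the fixed build: "OpenSSL 1.0.2zk-fips-sl-u1  xx XXX xxxx".

# Version token the article says the patched build reports.
ZL_BUILD_TAG="1.0.2zk-fips-sl-u1"

# classify_openssl_banner BANNER -> prints patched | vulnerable | unknown
classify_openssl_banner() {
    set -- $1                         # split on whitespace: $2 is the version token
    ver=$2
    case "$ver" in
        1.0.2*) ;;                    # the 1.0.2 line this article is about
        *) echo unknown; return 0 ;;  # other lines (1.1.1, 3.x) or an empty banner
    esac
    if [ "$ver" = "$ZL_BUILD_TAG" ]; then
        echo patched; return 0        # zk build with the ZL fixes compiled in
    fi
    suffix=${ver#1.0.2}               # e.g. "zk-fips-sl-u1"
    letters=$(printf '%s' "${suffix%%-*}" | tr 'A-Z' 'a-z')   # release letters, e.g. "zk"
    case "$letters" in
        "" | [a-z] | z[a-k]) echo vulnerable ;;   # 1.0.2 through 1.0.2zk: the CVEs above apply
        z[l-z])             echo patched ;;       # upstream 1.0.2zl or later
        *)                  echo unknown ;;
    esac
}

# agent_openssl_status INSTALLDIR: run the agent's own binary with the bundled
# libraries on the loader path (the LD_LIBRARY_PATH setting is an assumption, so the
# system OpenSSL is not reported by mistake), print the banner and the verdict.
agent_openssl_status() {
    ssl_dir="$1/CA/Agent-for-SharePoint/SSL"
    banner=$(LD_LIBRARY_PATH="$ssl_dir/lib" "$ssl_dir/bin/openssl" version 2>/dev/null) || banner=""
    echo "banner: ${banner:-<openssl did not run>}"
    classify_openssl_banner "$banner"
}

# Usage: sh check_agent_openssl.sh <InstallDir>
if [ -n "${1:-}" ]; then
    agent_openssl_status "$1"
fi
```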

 

###### UPGRADE INSTRUCTIONS ######

 

LINUX

1) Copy "openssl-1.0.2ZL-Linux.zip" to the Sharepoint Agent Server

2) Unzip "openssl-1.0.2ZL-Linux.zip"

EXAMPLE: unzip openssl-1.0.2ZL-Linux.zip

3) Stop the Sharepoint Agent Server.

4) Navigate to the '<InstallDir>/CA/Agent-for-SharePoint/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/Agent-for-SharePoint/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/Agent-for-SharePoint/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl102zl_linux/bin/' folder to the '/<InstallDir>/CA/Agent-for-SharePoint/SSL/bin/' directory.

CONTENTS:

openssl

EXAMPLE: cp -r /openssl102zl_linux/bin/* /<InstallDir>/CA/Agent-for-SharePoint/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/Agent-for-SharePoint/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/openssl102zl_linux/lib/' folder to the '/<InstallDir>/CA/Agent-for-SharePoint/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /openssl102zl_linux/lib/* /<InstallDir>/CA/Agent-for-SharePoint/SSL/lib/

10) Reset the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Restart the Sharepoint Agent.

./proxy-engine/sps-ctl start

 


WINDOWS

1) Copy "openssl-1.0.2ZL-Windows.zip" to the Sharepoint Agent Server

2) Unzip "openssl-1.0.2ZL-Windows.zip"

3) Stop the Sharepoint Agent server

4) Browse to the "<Install_Dir>\CA\Agent-for-SharePoint\SSL\bin\" directory in Sharepoint Agent

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\Agent-for-SharePoint\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl102zl_win64\bin\' folder to the '<Install_Dir>\CA\Agent-for-SharePoint\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\Agent-for-SharePoint\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\openssl102zl_win64\bin\' folder to the '<Install_Dir>\CA\Agent-for-SharePoint\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Sharepoint Agent server

Additional Information

KB406508: How to Verify the version of OpenSSL Installed on the Siteminder Sharepoint Agent

Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zl remediates the following CVEs:

CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

openssl-1.0.2ZL-Linux.zip
openssl-1.0.2ZL-Windows.zip