A security scan may return a flag for the following files on a Siteminder r12.52 SP01 CR11 Web Agent installation:
LINUX
/<Install_Dir>/CA/webagent/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/webagent/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so
WINDOWS
<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.so
<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.so
CAPKI (previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides the CA development community with the features required to implement information security services in its products. CAPKI is a wrapper on OpenSSL, which is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
PRODUCT: Symantec Siteminder
COMPONENT: Web Agent
VERSION: r12.52 SP1 cr11 and older; r12.8
OPERATING SYSTEM: Windows and Linux
CAPKI (Previously known as ETPKI) is a wrapper on OpenSSL. The Siteminder Web Agents ship with the following versions of CAPKI 5:
Siteminder r12.52 SP01 cr11 Web Agent: CAPKI 5.1.0-00
Siteminder r12.8 Web Agent: CAPKI 5.2.9-00
CAPKI 5.2.9-15 and older are compiled with an older version of OpenSSL 1.0.2 for which a number of vulnerabilities (CVEs) have been published.
CAPKI 5.2.16 has been compiled with OpenSSL 1.0.2zl. Upgrade CAPKI to CAPKI 5.2.16 on the Siteminder Web Agent.
LINUX
1) Download "etpki-install_5216_rhel.zip" from this KB.
2) Copy "etpki-install_5216_rhel.zip" to the Linux web server and decompress it.
3) Stop the Web Server
4) Change to the following directory:
/<Install_Dir>/CA/webagent/
5) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_5216_rhel.zip" to /<Install_Dir>/CA/webagent/
7) Change to the following directory:
/<Install_Dir>/CA/SharedComponents/
8) (If it exists) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
9) Modify the $CAPKIHOME variable in the environment variable script:
/<Install_Dir>/CA/webagent/ca_wa_env.sh
CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME
10) Run the updated web agent environment variable script.
cd /<Install_Dir>/CA/webagent/
. ./ca_wa_env.sh
11) Change to the following directory:
/<Install_Dir>/CA/webagent/etpki-install/redist/
12) Run the following command:
./setup install caller=wa12
NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory
13) Start the Web Server/Web Agent
14) Validate web agent functionality
15) Delete the following files:
/<Install_Dir>/CA/webagent/CAPKI.BAK
/<Install_Dir>/CA/SharedComponents/CAPKI.BAK
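The following check is an added example, not part of the vendor procedure: it reads the OpenSSL 1.0.2 build string embedded in a CAPKI library and compares it with the fixed build named above (1.0.2zl), so the scanner finding can be confirmed before the upgrade and cleared after it. It assumes the library carries OpenSSL's usual "OpenSSL 1.0.2<letters>" version text; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): report the OpenSSL 1.0.2 build embedded in a
# CAPKI library and compare it with the fixed build named in this article.
# Assumption: the library contains OpenSSL's usual "OpenSSL 1.0.2<letters>" text.

MIN_FIXED="1.0.2zl"

# Print the embedded version (e.g. 1.0.2u); prints nothing if no string is found.
# If several differ, the lowest is reported so a stale copy is not masked.
capki_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL 1\.0\.2[a-z]*' "$1" 2>/dev/null |
        sed 's/^OpenSSL //' | LC_ALL=C sort -u | head -n 1
}

# Return 0 if 1.0.2 release $1 is the same as or newer than $2.
# Suffixes run a..z, then za, zb, ...; byte-wise string order matches release order.
openssl_102_at_least() {
    have=${1#1.0.2}
    want=${2#1.0.2}
    [ "$have" = "$want" ] && return 0
    [ "$(LC_ALL=C expr "x$have" \> "x$want")" = 1 ]
}

# Classify one file: prints "<status> <version> <path>", returns 0/1/2.
check_capki_lib() {
    ver=$(capki_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN - $1"; return 2
    elif openssl_102_at_least "$ver" "$MIN_FIXED"; then
        echo "OK $ver $1"; return 0
    else
        echo "OUTDATED $ver $1"; return 1
    fi
}

# Demo on constructed stand-ins for libcaopenssl_crypto.so (not real libraries).
demo_dir=$(mktemp -d)
printf 'ELF\000\001OpenSSL 1.0.2u  (constructed)\000' > "$demo_dir/before.so"
printf 'ELF\000\001OpenSSL 1.0.2zl  (constructed)\000' > "$demo_dir/after.so"
for f in "$demo_dir/before.so" "$demo_dir/after.so"; do
    check_capki_lib "$f" || true
done
rm -rf "$demo_dir"
```

Call check_capki_lib on each libcaopenssl_crypto.so path the scanner reported; an UNKNOWN result means the version text was not found and the library needs to be checked another way.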
WINDOWS
1) Download "etpki-install_5216_win64bit.zip" from this KB.
2) Copy "etpki-install_5216_win64bit.zip" to the Windows web server and decompress it.
3) Stop the Web Server
4) Change to the following directory:
<Drive>:\<Install_Dir>\CA\webagent\win64\
5) Back up the '\etpki-install\' directory by renaming it '\etpki-install.BAK\'
ren etpki-install etpki-install.BAK
6) Copy the '\etpki-install\' directory from "etpki-install_5216_win64bit.zip" to <Drive>:\<Install_Dir>\CA\webagent\win64\
7) Change to the following directory:
<Drive>:\<Install_Dir>\CA\SC\
8) (If it exists) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)
10) Change to the following directory:
<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\redist\
11) Run the following command:
setup.exe install caller=wa12
NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory
12) Start the Web Server/Web Agent
13) Validate web agent functionality
14) Delete the following files:
<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install.BAK
<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK
Vulnerability in CAPKI 5 on Siteminder Web Agents
Vulnerability in CAPKI 5 on Siteminder Sharepoint Agent r12.8.x
Vulnerability in CAPKI 5 on Siteminder Policy Server r12.8.8.1 and older
Vulnerability in CAPKI 5 on Siteminder Access Gateway Server r12.8.8.1 and Older
OpenSSL 1.0.2zl remediates the following CVEs:
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559