A security scan may flag the following Bouncy Castle for Java file (bc-fips-1.0.2.4 or older) on a Siteminder Policy Server r12.9 or older:
/<Install_Dir>/CA/siteminder/bin/thirdparty/bc-fips-1.0.2.4.jar
PRODUCT: Symantec Siteminder
COMPONENT: Policy Server
VERSION: r12.9 and older
OPERATING SYSTEM: Windows and Linux
CVE-2025-8885
DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java.
IMPACTED: Bouncy Castle for Java
BC 1.0 through 1.77
BC-FJA 1.0.0 through 1.0.2.5
BC-FJA 2.0.0 through 2.0.0
REMEDIATED: Bouncy Castle for Java 1.0.2.6
Upgrade Bouncy Castle for Java on the Siteminder Policy Server r12.9 and older to Bouncy Castle 1.0.2.6
1) Log on to the Siteminder Policy Server
2) Stop the Siteminder Policy Server
3) Back up the existing "bc-fips-1.0.2.4.jar" or older (example: bc-fips-1.0.1.jar)
EXAMPLE:
# cd <Install_Dir>/CA/siteminder/bin/thirdparty/
# mv bc-fips-1.0.2.4.jar bc-fips-1.0.2.4.jar.BAK
4) Copy 'bc-fips-1.0.2.6.jar' from this KB to the Siteminder Policy Server.
5) Place the updated 'bc-fips-1.0.2.6.jar' in the following directory
/<Install_Dir>/CA/siteminder/bin/thirdparty/
6) Start the Siteminder Policy Server and verify functionality
7) Delete the following files
<Install_Dir>/CA/siteminder/bin/thirdparty/bc-fips-1.0.2.4.jar.BAK
8) Modify the 'jvmoptions.txt' file by adding/modifying the path and file version for 'bc-fips-1.0.2.6.jar' in the '-Djava.class.path' entry.
EXAMPLE: -Djava.class.path=<existing_entries>:/<Install_Dir>/CA/siteminder/bin/thirdparty/bc-fips-1.0.2.6.jar
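The following check is an added example, not part of the original KB or vendor tooling: it audits the result of steps 3 to 8 by flagging any bc-fips jar older than 1.0.2.6 left in the thirdparty directory (including .BAK copies, which a file-based scan will still report) and any stale class path entry in jvmoptions.txt. The function names, the script name and the sample tree built by make_sample are assumptions; the path to jvmoptions.txt is passed as an argument because the KB does not state it.

```shell
#!/bin/sh
# Added example (not vendor code): audit the jar swap described in this KB.
FIXED="1.0.2.6"   # remediated bc-fips version named in this KB

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_bcfips DIR JVMOPTIONS: print findings; return 0 only when clean.
audit_bcfips() {
    dir=$1; opts=$2; rc=0
    for jar in "$dir"/bc-fips-*.jar*; do      # also matches *.jar.BAK backups
        [ -e "$jar" ] || continue
        name=${jar##*/}
        ver=${name#bc-fips-}; ver=${ver%%.jar*}
        if ver_lt "$ver" "$FIXED"; then echo "OLD   $name still on disk"; rc=1; fi
    done
    [ -f "$dir/bc-fips-$FIXED.jar" ] || { echo "MISSING bc-fips-$FIXED.jar"; rc=1; }
    # Every bc-fips jar named in the class path must be the fixed version.
    for ref in $(grep -o 'bc-fips-[0-9.]*\.jar' "$opts" | sort -u); do
        ver=${ref#bc-fips-}; ver=${ver%.jar}
        if ver_lt "$ver" "$FIXED"; then echo "STALE $ref in ${opts##*/}"; rc=1; fi
    done
    grep -q "bc-fips-$FIXED\.jar" "$opts" || { echo "NOREF bc-fips-$FIXED.jar not on class path"; rc=1; }
    return "$rc"
}

# Constructed sample: a directory midway through the procedure (temp paths are hypothetical).
make_sample() {
    d=$(mktemp -d)
    : > "$d/bc-fips-1.0.2.4.jar.BAK"; : > "$d/bc-fips-1.0.2.6.jar"
    echo "-Djava.class.path=/opt/x.jar:$d/bc-fips-1.0.2.4.jar" > "$d/jvmoptions.txt"
    echo "$d"
}

# Usage: sh audit.sh <thirdparty_dir> <path_to_jvmoptions.txt>
if [ "$#" -eq 2 ]; then audit_bcfips "$1" "$2"; fi
```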