Vulnerability in CAPKI 5.2.16 and older on Siteminder Web Agents

Article ID: 427887


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

A security scan may return a flag for the following files on a Siteminder r12.52 SP01 CR11 Web Agent installation:

LINUX

/<Install_Dir>/CA/webagent/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/webagent/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so

WINDOWS

<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.so
<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.so

CAPKI (previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides the CA development community with the features required to implement information security services in its products. CAPKI is a wrapper around OpenSSL, a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Web Agent

VERSION: r12.52 SP1 cr11 and older; r12.8

OPERATING SYSTEM:  Windows and Linux

Cause

CAPKI (previously known as ETPKI) is a wrapper around OpenSSL. The Siteminder Web Agents ship with the following versions of CAPKI 5:

Siteminder Web Agent r12.52 SP01 cr11: CAPKI 5.1.0-00

Siteminder r12.8 Web Agent: CAPKI 5.2.9-00

KB408321 (archived) delivered CAPKI 5.2.16

CAPKI 5.2.16 and older are compiled with an older version of OpenSSL 1.0.2 for which a number of vulnerabilities (CVEs) have been published.

Resolution

This solution applies to the following Siteminder web agents:

  • r12.52 SP01 cr11 and older
  • r12.8

CAPKI 5.2.17 has been compiled with OpenSSL 1.0.2zm. Upgrade CAPKI to CAPKI 5.2.17 on the Siteminder Web Agent.

LINUX

1) Download "etpki-install_5_2_17_openssl102zm_linux.zip" from this KB.

2) Copy "etpki-install_5_2_17_openssl102zm_linux.zip" to the Linux web server and decompress it.

3) Stop the Web Server

4) Change to the following directory:

/<Install_Dir>/CA/webagent/

5) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_17_openssl102zm_linux.zip" to /<Install_Dir>/CA/webagent/

7) Change to the following directory:

/<Install_Dir>/CA/SharedComponents/

8) (If it exists) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

9) Modify the $CAPKIHOME variable in the environment variable script:

/<Install_Dir>/CA/webagent/ca_wa_env.sh

CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME

10) Run the updated web agent environment variable script.

cd /<Install_Dir>/CA/webagent/

. ./ca_wa_env.sh

11) Change to the following directory:

/<Install_Dir>/CA/webagent/etpki-install/redist/

12) Run the following command:

./setup install caller=wa12

NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory

13) Start the Web Server/Web Agent

14) Validate web agent functionality

15) Delete the following files:

/<Install_Dir>/CA/webagent/CAPKI.BAK

/<Install_Dir>/CA/SharedComponents/CAPKI.BAK
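
An added check for after the Linux procedure above (example code, not part of this KB or of the vendor's tooling): it reports which OpenSSL 1.0.2 build each `libcaopenssl_crypto.so` under a directory contains, so any copy still older than 1.0.2zm, including one left in a `CAPKI.BAK` directory, shows up. It assumes the library embeds OpenSSL's usual `OpenSSL 1.0.2<letters>` version text, which this page does not state; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): report the OpenSSL 1.0.2 build inside every
# CAPKI crypto library under a directory tree, backups included.
# Assumption: the library embeds OpenSSL's usual "OpenSSL 1.0.2<letters>" text.

FIXED_SUFFIX="zm"   # this KB: CAPKI 5.2.17 is compiled with OpenSSL 1.0.2zm

# Print the letter suffix of the first "OpenSSL 1.0.2<letters>" string in file $1.
# Returns 1 when the file holds no such string.
openssl_suffix() {
    hit=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
          LC_ALL=C grep -o 'OpenSSL 1\.0\.2[a-z]*' | head -n 1)
    [ -n "$hit" ] || return 1
    printf '%s\n' "${hit#OpenSSL 1.0.2}"
}

# Succeed when suffix $1 is an older release than suffix $2. The 1.0.2 letters
# run "", a..z, za, zb, ..., so a shorter suffix is older and equal lengths
# compare alphabetically.
suffix_older_than() {
    [ "${#1}" -lt "${#2}" ] && return 0
    [ "${#1}" -gt "${#2}" ] && return 1
    LC_ALL=C expr "x$1" \< "x$2" > /dev/null
}

# Print "<status> <version> <path>" for each libcaopenssl_crypto.so under $1.
# Returns 1 if any copy predates the fixed build or cannot be identified.
audit_capki() {
    find "$1" -type f -name 'libcaopenssl_crypto.so*' | sort | (
        rc=0
        while IFS= read -r lib; do
            if ! sfx=$(openssl_suffix "$lib"); then
                echo "UNKNOWN  -        $lib"; rc=1
            elif suffix_older_than "$sfx" "$FIXED_SUFFIX"; then
                echo "OUTDATED 1.0.2$sfx $lib"; rc=1
            else
                echo "OK       1.0.2$sfx $lib"
            fi
        done
        exit "$rc"
    )
}

# Usage: sh capki_audit.sh /<Install_Dir>/CA
[ "$#" -eq 0 ] || audit_capki "$1"
```

A non-zero exit status means at least one library under the given directory is older than 1.0.2zm or carries no recognisable version text.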

WINDOWS

1) Download "etpki-install_5_2_17_openssl102zm_win64.zip" from this KB.

2) Copy "etpki-install_5_2_17_openssl102zm_win64.zip" to the Windows web server and decompress it.

3) Stop the Web Server

4) Change to the following directory:

<Drive>:\<Install_Dir>\CA\webagent\win64\

5) Back up the '\etpki-install\' directory by renaming it '\etpki-install.BAK\'

ren etpki-install etpki-install.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_17_openssl102zm_win64.zip" to <Drive>:\<Install_Dir>\CA\webagent\win64\

7) Change to the following directory:

<Drive>:\<Install_Dir>\CA\SC\

8) (If it exists) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)

10) Change to the following directory:

<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install\redist\

11) Run the following command:

setup.exe install caller=wa12

NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory

12) Start the Web Server/Web Agent

13) Validate web agent functionality

14) Delete the following files:

<Drive>:\<Install_Dir>\CA\webagent\win64\etpki-install.BAK

<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK

Additional Information

427910 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Access Gateway Server r12.8.8.1 and older"

427908 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Policy Server r12.8.8.1 and older"

427906 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Sharepoint Agent r12.8.x"

427887 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Web Agents"

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zm remediates the following CVEs:

CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

etpki-install_5_2_17_openssl102zm_linux.zip
etpki-install_5_2_17_openssl102zm_win64.zip