Vulnerability in CAPKI 5.2.16 and older on Siteminder Policy Server r12.8.8.1 and older
Article ID: 427908
Updated On:
Products
Issue/Introduction
A security scan may return a flag for the following files on the Siteminder r12.8.81 or older Policy Server:
LINUX:
/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so
WINDOWS:
<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.so
<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.so
CAPKI (Previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides CA Development Community with features required to implement Information Security services in its products. CAPKI is a wrapper on OpenSSL which is robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
NOTE: Siteminder r12.9 Policy Server uses CAPKI 6.
.
Environment
PRODUCT: Symantec Siteminder
COMPONENT: Policy Server
VERSION: r12.8.8.1 and Older
OPERATING SYSTEM: Windows and Linux
Cause
CAPKI (Previously known as ETPKI) is a wrapper on OpenSSL. The Siteminder Policy Server r12.8.8.1 is shipped with CAPKI 5.2.14.0. Siteminder r12.8.7 and r12.8.8 are compiled with older versions of CAPKI built on older versions of OpenSSL 1.0.2. OpenSSL 1.0.2ZL and older have a number of Common Vulnerabilities and Exposures (CVE's) published for them which are remediated in OpenSSL 1.0.2ZM.
Resolution
This solution applies to the following Siteminder Policy Server versions:
- r12.8.8.1 and older
CAPKI 5.2.17 has been compiled with OpenSSL 1.0.2ZM. Upgrade CAPKI to CAPKI 5.2.17 on the r12.8.8.1 and older Siteminder Policy Server.
LINUX
1) Download "etpki-install_5_2_17_openssl102zm_linux.zip" from this KB.
2) Copy "etpki-install_5_2_17_openssl102zm_linux.zip" to the Siteminder Policy Server on Linux and decompress it.
3) Stop the Policy Server
4) Change to the following directory:
/<Install_Dir>/CA/siteminder/
5) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_5_2_17_openssl102zm_linux.zip" to /<Install_Dir>/CA/siteminder/
7) Change to the following directory*:
/<Install_Dir>/CA/SharedComponents/
* This directory may not exist in your system
8) (If Exists) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
9) Modify the $CAPKIHOME variable in the environment variable script:
/<Install_Dir>/CA/siteminder/ca_ps_env.ksh
CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME
10) Run the updated Access Gateway Environment variable script.
cd /<Install_Dir>/CA/siteminder/
. ./ca_ps_env.ksh
11) Change to the following directory:
/<Install_Dir>/CA/siteminder/etpki-install/redist/
12) Ensure the user has execute permissions on the installation media (setup)
13) Run the following command:
./setup install caller=ps12
NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory
14) Start the Policy Server
15) Validate Policy Server functionality
16) Delete the following files:
/<Install_Dir>/CA/siteminder/CAPKI.BAK
(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK
WINDOWS
1) Download "etpki-install_5_2_17_openssl102zm_win64.zip" from this KB.
2) Copy "etpki-install_5_2_17_openssl102zm_win64.zip" to the Policy Server on Windows and decompress it.
3) Stop the Policy Server
4) Change to the following directory:
<Drive>:\<Install_Dir>\CA\siteminder\
5) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_5_2_17_openssl102zm_win64.zip" to <Drive>:\<Install_Dir>\siteminder\
7) Change to the following directory*:
<Drive>:\<Install_Dir>\CA\SC\
* This directory may not exist in your system
8) (If Exists) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)
10) Change to the following directory:
<Drive>:\<Install_Dir>\CA\siteminder\etpki-install\redist\
11) Run the following command:
setup.exe install caller=ps12
NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory
12) Start the Policy Server
13) Validate Policy Server functionality
14) Delete the following files:
<Drive>:\<Install_Dir>\CA\siteminder\CAPKI.BAK
<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK
Additional Information
427908 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Policy Server r12.8.8.1 and older"
427906 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Sharepoint Agent r12.8.x"
427887 "Vulnerability in CAPKI 5.2.16 and older on Siteminder Web Agents"
OpenSSL 1.0.2zm remediates the following CVE's:
CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559
Attachments
Feedback
