CVE-2025-15467: OpenSSL Vulnerability Leads to Denial-of-Service, Remote Code Execution
Directory releases 14.1 SP6 and 14.1 SP7
The CAPKI component within Directory contains a known security vulnerability identified as CVE-2025-15467. The issue is a stack buffer overflow in OpenSSL's parsing of CMS AuthEnvelopedData; Directory ships the affected OpenSSL binary as part of CAPKI.
Resolution
- The Broadcom Directory DEV team has published patches that remediate the vulnerability for Directory releases 14.1 SP6 and 14.1 SP7.
- Each patch contains the binaries to be deployed and a README.txt file with the deployment steps.
- The patches, by version, are enclosed.
If you have any questions or require assistance, please contact Customer Support at +1-800-225-5224 in North America or see https://support.broadcom.com/contact-support.html for the local number in your country.
Thank you for your continued partnership.
Sincerely,
Symantec Directory Team
No other Directory versions are impacted.
The Directory Manager is a web application that stores the configuration information. The dxagent component, which includes the OpenSSL binary to be replaced, is installed individually on each server to allow the Directory Manager to manage the DSAs on that server. The patch therefore has to be applied on every server that runs a dxagent, not only on the Directory Manager host.
Known Issue: Replication Failure Post-Patch/SP6/SP7 (Public CAs)
Some clients running Directory releases 14.1 SP6 and 14.1 SP7 may experience replication failures if they are using certificates signed by a public Certificate Authority (CA).
- Root Cause: The issue stems from the industry-wide discontinuation of support for a single certificate being used for both client and server authentication. DSA-to-DSA replication over TLS is mutually authenticated, so each DSA presents the same certificate as a server to its peers and as a client when it connects to them. This change is mandated by the Chrome Root Program Policy version 1.8 (Section 1.3.2), which promotes the use of Dedicated TLS Server Authentication PKI Hierarchies and phases out multi-purpose roots from the Chrome Root Store. Certificates issued under such a hierarchy carry only the serverAuth Extended Key Usage (EKU) and no longer include clientAuth, so the peer rejects them when they are presented as a client certificate. Any client using certificates signed by a public CA that follows this policy will encounter the same issue.
- Workarounds for Replication: To ensure replication works, clients must apply one of the following workarounds:
1. Use a non-public (private) CA that does not adhere to the Chrome Root Program Policy and can issue the DSA certificates with both the serverAuth and clientAuth Extended Key Usage.
2. Disable the link-flags for SSL/TLS. Note that this sends replication traffic between DSAs unencrypted and without certificate authentication, so it is only acceptable on a network segment you already trust, and it should be reverted once a suitable certificate is available.
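Before replacing a replication certificate, a practitioner will want to know whether the new certificate can still serve both sides of the mutual TLS handshake. The following POSIX shell script is an added example and is not part of the Broadcom advisory or the Directory product. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) is on the PATH, inspects the Extended Key Usage of a PEM certificate, and classifies it as usable or not; the `make_test_cert` helper generates constructed self-signed certificates so the check can be exercised offline. The function and file names are illustrative, not Directory's own.

```shell
#!/bin/sh
# Added example (not from the Broadcom advisory or the Directory product):
# classify a PEM certificate's Extended Key Usage to predict whether it can
# serve both sides of the mutual TLS handshake used for DSA replication.
# Assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH.

# eku_classify CERT.pem
# Prints one word and returns 0 when the certificate is usable for both
# client and server authentication, 1 otherwise (2 if the file is unreadable):
#   unrestricted  no EKU extension at all (RFC 5280: any purpose allowed)
#   both          serverAuth and clientAuth present
#   server-only   serverAuth only, as a dedicated TLS server hierarchy issues
#   client-only   clientAuth only
#   other         EKU present but neither purpose listed
eku_classify() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo unrestricted
        return 0
    fi
    # openssl prints the purposes on the line after the extension header
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$eku" in
        *"Server Authentication"*"Client Authentication"*|*"Client Authentication"*"Server Authentication"*)
            echo both
            return 0 ;;
        *"Server Authentication"*)
            echo server-only
            return 1 ;;
        *"Client Authentication"*)
            echo client-only
            return 1 ;;
        *)
            echo other
            return 1 ;;
    esac
}

# make_test_cert OUT.pem [EKU-list]
# Constructed, self-signed test certificate (RSA-2048, valid one day). The
# optional second argument is an openssl EKU list such as "serverAuth,clientAuth";
# when it is omitted the certificate gets no EKU extension at all.
make_test_cert() {
    if [ -n "$2" ]; then
        set -- "$1" -addext "extendedKeyUsage=$2"
    else
        set -- "$1"
    fi
    out=$1
    shift
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=dsa-test" -days 1 "$@" >/dev/null 2>&1
}

# Usage: sh check_replication_cert.sh dsa1.pem dsa2.pem ...
# Each certificate is printed with its classification; anything other than
# "both" or "unrestricted" will fail on the client side of replication.
for cert in "$@"; do
    printf '%s: ' "$cert"
    eku_classify "$cert" || :
done
```

Run it against the certificate each DSA presents for replication; a result of `server-only` is exactly the case the Known Issue describes, and such a certificate should be reissued from a private CA with both purposes before the link-flags are left enabled.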
Note to IGA Customers
The upcoming IGA 15.0.0 fix pack 5 will bundle this patch for the managed user store. If you are using Symantec Directory as an external user store, follow the resolution above.
IGA 14.5.1 VApp includes Directory 14.1 SP5 and hence no action is needed.