OpenSSL 3.5.5 and older Vulnerabilities on Siteminder Access Gateway r12.9

Article ID: 438079


Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

Siteminder Access Gateway r12.9 ships with OpenSSL 3.4.0. A number of vulnerabilities have been reported in OpenSSL 3.5.5 and older.

This KB delivers OpenSSL 3.5.6 for Siteminder Access Gateway r12.9.

NOTE: Siteminder Access Gateway r12.8.8.1 and older are bundled with OpenSSL 1.0.2.  This KB is not applicable to Access Gateway r12.8.8.1 and older.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway 

VERSION: r12.9 (ONLY)

Cause

CVE-2026-28387 "Potential Use-after-free in DANE Client Code"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-28388 "NULL Pointer Dereference When Processing a Delta CRL"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-28389 "Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-28390 "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-31789 "Heap Buffer Overflow in Hexadecimal Conversion"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-31790 "Incorrect Failure Handling in RSA KEM RSASVE Encapsulation"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

CVE-2026-2673 "OpenSSL TLS 1.3 server may choose unexpected key agreement group"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.5
Remediated: 3.5.6

-----------------------------------

 

 

Resolution

Upgrade OpenSSL on the Siteminder Access Gateway Server to OpenSSL 3.5.6 using this KB.

Verifying the OpenSSL version on Siteminder Access Gateway

 

###### UPGRADE INSTRUCTIONS ######

LINUX

NOTE: OpenSSL 3.x for Access Gateway on LINUX applies to Access Gateway 12.9 and higher

1) Copy "OpenSSL356_linux_129GA.zip" to the Access Gateway Server

2) Unzip "OpenSSL356_linux_129GA.zip"

EXAMPLE: unzip OpenSSL356_linux_129GA.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/OpenSSL356_linux_129GA/OpenSSL356_linux/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

c_rehash
openssl

EXAMPLE: cp -r /OpenSSL356_linux_129GA/OpenSSL356_linux/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.a
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.3
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.a
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.3

 

9) Copy the contents of the '/OpenSSL356_linux_129GA/OpenSSL356_linux/lib' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.a
libcrypto.so
libcrypto.so.3
libssl.a
libssl.so
libssl.so.3

EXAMPLE: cp -r /OpenSSL356_linux_129GA/OpenSSL356_linux/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
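
Steps 5 to 10 of the LINUX procedure written as shell functions, plus a post-upgrade check that both the `openssl` binary and the library it loads report 3.5.6. This is an added example, not vendor tooling; the function names, manifest file and backup directory are assumptions, and GNU `stat`/`cp` are required.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): steps 5-10 of the LINUX procedure as functions.
# All function and variable names are illustrative. Requires GNU stat and cp.
set -eu

# Step 5: record "mode uid:gid path" for every file under bin/ and lib/.
save_perms() {        # save_perms <ssl_dir> <manifest>
    find "$1/bin" "$1/lib" -type f -exec stat -c '%a %u:%g %n' {} + > "$2"
}

# Steps 6 and 8: back up bin/ and lib/ with mode, owner and timestamps intact.
backup_ssl() {        # backup_ssl <ssl_dir> <backup_dir>
    mkdir -p "$2"
    cp -a "$1/bin" "$1/lib" "$2/"
}

# Steps 7 and 9: copy the kit's bin/ and lib/ contents over the installed ones.
install_kit() {       # install_kit <kit_dir> <ssl_dir>
    cp -r "$1/bin/." "$2/bin/"
    cp -r "$1/lib/." "$2/lib/"
}

# Step 10: re-apply the recorded owner and mode to each file that still exists.
restore_perms() {     # restore_perms <manifest>
    while read -r mode owner path; do
        [ -e "$path" ] || continue
        chown "$owner" "$path"   # owner first: chown can clear setuid/setgid bits
        chmod "$mode" "$path"
    done < "$1"
}

# Post-check: 'openssl version' prints the binary's version and, in parentheses,
# the version of the libcrypto it actually loaded. Both must be 3.5.6; a mismatch
# means bin/ was replaced but an old lib/ is still being picked up.
is_fixed_banner() {   # is_fixed_banner "$("$SSL_DIR/bin/openssl" version)"
    case "$1" in
        'OpenSSL 3.5.6 '*'(Library: OpenSSL 3.5.6 '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage, with the Access Gateway stopped (step 3); paths other than the KB's are assumed:
#   SSL_DIR='<InstallDir>/CA/secure-proxy/SSL'
#   KIT_DIR=/OpenSSL356_linux_129GA/OpenSSL356_linux
#   save_perms "$SSL_DIR" "$HOME/ssl-perms.txt"; backup_ssl "$SSL_DIR" "$HOME/ssl-backup"
#   install_kit "$KIT_DIR" "$SSL_DIR"; restore_perms "$HOME/ssl-perms.txt"
```

Run `is_fixed_banner` only after re-sourcing `ca_sps_env.sh` (step 11), so the bundled binary resolves the bundled libraries rather than the system ones.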

 

WINDOWS

NOTE: OpenSSL 3.x for Access Gateway on WINDOWS applies to Access Gateway 12.9 and higher

1) Copy "OpenSSL356_Win64_129GA.zip" to the Access Gateway Server

2) Unzip "OpenSSL356_Win64_129GA.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\OpenSSL356_Win64_129GA\OpenSSL356_Win64\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

8) Copy the contents of '\OpenSSL356_Win64_129GA\OpenSSL356_Win64\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

9) Start the Access Gateway server

Additional Information

Vulnerabilities in OpenSSL 3.5.x

Verifying the OpenSSL version on Siteminder Access Gateway

CVEs related to OpenSSL 3.5.3 and older which are remediated with OpenSSL 3.6:

CVE-2026-28387
CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
CVE-2026-31789
CVE-2026-31790
CVE-2026-22795
CVE-2026-22796
CVE-2026-2673
CVE-2025-11187
CVE-2025-15467
CVE-2025-15468
CVE-2025-15469
CVE-2025-66199
CVE-2025-68160
CVE-2025-69418
CVE-2025-69419
CVE-2025-69420
CVE-2025-69421
CVE-2025-9230
CVE-2025-9231
CVE-2025-9232
CVE-2025-4575
CVE-2024-12797
CVE-2024-13176

Attachments

OpenSSL356_linux_129GA.zip
OpenSSL356_Win64_129GA.zip