Vulnerabilities in Apache 2.4.66 and older in Siteminder Access Gateway r12.8.8.1 and Older


Article ID: 441339


Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server.  The following is a list of Apache HTTP Server versions by Siteminder Access Gateway version:

Access Gateway r12.8.7:     Apache HTTP Server 2.4.54
Access Gateway r12.8.8:     Apache HTTP Server 2.4.58
Access Gateway r12.8.8.1:  Apache HTTP Server 2.4.58

KB282288 (archived) delivered Apache 2.4.59
KB373899 (archived) delivered Apache 2.4.62
KB406240 (archived) delivered Apache 2.4.64
KB407938 (archived) delivered Apache 2.4.65
KB423495 (archived) delivered Apache 2.4.66

A number of Common Vulnerabilities and Exposures (CVEs) have been published for Apache HTTP Server 2.4.66 and older.  These CVEs are remediated in Apache HTTP Server 2.4.67.

NOTE: This KB applies to Siteminder Access Gateway r12.8.8.1 and OLDER. 

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway Server

VERSION: r12.8.8.1 and Older (ONLY)

OPERATING SYSTEM: ANY

Cause

The following CVEs have been published for Apache HTTP Server 2.4.66 and older as shipped with Access Gateway:

==============================
CVE-2026-23918 "Apache HTTP Server: http2: double free and possible RCE on early reset"

IMPACT: Important
DESCRIPTION: Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
IMPACTED: Apache HTTP Server 2.4.66.
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr 

IMPACT: moderate
DESCRIPTION: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header() 

IMPACT: low
DESCRIPTION: If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-29168 Apache HTTP Server: mod_md unrestricted OCSP response 

IMPACT: low
DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.
IMPACTED: Apache HTTP Server 2.4.30 through 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-29169 mod_dav_lock indirect lock crash

IMPACT: low
DESCRIPTION: A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33006 mod_auth_digest timing attack 

IMPACT: Moderate
DESCRIPTION: A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33007 multiple modules: HTTP response splitting forwarding malicious status line 

IMPACT: Low
DESCRIPTION: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
IMPACTED: Apache HTTP Server 2.4.0 - 2.4.66
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33523 multiple modules: HTTP response splitting forwarding malicious status line 

IMPACT: Low
DESCRIPTION: HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.
IMPACTED: Apache HTTP Server 2.4.0 - 2.4.66
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33857 Apache HTTP Server: Off-by-one OOB reads in AJP getter functions 

IMPACT: Low
DESCRIPTION: Out-of-bounds Read vulnerability in mod_proxy_ajp of
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-34032 Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) 

IMPACT: Low
DESCRIPTION: Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-34059 Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

IMPACT: low
DESCRIPTION: Buffer Over-read vulnerability in Apache HTTP Server.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMEDIATED: Apache HTTP Server 2.4.67

==============================

Resolution

Upgrade Apache on Siteminder Access Gateway 12.8.8.1 or older to Apache HTTP Server 2.4.67 using this KB.  Apache HTTP Server 2.4.67 for Siteminder Access Gateway 12.8.8.1 or older is attached to this KB.

NOTE: This KB provides Apache HTTP Server 2.4.67 for Access Gateway Servers r12.8.8.1 and older ONLY. This KB is not to be used for Siteminder Access Gateway r12.9.

Both Siteminder Access Gateway r12.8.8.1 and older as well as r12.9 shipped with Apache HTTP Server 2.4.x.  However, the 12.8.8.1 version of Apache HTTP Server is compiled with OpenSSL 1.0.2, while Apache in Siteminder Access Gateway 12.9 is compiled with OpenSSL 3.0.x.  The Apache HTTP Server 2.4.x binaries for r12.8.8.x and r12.9 are not interchangeable.  This KB applies to Siteminder Access Gateway r12.8.8.1 and older ONLY.

How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway


WINDOWS

1. Stop the running Access Gateway Server

2. Using File Explorer, navigate to the Access Gateway installation directory

DEFAULT: C:\Program Files\CA\secure-proxy\

3. Back-up the original '\httpd' directory <httpd_orig>

EXAMPLE: <Install_Dir>\CA\secure-proxy\httpd  -> <Install_Dir>\CA\secure-proxy\httpd_orig

4. Unzip the attached "httpd_2467_1280801_andBelow_win64.zip" and copy the 'httpd' folder to <Install_Dir>\CA\secure-proxy\

5. Copy the '\conf' directory from the original  "<httpd_orig>\conf"  into  <Install_Dir>\CA\secure-proxy\httpd\

6. Copy the 'configssl.bat' file from the original  "<httpd_orig>\bin"  into  <Install_Dir>\CA\secure-proxy\httpd\bin

7. Upgrade to OpenSSL 1.0.2zp as per KB 438073: Vulnerabilities in OpenSSL 1.0.2zo and older on Siteminder Access Gateway 12.8.8.1 and older

8. Start the Access Gateway Server.


LINUX

1. Stop the running Access Gateway Server

2. Navigate to the Access Gateway installation directory 

Default: <Install_Dir>/CA/secure-proxy/

3. Back-up the original '/httpd' directory <httpd_orig>

<Install_Dir>/CA/secure-proxy/httpd/

EXAMPLE: mv <Install_Dir>/CA/secure-proxy/httpd/ <Install_Dir>/CA/secure-proxy/httpd_orig/

4. Unzip the attached 'httpd_2467_1280801_andBelow_linux.zip' file and copy the '/httpd' folder to <Install_Dir>/CA/secure-proxy/

5. Copy the following files from the original  <httpd_orig>  into  <Install_Dir>/CA/secure-proxy/httpd/

cp -r httpd_orig/conf  httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config  httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std  httpd/bin/

6. Upgrade to OpenSSL 1.0.2zp as per KB 438073: Vulnerabilities in OpenSSL 1.0.2zo and older on Siteminder Access Gateway 12.8.8.1 and older

7. Start the Access Gateway Server.
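The Linux steps 3 to 5 above (and their Windows counterparts) as an added shell example; this is not a script shipped with this KB or by Broadcom. It assumes, beyond what the KB states, that the operator has already stopped the Access Gateway server and extracted the attached zip so that the new bundle is a plain directory, and that the bundled httpd binary prints the standard Apache "Server version: Apache/2.4.NN" banner for "httpd -v". The install path, the extracted bundle path and the banner used in the checks are placeholders or constructed values.

```shell
#!/bin/sh
# Added example, not Broadcom's script: performs the KB's Linux steps 3 to 5
# (back up httpd, install the new bundle, carry over conf/ and helper scripts)
# with precondition checks, then verifies the staged version is 2.4.67 or later.
# Assumptions: the Access Gateway is already stopped, the zip is already
# extracted, and the bundled httpd supports the standard "httpd -v" banner.
set -eu

# Helper scripts carried over from the original bin directory (KB step 5).
PRESERVED_BIN_FILES="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# stage_httpd_upgrade <secure-proxy dir> <extracted new httpd dir>
# Moves <secure-proxy dir>/httpd to httpd_orig, installs the new bundle under
# the original name, and restores conf/ plus the preserved bin files.
# Returns non-zero without touching anything if a precondition fails.
stage_httpd_upgrade() {
  sp_dir=$1
  new_httpd=$2
  orig="$sp_dir/httpd"
  backup="$sp_dir/httpd_orig"

  [ -d "$orig" ] || { echo "error: $orig not found" >&2; return 1; }
  [ -d "$orig/conf" ] || { echo "error: $orig/conf not found; nothing to preserve" >&2; return 1; }
  [ ! -e "$backup" ] || { echo "error: $backup already exists; refusing to overwrite an earlier backup" >&2; return 1; }
  [ -d "$new_httpd/bin" ] || { echo "error: $new_httpd does not look like an extracted httpd bundle" >&2; return 1; }

  # Step 3: keep the original directory intact as the rollback point.
  mv "$orig" "$backup"
  # Step 4: put the new bundle in place under the original name.
  cp -R "$new_httpd" "$orig"
  # Step 5: restore the site configuration and the local helper scripts.
  cp -R "$backup/conf" "$orig/"
  for f in $PRESERVED_BIN_FILES; do
    if [ -f "$backup/bin/$f" ]; then
      cp "$backup/bin/$f" "$orig/bin/"
    else
      echo "warning: $backup/bin/$f not present; skipped" >&2
    fi
  done
}

# apache_version_from_banner <first line of "httpd -v">
# Prints the numeric version (e.g. "2.4.67"); prints nothing if unparsable.
apache_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*$/\1/p'
}

# version_is_fixed <version>: succeeds when <version> is 2.4.67 or later.
version_is_fixed() {
  v=$1
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  case $rest in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
  pat=${pat%%[!0-9]*}            # drop any suffix such as "-dev"
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  [ "$maj" -gt 2 ] && return 0
  [ "$maj" -eq 2 ] && [ "$min" -gt 4 ] && return 0
  [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$pat" -ge 67 ] && return 0
  return 1
}

# Usage, after stopping the Access Gateway and extracting the attached zip:
#   sh stage_httpd_upgrade.sh <Install_Dir>/CA/secure-proxy /tmp/extracted/httpd
if [ $# -eq 2 ]; then
  stage_httpd_upgrade "$1" "$2"
  banner=$("$1/httpd/bin/httpd" -v 2>/dev/null | head -n 1 || true)
  ver=$(apache_version_from_banner "$banner")
  if version_is_fixed "$ver"; then
    echo "httpd $ver staged; next upgrade OpenSSL per KB 438073, then start the server"
  else
    echo "warning: staged httpd reports version '${ver:-unknown}', not 2.4.67 or later" >&2
    exit 1
  fi
fi
```

The refusal to overwrite an existing httpd_orig is deliberate: the backup is the only rollback point, and a second run would otherwise replace it with the already-upgraded tree. The version check after staging catches the case where the wrong bundle (for example the r12.9 build, which the KB says is not interchangeable) was extracted.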

Additional Information

How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway

KB 438073: Vulnerabilities in OpenSSL 1.0.2zo and older on Siteminder Access Gateway 12.8.8.1 and older

Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server 2.4.67 remediates the following vulnerabilities:

CVE-2026-23918
CVE-2026-24072
CVE-2026-28780
CVE-2026-29168
CVE-2026-29169
CVE-2026-33006
CVE-2026-33007
CVE-2026-33523
CVE-2026-33857
CVE-2026-34032
CVE-2026-34059
CVE-2025-55753
CVE-2025-58098
CVE-2025-59775
CVE-2025-65082
CVE-2025-66200
CVE-2025-54090
CVE-2024-42516
CVE-2024-43204
CVE-2024-43394
CVE-2024-47252
CVE-2025-23048
CVE-2025-49630
CVE-2024-49812
CVE-2024-40898
CVE-2024-40725
CVE-2023-38709
CVE-2024-36387
CVE-2024-24795
CVE-2024-27316
CVE-2023-31122
CVE-2023-43622
CVE-2023-45802
CVE-2023-25690
CVE-2023-27522
CVE-2006-20001
CVE-2022-36760
CVE-2022-37436
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
CVE-2022-22719
CVE-2022-22720
CVE-2022-22721
CVE-2022-23943
CVE-2021-44224
CVE-2021-44790
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773
CVE-2021-33193
CVE-2021-34798
CVE-2021-36160
CVE-2021-39275
CVE-2021-40438
CVE-2019-17567
CVE-2020-13938
CVE-2020-13950
CVE-2020-35452
CVE-2021-26690
CVE-2021-26691
CVE-2021-30641
CVE-2021-31618
CVE-2020-11984
CVE-2020-11993
CVE-2020-9490

Attachments

httpd_2467_1280801_andBelow_win64.zip
httpd_2467_1280801_andBelow_linux.zip