A number of Common Vulnerabilities and Exposures (CVE's) published for Apache HTTPS Server 2.4.66 and older.  These CVE's are remediated in Apache HTTP Server 2.4.67.

PRODUCT: SiteMinder

COMPONENT: Agent for Sharepoint

VERSION: 12.8.7 & 12.8.8

OPERATING SYSTEM: ANY

The following CVE's have been published for Apache HTTP Server 2.4.66 and older for the Siteminder r12.8.x Agent for Sharepoint:

==============================
CVE-2026-23918 "Apache HTTP Server: http2: double free and possible RCE on early reset"

IMPACT: Important
DESCRIPTION: Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
IMPACTED: Apache HTTP Server 2.4.66.
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr 

IMPACT: moderate
DESCRIPTION: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header() 

IMPACT: low
DESCRIPTION: If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-29168 Apache HTTP Server: mod_md unrestricted OCSP response 

IMPACT: low
DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.
IMPACTED: Apache HTTP Server 2.4.30 through 2.4.65.
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-29169 mod_dav_lock indirect lock crash

IMPACT: low
DESCRIPTION:A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33006 mod_auth_digest timing attack 

IMPACT: Moderate
DESCRIPTION: A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33007 multiple modules: HTTP response splitting forwarding malicious status line 

IMPACT: Low
DESCRIPTION: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
IMPACTED: Apache HTTP Server 2.4.0 - 2.4.66
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33523 multiple modules: HTTP response splitting forwarding malicious status line 

IMPACT: Low
DESCRIPTION: HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.
IMPACTED: Apache HTTP Server 2.4.0 - 2.4.66
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-33857 Apache HTTP Server: Off-by-one OOB reads in AJP getter functions 

IMPACT: Low
DESCRIPTION: Out-of-bounds Read vulnerability in mod_proxy_ajp of
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-34032 Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) 

IMPACT: Low
DESCRIPTION: Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

---------------------------
CVE-2026-34059 Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

IMPACT: low
DESCRIPTION: Buffer Over-read vulnerability in Apache HTTP Server.
IMPACTED: Apache HTTP Server 2.4.66 and older
REMDIATED: Apache HTTP Server 2.4.67

==============================

Upgrade Apache HTTP Server to 2.4.67 on the Siteminder r12.8.x Aent for Sharepoint using this KB.

How to Verify the version of Apache HTTP Server Installed on Siteminder Agent for Sharepoint

WINDOWS

1. Stop the running Sharepoint Agent

2. Using File Explorer, navigate to the Sharepoint Agent installation directory

Default: <Install_Dir>\CA\Agent-for-SharePoint\

3. Back-up the original '\httpd' directory <httpd_orig>

<Install_Dir>\CA\Agent-for-SharePoint\httpd

4. Unzip the attached "httpd_2467_1280801_andBelow_win64.zip" and copy the 'httpd' folder to <Install_Dir>\CA\Agent-for-SharePoint\

5. Copy the the '/conf' directory from the original  "<httpd_orig>\conf"  into  <Install_Dir>\CA\Agent-for-SharePoint\httpd\

6. Copy the the 'configssl.bat' file from the original  "<httpd_orig>\bin"  into  <Install_Dir>\CA\Agent-for-SharePoint\httpd\bin\

8. Upgrade to OpenSSL 1.0.2zp as per KB 438076: Vulnerabilities in OpenSSL 1.0.2zo and Older on Siteminder Sharepoint Agent r12.8.x

9. Start the Sharepoint Agent

LINUX

1. Stop the running Sharepoint Agent

2. Navigate to the Sharepoint Agent installation directory 

Default: <Install_Dir>/CA/Agent-for-SharePoint/

3. Back-up the original '/httpd' directory <httpd_orig>

<Install_Dir>/CA/Agent-for-SharePoint/httpd

4. Unzip the attached 'httpd_2467_1280801_andBelow_linux.zip' file and copy the '/httpd' folder to <Install_Dir>/CA/Agent-for-SharePoint/

5. Copy the following files from the original  <httpd_orig>  into  <Install_Dir>/CA/Agent-for-SharePoint/

cp -r httpd_orig/conf  httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config  httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std  httpd/bin/

6. Upgrade to OpenSSL 1.0.2zp as per KB 438076: Vulnerabilities in OpenSSL 1.0.2zo and Older on Siteminder Sharepoint Agent r12.8.x

7. Start the Sharepoint Agent

KB 406389: How to Verify the version of Apache HTTP Server Installed on Siteminder Agent for Sharepoint

KB 438076: Vulnerabilities in OpenSSL 1.0.2zo and Older on Siteminder Sharepoint Agent r12.8.x

Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server 2.4.67 remediates the following vulnerabilities:

CVE-2026-23918
CVE-2026-24072
CVE-2026-28780
CVE-2026-29168
CVE-2026-29169
CVE-2026-33006
CVE-2026-33007
CVE-2026-33523
CVE-2026-33857
CVE-2026-34032
CVE-2026-34059
CVE-2025-55753
CVE-2025-58098
CVE-2025-59775
CVE-2025-65082
CVE-2025-66200
CVE-2025-54090
CVE-2024-42516
CVE-2024-43204
CVE-2024-43394
CVE-2024-47252
CVE-2025-23048
CVE-2025-49630
CVE-2024-49812
CVE-2024-40898
CVE-2024-40725
CVE-2024-40898
CVE-2023-38709
CVE-2024-36387
CVE-2024-24795
CVE-2024-27316
CVE-2023-31122
CVE-2023-43622
CVE-2023-45802
CVE-2023-25690
CVE-2023-27522
CVE-2006-20001
CVE-2022-36760
CVE-2022-37436
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
CVE-2022-22719
CVE-2022-22720
CVE-2022-22721
CVE-2022-23943
CVE-2021-44224
CVE-2021-44790
CVE-2021-42013
CVE-2021-41524
CVE-2021-41773
CVE-2021-33193
CVE-2021-34798
CVE-2021-36160
CVE-2021-39275
CVE-2021-40438
CVE-2019-17567
CVE-2020-13938
CVE-2020-13950
CVE-2020-35452
CVE-2021-26690
CVE-2021-26691
CVE-2021-30641
CVE-2021-31618
CVE-2020-11984
CVE-2020-11993
CVE-2020-9490