Vulnerabilities with OpenSSL 1.0.2zk and older on Symantec Siteminder Access Gateway r12.8.x have been published.
Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:
r12.8.0: OpenSSL 1.0.2q
r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za
r12.8.7: OpenSSL 1.0.2zf
r12.8.8: OpenSSL 1.0.2zi
r12.8.8.1: OpenSSL 1.0.2zj
KB 274048 delivers OpenSSL 1.0.2zi
KB 280151 delivers OpenSSL 1.0.2zj
PRODUCT: Siteminder
COMPONENT: Access Gateway
OPERATING SYSTEM: ANY
VERSION: 12.8.8.1 and older
The following CVEs have been published since OpenSSL 1.0.2zj:
CVE-2024-13176 "Timing side-channel in ECDSA signature computation"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-9143 "Low-level invalid GF(2^m) parameters lead to OOB memory access"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-5535 "SSL_select_next_proto buffer overread"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zj
Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zl.
Verifying the OpenSSL version on Siteminder Access Gateway
The solution provided is OpenSSL 1.0.2zk with the 1.0.2zl fix compiled into it. The version will appear as [OpenSSL 1.0.2zk-fips-sl-u1 xx XXX xxxx]
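The version string above is the only on-host evidence that the fix is in place, and a naive string compare gets it wrong twice: "1.0.2y" sorts after "1.0.2za", and the delivered build reports "zk" rather than "zl". The following check is an added example, not part of the Broadcom KB; the function names are my own, and the sample version strings are constructed, with the date field left as placeholders the way the KB shows it.

```shell
#!/bin/sh
# Added example, not from the Broadcom KB: decide from the output of
# "<InstallDir>/CA/secure-proxy/SSL/bin/openssl version" whether a host
# already carries the 1.0.2zl fix. Function names are my own.

# OpenSSL 1.0.2 patch levels run a..z and then za..zz. Map a suffix to an
# integer so that "y" < "z" < "za" and "zk" < "zl" compare correctly.
patch_rank() {
    s=$1; letters=abcdefghijklmnopqrstuvwxyz
    case "$s" in
        z[a-z]) c=${s#z}; off=26 ;;
        [a-z])  c=$s;     off=0 ;;
        *)      echo 0;   return 1 ;;
    esac
    rest=${letters%%"$c"*}            # letters before $c, e.g. "abc" for d
    echo $((off + ${#rest} + 1))
}

# Returns 0 when the build is fixed: patch level zl or newer, or the KB's
# "1.0.2zk-fips-sl-u1" build, which is zk with the zl fix compiled in.
ag_openssl_has_zl_fix() {
    ver=${1#"OpenSSL "}; ver=${ver%% *}   # "1.0.2zk-fips-sl-u1"
    base=${ver%%-*}                       # "1.0.2zk"
    tag=${ver#"$base"}                    # "-fips-sl-u1" or empty
    case "$base" in 1.0.2*) ;; *) return 1 ;; esac   # not a 1.0.2 build
    suffix=${base#1.0.2}
    [ -n "$suffix" ] || return 1          # bare 1.0.2, no patch letter
    rank=$(patch_rank "$suffix") || return 1
    [ "$rank" -ge "$(patch_rank zl)" ] && return 0
    if [ "$rank" -eq "$(patch_rank zk)" ]; then
        case "$tag" in *-sl-u1*) return 0 ;; esac
    fi
    return 1
}

# Constructed sample outputs (date field as placeholders, like the KB):
for v in "OpenSSL 1.0.2zj dd Mon yyyy" \
         "OpenSSL 1.0.2zk-fips-sl-u1 dd Mon yyyy" \
         "OpenSSL 1.0.2zl dd Mon yyyy"; do
    if ag_openssl_has_zl_fix "$v"; then echo "fixed   : $v"
    else echo "UPGRADE : $v"; fi
done
```

Run it against the real output of the bundled `openssl version` binary (not the OS one on the PATH) after re-sourcing `ca_sps_env.sh`, since the Access Gateway loads its own copy from `<InstallDir>/CA/secure-proxy/SSL`.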
###### UPGRADE INSTRUCTIONS ######
---------------------------------------------------
OpenSSL 1.0.2zl on Linux Installation Instructions
---------------------------------------------------
1) Copy "openssl-1.0.2zk-sl-u1-linux-x86_64.zip" to the Access Gateway Server
2) Unzip "openssl-1.0.2zk-sl-u1-linux-x86_64.zip"
3) Stop the Access Gateway Server.
4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.
5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.
6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl
7) Copy the contents of the '/openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/bin/' folder to the '<InstallDir>/CA/secure-proxy/SSL/bin/' directory.
CONTENTS:
openssl
EXAMPLE: cp -r /openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/
8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0
9) Copy the contents of the '/openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/lib/' folder to the '<InstallDir>/CA/secure-proxy/SSL/lib/' directory.
CONTENTS:
libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0
EXAMPLE: cp -r /openssl-1.0.2zk-sl-u1-linux-x86_64/SSL/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/
10) Re-set the permissions on the copied files.
11) Re-source the environment variables:
. ./ca_sps_env.sh
12) Re-start the Access Gateway.
./proxy-engine/sps-ctl start
---------------------------------------------------
OpenSSL 1.0.2zl Windows Installation Instructions
---------------------------------------------------
NOTE: OpenSSL 1.0.2zl for Access Gateway on WINDOWS applies to Access Gateway 12.8.6 and higher.
1) Copy "openssl-1.0.2zk-sl-u1-win64.zip" to the Access Gateway Server
2) Unzip "openssl-1.0.2zk-sl-u1-win64.zip"
3) Stop the Access Gateway server
4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway
Default: <Install_Dir> = C:\Program Files\
5) Back up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll
6) Copy the contents of '\openssl-1.0.2zk-sl-u1-win64\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
7) Back up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:
<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll
8) Copy the contents of '\openssl-1.0.2zk-sl-u1-win64\SSL\bin\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.
CONTENTS:
openssl.exe
libeay32.dll
ssleay32.dll
9) Start the Access Gateway server
OpenSSL 1.0.2zl remediates the following CVEs:
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559