OpenSSL 3.5.3 and older Vulnerabilities on Siteminder Access Gateway r12.9

Article ID: 418405


Products

SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign-On

Issue/Introduction

Siteminder Access Gateway r12.9 ships with OpenSSL 3.4.0. A number of vulnerabilities have been reported in OpenSSL 3.5.3 and older.

This KB delivers OpenSSL 3.5.4 for Siteminder Access Gateway r12.9.

NOTE: Siteminder Access Gateway r12.8.8.1 and Older are bundled with OpenSSL 1.0.2.  This KB is not applicable to Access Gateway r12.8.8.1 and older.

For OpenSSL fixes for Siteminder Access Gateway r12.8.8.1 and older use the following KB:

Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway 

VERSION: r12.9 (ONLY)

Cause

CVE-2025-9230 "Out-of-bounds read & write in RFC 3211 KEK Unwrap"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

-----------------------------------
CVE-2025-9231 "Timing side-channel in SM2 algorithm on 64 bit ARM"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

-----------------------------------
CVE-2025-9232 "Out-of-bounds read in HTTP client no_proxy handling"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

Resolution

Upgrade OpenSSL on the Siteminder Access Gateway server to OpenSSL 3.5.4 using this KB.

Verifying the OpenSSL version on Siteminder Access Gateway

NOTES:

1) OpenSSL 3.x is only applicable to Siteminder Access Gateway r12.9.  For Access Gateway r12.8.8.1 and older use the following KB:

Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x

2) Upgrade Apache to 2.4.65 on Siteminder Access Gateway r12.9 at the same time this KB is applied. Use KB 407918:

KB407918: Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

 

###### UPGRADE INSTRUCTIONS ######

LINUX

NOTE: OpenSSL 3.x for Access Gateway on LINUX applies to Access Gateway 12.9 and higher

1) Copy "openssl_3.5.4_Linux.zip" to the Access Gateway Server

2) Unzip "openssl_3.5.4_Linux.zip"

unzip openssl_3.5.4_Linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl_3.5.4_Linux/openssl3.6_linux/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

c_rehash
openssl

EXAMPLE: cp -r /openssl_3.5.4_Linux/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.a
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.3
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.a
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.3

 

9) Copy the contents of the '/openssl_3.5.4_Linux/lib' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.a
libcrypto.so
libcrypto.so.3
libssl.a
libssl.so
libssl.so.3

EXAMPLE: cp -r /openssl_3.5.4_Linux/lib/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
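
The Linux steps above, scripted as an added example (not code from this KB or from the vendor): it snapshots permissions, backs up and replaces `bin` or `lib`, reports permission drift, and checks that both the binary and the loaded library report 3.5.4 or higher. The function names, the backup directory argument and the `.perms` snapshot file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. POSIX sh; run with the Access Gateway stopped.

# version_ge A B: true when dotted version A >= B (letter suffixes ignored).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}; y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# version_output_patched TEXT: TEXT is what `openssl version` printed. OpenSSL 3.x
# reports the binary's version and, in "(Library: ...)", the loaded library's;
# both must be >= 3.5.4, so a new bin/ paired with a stale lib/ is caught.
version_output_patched() {
    bin_ver=$(printf '%s\n' "$1" | awk '{print $2}')
    lib_ver=$(printf '%s\n' "$1" | sed -n 's/.*(Library: OpenSSL \([^ ]*\).*/\1/p')
    version_ge "$bin_ver" 3.5.4 && version_ge "$lib_ver" 3.5.4
}

# perm_snapshot DIR: one "mode uid gid name" line per entry (step 5).
perm_snapshot() {
    LC_ALL=C ls -ln "$1" | awk 'NF >= 9 {print $1, $3, $4, $9}'
}

# swap_dir SSL_ROOT NEW_ROOT BACKUP SUB: steps 6-9 for SUB = bin or lib.
# Refuses to reuse an existing backup so a re-run cannot overwrite the originals.
swap_dir() {
    [ ! -e "$3/$4" ] || return 1
    mkdir -p "$3" || return 1
    perm_snapshot "$1/$4" > "$3/$4.perms" || return 1
    cp -pR "$1/$4" "$3/$4" || return 1
    cp -R "$2/$4/." "$1/$4/"
}

# perm_drift SSL_ROOT BACKUP SUB: print entries that are new or whose mode or
# owner no longer matches the snapshot; these are the ones step 10 must re-set.
perm_drift() {
    perm_snapshot "$1/$3" | while read -r line; do
        grep -qxF -- "$line" "$2/$3.perms" || printf '%s\n' "$line"
    done
}
```

After re-sourcing the environment in step 11, feed the bundled binary's own output to the check, for example `version_output_patched "$(<InstallDir>/CA/secure-proxy/SSL/bin/openssl version)"`.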

 

WINDOWS

NOTE: OpenSSL 3.x for Access Gateway on WINDOWS applies to Access Gateway 12.9 and higher

1) Copy "openssl_3.5.4_win64.zip" to the Access Gateway Server

2) Unzip "openssl_3.5.4_win64.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl_3.5.4_win64\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

8) Copy the contents of '\openssl_3.5.4_win64\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

9) Start the Access Gateway server

Additional Information

OpenSSL Vulnerabilities 3.5.x

Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x

Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

Vulnerabilities in Tomcat 9.0.110 and Older on Siteminder Access Gateway

CVEs related to OpenSSL 3.5.3 and older which are remediated with OpenSSL 3.6:

CVE-2025-9230
CVE-2025-9231
CVE-2025-9232
CVE-2025-4575
CVE-2024-12797
CVE-2024-13176

Attachments

openssl_3.5.4_Linux.zip
openssl_3.5.4_win64.zip