Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x
search cancel

Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x

book

Article ID: 420181

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

Vulnerabilities with OpenSSL 1.0.2zl and older on Symantec Siteminder Access Gateway r12.8.x have been published.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x

r12.8.0:     OpenSSL 1.0.2q
r12.8.1:     OpenSSL 1.0.2q
r12.8.2:     OpenSSL 1.0.2q
r12.8.3:     OpenSSL 1.0.2r
r12.8.4:     OpenSSL 1.0.2u
r12.8.5:     OpenSSL 1.0.2x
r12.8.6:     OpenSSL 1.0.2za
r12.8.6a:   OpenSSL 1.0.2za
r12.8.7:     OpenSSL 1.0.2zf
r12.8.8:     OpenSSL 1.0.2zi
r12.8.8.1:  OpenSSL 1.0.2zj

KB  274048 (archived) delivers OpenSSL 1.0.2zi
KB  280151 (archived) delivers OpenSSL 1.0.2zj
KB  385668 (archived) delivers OpenSSL 1.0.2ZL

 

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway 

OPERATING SYSTEM: ANY

VERSION: 12.8.8.1 and older

Cause

CVE-2025-9230 "Out-of-bounds read & write in RFC 3211 KEK Unwrap"

Severity : Moderate
Reported version : OpenSSL 1.0.2 - 1.0.2ZL
Fixed version    : 1.0.2zm

Resolution

Upgrade OpenSSL on Siteminder Access Gateway servers to OpenSSL 1.0.2zm.  

Verifying the OpenSSL version on Siteminder Access Gateway

 

###### UPGRADE INSTRUCTIONS ######


OpenSSL 1.0.2zm on Linux Installation Instructions

NOTE: OpenSSL 1.0.2zm for Access Gateway on WINDOWS applies to Access Gateway 12.8.8.1 and older

1) Copy "Openssl102zm_1280801GA_and_Below_linux.zip" to the Access Gateway Server

2) Unzip "Openssl102zm_1280801GA_and_Below_linux.zip"

Unzip Openssl102zm_1280801GA_and_Below_linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/Openssl102zm_1280801GA_and_Below_linux/bin/' folder to the '/<Intall_Dir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS: openssl

EXAMPLE: cp -r /Openssl102zm_1280801GA_and_Below_linux/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/Openssl102zm_1280801GA_and_Below_linux/lib/' folder to the '/<Intall_Dir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /Openssl102zm_1280801GA_and_Below_linux/SSL/lib/* ./<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables;

. ./ca_sps_env.sh

13) Re-start the Access Gateway.

./proxy-engine/sps-ctl start

 

OpenSSL 1.0.2zm Windows Installation Instructions

NOTE: OpenSSL 1.0.2zm for Access Gateway on WINDOWS applies to Access Gateway 12.8.8.1 and older

1) Copy "Openssl102zm_1280801GA_and_Below_win64.zip" to the Access Gateway Server

2) Unzip "Openssl102zm_1280801GA_and_Below_win64.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\Openssl102zm_1280801GA_and_Below_win64.zip\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\Openssl102zm_1280801GA_and_Below_win64.zip\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

Additional Information

Verifying the OpenSSL version on Siteminder Access Gateway

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zm remediates the following CVE's:

CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

Openssl102zm_1280801GA_and_Below_linux.zip get_app
Openssl102zm_1280801GA_and_Below_win64.zip get_app
Powered by Wolken Software