Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server. The following is a list of Apache HTTP Server versions by Siteminder Access Gateway version:
Access Gateway r12.9: Apache HTTP Server 2.4.63
KB407918 (archived) delivered Apache HTTP Server 2.4.65
NOTE: Siteminder Access Gateway r12.8.8.1 and older shipped with Apache HTTP Server 2.4.x as well, however that version of Apache HTTP Server is compiled with OpenSSL 1.0.2, while Apache in Siteminder Access Gateway 12.9 is compiled with OpenSSL 3.0.x. The Apache HTTP Server binaries for r12.8.8.x and r12.9 are not interchangeable. This KB applies to Siteminder Access Gateway r12.9 ONLY.
For Siteminder Access Gateway r12.8.8.1 and older see KB:
KB407938: Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.8.8.1 and Older
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway Server
VERSION: r12.9 (only)
OPERATING SYSTEM: ANY
The following CVEs have been published for Apache HTTP Server 2.4.65 and older as shipped with Access Gateway:
==============================
CVE-2025-55753: mod_md (ACME), unintended retry intervals
IMPACT: low
DESCRIPTION: An integer overflow in the handling of failed ACME certificate renewals causes the backoff timer to become 0 after a number of failures (about 30 days in default configurations). Renewal attempts are then repeated without any delay until one succeeds.
IMPACTED: Apache HTTP Server 2.4.30 before 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-58098: Server Side Includes adds query string to #exec cmd=...
IMPACT: moderate
DESCRIPTION: Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
IMPACTED: Apache HTTP Server 2.4.65 and older
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-59775: NTLM Leakage on Windows through UNC SSRF
IMPACT: moderate
DESCRIPTION: Server-Side Request Forgery (SSRF) vulnerability on Windows. With AllowEncodedSlashes On and MergeSlashes Off, malicious requests or content can cause the server to leak NTLM hashes to an attacker-controlled server via SSRF.
IMPACTED: Apache HTTP Server 2.4.65 and older
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-65082: CGI environment variable override
IMPACT: low
DESCRIPTION: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
IMPACTED: Apache HTTP Server 2.4.0 through 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-66200: mod_userdir+suexec bypass via AllowOverride FileInfo
IMPACT: moderate
DESCRIPTION: mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users who are allowed to use the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected user ID.
IMPACTED: Apache HTTP Server 2.4.7 through 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
==============================
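Several of the CVEs above only apply when a particular directive or module is in play (mod_md, SSI together with mod_cgid, AllowEncodedSlashes On with MergeSlashes Off, AllowOverride FileInfo). The following shell script is an added example, not part of this KB or the Siteminder product, that scans an httpd.conf for exactly those preconditions so the exposure of a gateway can be prioritised until 2.4.66 is rolled out. The sample configuration it writes is constructed for illustration; the path under /opt is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the KB: report which of the listed CVEs' stated
# preconditions an Access Gateway httpd.conf meets, so the exposure window before
# the 2.4.66 rollout can be prioritised. Only the conditions quoted in the KB are
# checked; the sample configuration written below is constructed for illustration.

# True (status 0) when an uncommented line starts with the given extended regex.
# Apache directives are case-insensitive, hence -i.
has_directive() {  # $1 = config file, $2 = extended regex
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# Print one line per CVE whose precondition(s) are present in config file $1.
audit_httpd_conf() {
    conf="$1"
    # CVE-2025-55753 concerns mod_md (ACME renewal), so it only matters if loaded.
    if has_directive "$conf" 'LoadModule[[:space:]]+md_module'; then
        echo "CVE-2025-55753: mod_md loaded"
    fi
    # CVE-2025-58098 needs SSI (Options ... Includes, not IncludesNOEXEC) plus mod_cgid.
    if has_directive "$conf" 'Options[[:space:]].*\+?Includes([[:space:]]|$)' \
       && has_directive "$conf" 'LoadModule[[:space:]]+cgid_module'; then
        echo "CVE-2025-58098: SSI enabled with mod_cgid"
    fi
    # CVE-2025-59775 (Windows only) needs AllowEncodedSlashes On and MergeSlashes Off.
    if has_directive "$conf" 'AllowEncodedSlashes[[:space:]]+On' \
       && has_directive "$conf" 'MergeSlashes[[:space:]]+Off'; then
        echo "CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off"
    fi
    # CVE-2025-66200 needs .htaccess users who may use RequestHeader, i.e.
    # AllowOverride FileInfo (AllowOverride All includes FileInfo).
    if has_directive "$conf" 'AllowOverride[[:space:]].*(FileInfo|All)([[:space:]]|$)'; then
        echo "CVE-2025-66200: AllowOverride FileInfo"
    fi
    return 0
}

# Write a constructed sample configuration (not from a real gateway) and print its path.
write_sample_conf() {
    f="${TMPDIR:-/tmp}/httpd_sample_$$.conf"
    cat > "$f" <<'EOF'
LoadModule cgid_module modules/mod_cgid.so
#LoadModule md_module modules/mod_md.so
AllowEncodedSlashes On
MergeSlashes Off
<Directory "/opt/CA_placeholder/CA/secure-proxy/httpd/htdocs">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
</Directory>
EOF
    echo "$f"
}

conf=$(write_sample_conf)
audit_httpd_conf "$conf"   # sample hits CVE-2025-58098 and CVE-2025-59775 only
rm -f "$conf"
```

Point `audit_httpd_conf` at `<Install_Dir>/CA/secure-proxy/httpd/conf/httpd.conf` (and any files it includes) to run it against a real gateway. It only reports the preconditions stated in the CVE descriptions; a clean report does not replace the upgrade to 2.4.66.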
NOTE: This KB provides Apache HTTP Server 2.4.66 for Access Gateway Servers r12.9 ONLY. This KB is not to be used for Siteminder Access Gateway r12.8.8.1 or older.
How to Install Apache HTTP Server 2.4.66 on Siteminder Access Gateway r12.9
WINDOWS
1. Stop the running Access Gateway Server
2. Using File Explorer, navigate to the Access Gateway installation directory
Default: <Install_Dir>\CA\secure-proxy\
3. Back up the original '\httpd' directory <httpd_orig>
<Install_Dir>\CA\secure-proxy\httpd
4. Unzip the attached "httpd_2466_129_win64.zip" and copy the 'httpd' folder to <Install_Dir>\CA\secure-proxy\
5. Copy the '\conf' directory from the original "<httpd_orig>\conf" into <Install_Dir>\CA\secure-proxy\httpd\
6. Copy the 'configssl.bat' file from the original "<httpd_orig>\bin" into <Install_Dir>\CA\secure-proxy\httpd\bin
7. Upgrade to OpenSSL 3.5.4 as per KB418405: OpenSSL 3.5.3 and older Vulnerabilities on Siteminder Access Gateway r12.9
8. Start the Access Gateway Server.
LINUX
1. Stop the running Access Gateway Server
2. Navigate to the Access Gateway installation directory
Default: <Install_Dir>/CA/secure-proxy/
3. Back up the original '/httpd' directory <httpd_orig>
<Install_Dir>/CA/secure-proxy/httpd
EXAMPLE: cp -R <Install_Dir>/CA/secure-proxy/httpd/ <Install_Dir>/CA/secure-proxy/httpd_orig/
4. Unzip the attached 'httpd_2466_129_Linux.zip' file and copy the '/httpd' folder to <Install_Dir>/CA/secure-proxy/
5. Copy the following files from the original <httpd_orig> into <Install_Dir>/CA/secure-proxy/httpd/ (commands run from <Install_Dir>/CA/secure-proxy/):
cp -r httpd_orig/conf httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std httpd/bin/
6. Upgrade to OpenSSL 3.5.4 as per KB418405: OpenSSL 3.5.3 and older Vulnerabilities on Siteminder Access Gateway r12.9
7. Start the Access Gateway Server.
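After the replacement it is worth confirming which Apache HTTP Server version the gateway actually runs. The shell script below is an added example, not part of this KB or the Siteminder product: it reads the version from `httpd -v` under the Linux layout described above and compares it numerically against the remediated 2.4.66. INSTALL_DIR is a placeholder for <Install_Dir>; the version-output sample in the comments is constructed.

```shell
#!/bin/sh
# Added example (not part of the KB): confirm which Apache HTTP Server version an
# Access Gateway r12.9 installation on Linux is running and whether it is at least
# the remediated 2.4.66. INSTALL_DIR is a placeholder for <Install_Dir> from the KB.
INSTALL_DIR="${INSTALL_DIR:-/opt/CA_placeholder}"
HTTPD_BIN="$INSTALL_DIR/CA/secure-proxy/httpd/bin/httpd"
FIXED_VERSION="2.4.66"

# Pull "2.4.66" out of `httpd -v` output, whose first line looks like
# "Server version: Apache/2.4.66 (Unix)" (constructed sample). Reads from stdin.
parse_httpd_version() {
    sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Dotted-version comparison: succeeds (status 0) when $1 >= $2.
# Sorting both numerically per field and checking that $2 is the smallest
# avoids the lexicographic trap where "2.4.9" would sort above "2.4.66".
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Classify a version string against the remediated release.
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# Query the installed binary; returns 2 when the gateway layout is not present.
check_installed_httpd() {
    if [ ! -x "$HTTPD_BIN" ]; then
        echo "httpd not found at $HTTPD_BIN (set INSTALL_DIR)" >&2
        return 2
    fi
    v=$("$HTTPD_BIN" -v | parse_httpd_version)
    echo "Installed Apache HTTP Server $v: $(classify_version "$v")"
}

check_installed_httpd || :   # non-fatal when run on a host without the gateway
```

Run it as `INSTALL_DIR=/your/install/dir sh check_httpd.sh` on the gateway host; a result of `vulnerable` means the 'httpd' folder from the attached zip is not the one being executed (for example because the original directory was left in place or the service was not restarted).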