Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server. The following is a list of Apache HTTP Server versions by Siteminder Access Gateway version:
Access Gateway r12.8.7: Apache HTTP Server 2.4.54
Access Gateway r12.8.8: Apache HTTP Server 2.4.58
Access Gateway r12.8.8.1: Apache HTTP Server 2.4.58
KB282288 (archived) delivered Apache 2.4.59
KB373899 (archived) delivered Apache 2.4.62
KB406240 (archived) delivered Apache 2.4.64
KB407938 (archived) delivered Apache 2.4.65
A number of Common Vulnerabilities and Exposures (CVEs) have been published for Apache HTTP Server 2.4.65 and older. These CVEs are remediated in Apache HTTP Server 2.4.66.
NOTE: This KB applies to Siteminder Access Gateway r12.8.8.1 and OLDER. For Apache HTTP Server on Siteminder Access Gateway r12.9, see the following KB:
KB422058: Vulnerabilities in Apache 2.4.65 on Siteminder Access Gateway 12.9
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway Server
VERSION: r12.8.8.1 and Older (ONLY)
OPERATING SYSTEM: ANY
The following CVEs have been published for Apache HTTP Server 2.4.65 and older for Access Gateway.
==============================
CVE-2025-55753: mod_md (ACME), unintended retry intervals
IMPACT: low
DESCRIPTION: An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds.
IMPACTED: Apache HTTP Server 2.4.30 before 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-58098: Server Side Includes adds query string to #exec cmd=...
IMPACT: moderate
DESCRIPTION: Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
IMPACTED: Apache HTTP Server 2.4.65 and older
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-59775: NTLM Leakage on Windows through UNC SSRF
IMPACT: moderate
DESCRIPTION: Server-Side Request Forgery (SSRF) vulnerability on Windows. With AllowEncodedSlashes On and MergeSlashes Off, it could allow NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content.
IMPACTED: Apache HTTP Server 2.4.65 and older
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-65082: CGI environment variable override
IMPACT: low
DESCRIPTION: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
IMPACTED: Apache HTTP Server 2.4.0 through 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
---------------------------
CVE-2025-66200: mod_userdir+suexec bypass via AllowOverride FileInfo
IMPACT: moderate
DESCRIPTION: mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
IMPACTED: Apache HTTP Server 2.4.7 through 2.4.65.
REMEDIATED: Apache HTTP Server 2.4.66
==============================
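Three of the CVEs above only apply when specific directive combinations are present (AllowEncodedSlashes On with MergeSlashes Off; SSI Includes with mod_cgid; mod_userdir and suexec with AllowOverride FileInfo). The following added script, which is not part of this KB or the product, flags those combinations in a single flat httpd.conf; it assumes Include directives have already been resolved and that modules are loaded via LoadModule lines.

```shell
#!/bin/sh
# Added example (not from the KB): flag httpd.conf directive combinations that
# match the preconditions of the CVEs listed above, on a single flat config
# file (Include directives are not resolved; that is an assumption).
# Directive names are case-insensitive in Apache and comment lines are ignored.

# Print the lower-cased value of the last uncommented occurrence of a directive.
last_directive() {   # $1 = conf file, $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print tolower($2)}'
}

# True when a LoadModule line for the module is present (statically built-in
# modules would not show up here).
module_loaded() {    # $1 = conf file, $2 = module name, e.g. cgid_module
    grep -iqE "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"
}

# Print one finding per line; exit status 0 = no finding, 1 = at least one.
audit_httpd_conf() {
    conf="$1"; n=0
    # CVE-2025-59775 (Windows hosts): AllowEncodedSlashes On with MergeSlashes Off.
    if [ "$(last_directive "$conf" AllowEncodedSlashes)" = "on" ] &&
       [ "$(last_directive "$conf" MergeSlashes)" = "off" ]; then
        echo "CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off"; n=$((n+1))
    fi
    # CVE-2025-58098: SSI on (Options Includes / +Includes) while mod_cgid is loaded.
    # IncludesNOEXEC is deliberately not matched: it disables #exec.
    if grep -iE '^[[:space:]]*Options[[:space:]]' "$conf" |
         grep -iqE '(^|[[:space:]+])Includes([[:space:]]|$)' &&
       module_loaded "$conf" cgid_module; then
        echo "CVE-2025-58098: SSI (Includes) enabled with mod_cgid loaded"; n=$((n+1))
    fi
    # CVE-2025-66200: mod_userdir and suexec with AllowOverride FileInfo (or All).
    if module_loaded "$conf" userdir_module && module_loaded "$conf" suexec_module &&
       grep -iqE '^[[:space:]]*AllowOverride([[:space:]]|.*[[:space:]])(FileInfo|All)([[:space:]]|$)' "$conf"; then
        echo "CVE-2025-66200: mod_userdir + suexec with AllowOverride FileInfo"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Usage: sh audit.sh <Install_Dir>/CA/secure-proxy/httpd/conf/httpd.conf
if [ -n "${1:-}" ]; then audit_httpd_conf "$1"; fi
```

A clean result only means the listed preconditions are absent; applying the 2.4.66 package is still the remediation.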
NOTE: This KB provides Apache HTTP Server 2.4.66 for Access Gateway Servers r12.8.8.1 and Older ONLY.
This KB is not to be used for Siteminder Access Gateway r12.9.
Apache HTTP Web Server 2.4.x is tied to OpenSSL. Siteminder Access Gateway r12.8.8.1 and older are bundled with OpenSSL 1.0.2, while Access Gateway r12.9 is bundled with OpenSSL 3.0.15.
For Apache HTTP Server on Siteminder Access Gateway r12.9, see the following KB:
KB422058: Vulnerabilities in Apache 2.4.65 on Siteminder Access Gateway 12.9
How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway
WINDOWS
1. Stop the running Access Gateway Server
2. Using File Explorer, navigate to the Access Gateway installation directory
DEFAULT: C:\Program Files\CA\secure-proxy\
3. Back up the original '\httpd' directory as <httpd_orig>
EXAMPLE: <Install_Dir>\CA\secure-proxy\httpd -> <Install_Dir>\CA\secure-proxy\httpd_orig
4. Unzip the attached "httpd_2466_win64_128801andBelow.zip" and copy the 'httpd' folder to <Install_Dir>\CA\secure-proxy\
5. Copy the '\conf' directory from the original "<httpd_orig>\conf" into <Install_Dir>\CA\secure-proxy\httpd\
6. Copy the 'configssl.bat' file from the original "<httpd_orig>\bin" into <Install_Dir>\CA\secure-proxy\httpd\bin
7. Upgrade to OpenSSL 1.0.2zm as per KB420181: Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x
8. Start the Access Gateway Server.
LINUX
1. Stop the running Access Gateway Server
2. Navigate to the Access Gateway installation directory
Default: <Install_Dir>/CA/secure-proxy/
3. Back up the original '/httpd' directory as <httpd_orig>
<Install_Dir>/CA/secure-proxy/httpd/
EXAMPLE: mv <Install_Dir>/CA/secure-proxy/httpd/ <Install_Dir>/CA/secure-proxy/httpd_orig/
4. Unzip the attached 'httpd_2466_Linux_128801andBelow.zip' file and copy the '/httpd' folder to <Install_Dir>/CA/secure-proxy/
5. Copy the following files from the original <httpd_orig> into <Install_Dir>/CA/secure-proxy/httpd/
cp -r httpd_orig/conf httpd/
cp httpd_orig/bin/apachectl httpd/bin/
cp httpd_orig/bin/apr-1-config httpd/bin/
cp httpd_orig/bin/apu-1-config httpd/bin/
cp httpd_orig/bin/apxs httpd/bin/
cp httpd_orig/bin/envvars httpd/bin/
cp httpd_orig/bin/envvars-std httpd/bin/
6. Upgrade to OpenSSL 1.0.2zl as per KB420181: Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x
7. Start the Access Gateway Server.
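The Linux steps 3 to 5 above, scripted as an added example (not a script shipped with this KB or the product): it backs up httpd to httpd_orig, drops in the unpacked httpd folder, carries over conf/ and the listed bin files, and then checks that the staged tree reports 2.4.66. It assumes <Install_Dir> is passed as the first argument and the unpacked 'httpd' folder from the zip as the second; stopping and starting the server and the OpenSSL upgrade (step 6) remain manual.

```shell
#!/bin/sh
# Added example (not from the KB): scripts Linux steps 3 to 5 above and then
# confirms the staged tree reports the remediated release. Assumes $1 is
# <Install_Dir> and $2 is the unpacked 'httpd' folder from the zip.

# Files that must be carried over from the original tree (step 5).
CARRY_OVER_BIN="apachectl apr-1-config apu-1-config apxs envvars envvars-std"

# Move httpd -> httpd_orig, drop in the new httpd, copy conf/ and bin files back.
stage_httpd_upgrade() {
    sp="$1/CA/secure-proxy"; new_httpd="$2"
    [ -d "$sp/httpd" ] || { echo "no httpd under $sp" >&2; return 1; }
    # Refuse to clobber an existing backup: it is the only way back.
    [ -e "$sp/httpd_orig" ] && { echo "httpd_orig already exists" >&2; return 1; }
    mv "$sp/httpd" "$sp/httpd_orig" || return 1
    cp -r "$new_httpd" "$sp/httpd" || return 1
    cp -r "$sp/httpd_orig/conf" "$sp/httpd/" || return 1
    for f in $CARRY_OVER_BIN; do
        # Warn rather than abort if a helper is absent from the original tree.
        if [ -f "$sp/httpd_orig/bin/$f" ]; then
            cp "$sp/httpd_orig/bin/$f" "$sp/httpd/bin/" || return 1
        else
            echo "warning: $f not found in httpd_orig/bin" >&2
        fi
    done
}

# Print the Apache version reported by <dir>/bin/httpd -v (e.g. 2.4.66).
installed_httpd_version() {
    "$1/bin/httpd" -v 2>/dev/null | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Exit status 0 only when the staged tree reports the remediated release.
verify_remediated() {
    [ "$(installed_httpd_version "$1")" = "2.4.66" ]
}

# Usage: sh stage_httpd.sh <Install_Dir> /path/to/unpacked/httpd
if [ $# -eq 2 ]; then
    stage_httpd_upgrade "$1" "$2" && verify_remediated "$1/CA/secure-proxy/httpd"
fi
```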
How to Verify the version of Apache HTTP Server Installed on Siteminder Access Gateway
KB420181: Vulnerabilities in OpenSSL 1.0.2zl and Older on Siteminder Access Gateway r12.8.x
KB422058: Vulnerabilities in Apache 2.4.65 on Siteminder Access Gateway 12.9
Apache HTTP Server 2.4 vulnerabilities
CVE-2025-55753
CVE-2025-58098
CVE-2025-59775
CVE-2025-65082
CVE-2025-66200
CVE-2025-54090
CVE-2024-42516
CVE-2024-43204
CVE-2024-43394
CVE-2024-47252
CVE-2025-23048
CVE-2025-49630
CVE-2024-49812
CVE-2024-40898
CVE-2024-40725
CVE-2023-38709
CVE-2024-36387
CVE-2024-24795
CVE-2024-27316
CVE-2023-31122
CVE-2023-43622
CVE-2023-45802
CVE-2023-25690
CVE-2023-27522
CVE-2006-20001
CVE-2022-36760
CVE-2022-37436