Vulnerability in Log4j 2.52.2 And Older on the Siteminder Policy Server

Article ID: 427325

Products

SITEMINDER

Issue/Introduction

A number of vulnerabilities have been published for Apache Log4J version 2, impacting Log4j2 2.0-beta9 through 2.25.2.

Siteminder bundles Apache Log4J2 in a number of components, including the Siteminder Policy Server.  

Log4J by Siteminder Version:

r12.8.7:   Log4j 2.17.2
r12.8.8:   Log4j 2.20.0
r12.8.8.1: Log4j 2.20.0
r12.9:     Log4j 2.20.0

Environment

PRODUCT: Siteminder

COMPONENT: Policy Server

VERSION: 12.8.7; 12.8.8; 12.8.8.1; 12.9

OPERATING SYSTEM: Any

Cause

The following CVE has been published for Log4J, impacting all versions of Log4J 2.25.2 and older.

CVE-2025-68161  "Apache Log4j Core: Missing TLS hostname verification in Socket appender"

IMPACT:  Medium

DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

IMPACTED: Log4J 2.0.1 - 2.25.2

REMEDIATED: Log4J 2.25.3

Resolution

Update Log4J on the Siteminder Policy Server to Log4J 2.25.3.

1) Download Log4J 2.25.3 from this KB

2) Back up the following files:

<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-api-2.xx.x.jar
<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-core-2.xx.x.jar
<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-slf4j-impl-2.xx.x.jar
OR
<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-slf4j2-impl-2.xx.x.jar

<siteminder_install_Dir>\siteminder\bin\jars\log4j-api-2.xx.x.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-core-2.xx.x.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-slf4j-impl-2.xx.x.jar
OR
<siteminder_install_Dir>\siteminder\bin\jars\log4j-slf4j2-impl-2.xx.x.jar

3) Stop the Policy Server

4) Delete the existing log4j jar files (listed in step #2).

5) Place the new log4j 2.25.3 jars in the following locations:

<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-api-2.25.3.jar
<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-core-2.25.3.jar
<siteminder_install_Dir>\siteminder\bin\thirdparty\log4j-slf4j2-impl-2.25.3.jar

<siteminder_install_Dir>\siteminder\bin\jars\log4j-api-2.25.3.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-core-2.25.3.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-slf4j2-impl-2.25.3.jar


6) After copying the log4j jars into the <siteminder_install_Dir>\siteminder\bin\jars\ folder (as described in step #5), rename the jar files, removing the version from the filenames.

RESULT:

<siteminder_install_Dir>\siteminder\bin\jars\log4j-api.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-core.jar
<siteminder_install_Dir>\siteminder\bin\jars\log4j-slf4j2-impl-2.25.3.jar

NOTE: This step applies only to the files in the \jars directory, NOT to the \thirdparty directory.


7) Edit the JVMOptions.txt file at <siteminder_install_Dir>\siteminder\config\, update all references to the existing log4j version in the -Djava.class.path parameter to the 2.25.3 version, and save the changes.

EXAMPLE:

-Djava.class.path=<siteminder_install_Dir>/siteminder/resources;<siteminder_install_Dir>/siteminder/config/properties;<siteminder_install_Dir>/siteminder/bin/endorsed/jakarta.xml.bind-api.jar;<siteminder_install_Dir>/siteminder/bin/endorsed/jakarta.activation.jar;<siteminder_install_Dir>/siteminder/bin/jars/smbootstrap.jar;<siteminder_install_Dir>/siteminder/bin/thirdparty/log4j-api-2.25.3.jar;<siteminder_install_Dir>/siteminder/bin/thirdparty/log4j-core-2.25.3.jar;<siteminder_install_Dir>/siteminder/bin/thirdparty/log4j-slf4j2-impl-2.25.3.jar

8) Navigate to <siteminder_installation_home>/siteminder/bin and edit the following scripts, updating all references to the existing log4j version:


smkeytool.bat/smkeytool.sh
smfedexport.bat/smfedexport.sh
smfedimport.bat/smfedimport.sh

EXAMPLE: 

set CLASSPATH=%SMFED_JARS%\smfedimport.jar;%SMFED_JARS%\saml2.jar;%SMFED_JARS%\saml2Metadata.jar;%SMFED_JARS%\saml2MetadataGen.jar;%SMFED_JARS%\wsgen.jar;%SMFED_JARS%\saml2Gen.jar;%SMFED_JARS%\SmJavaApi.jar;%SMFED_JARS%\fedutil.jar;%SMFED_JARS%\smkeydatabase.jar;%NETE_HSM_HOME%\JSP\lib\LunaProvider.jar;%SMFED_JARS%\smadminapi.jar;%SMFED_JARS%\smrpc.jar;%SMFED_JARS%\util-signed.jar;%SMFED_JARS%\tmsigservice.jar;%SMFED_JARS%\saml2security.jar;%SMFED_TPJARS%\xercesImpl.jar;%NETE_PS_ROOT%\config\properties;%SMFED_ENDORSED_JARS%\xmlsec-2.3.2.jar;%SMFED_TPJARS%\xml-apis.jar;%SMFED_TPJARS%\relaxngDatatype.jar;%SMFED_TPJARS%\commons-logging.jar;%SMFED_TPJARS%\commons-logging-api.jar;%SMFED_JARS%\smi18n.jar;%SMFED_JARS%\smagentapi.jar;%SMFED_TPJARS%\jvatk.jar;%SMFED_JARS%\smpkcs11.jar;%SMFED_JARS%\smcert.jar;%SMFED_JARS%\fipsmode.jar;%SMFED_JARS%\smcrypto.jar;%SMFED_TPJARS%\bc-fips-1.0.2.4.jar;%SMFED_TPJARS%\bcpkix-fips-1.0.7.jar;%SMFED_TPJARS%\log4j-core-2.25.3.jar;


9) Start Policy Server.
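A check for the upgrade procedure above, as an added example that is not part of this KB or of Siteminder: a Python script that audits the two jar directories and the classpath files the steps name, reporting any log4j jar or classpath reference still older than 2.25.3. The directory layout and file names are taken from the KB; the manifest attribute it reads for the renamed, versionless jars in \bin\jars, the `<dir>` placeholder in the constructed JVMOptions.txt, and the three sample install trees are assumptions and constructed fixtures, not real Log4j artifacts.

```python
"""Post-upgrade audit of the Log4j jars on a Siteminder Policy Server (added example,
not Broadcom's code). Checks the two jar directories and the classpath files named
in the KB: every log4j-*.jar must be 2.25.3 or newer (reading MANIFEST.MF when the
filename has no version, i.e. the renamed copies in bin\\jars from step 6), and
JVMOptions.txt plus the bin scripts from step 8 must not reference an older version.
The manifest attribute name is assumed; the sample install trees are constructed fixtures.
"""
import re
import tempfile
import zipfile
from pathlib import Path

REMEDIATED = (2, 25, 3)  # Log4j Core release that fixes CVE-2025-68161
JAR_DIRS = ("bin/thirdparty", "bin/jars")
CLASSPATH_FILES = ("config/JVMOptions.txt",
                   "bin/smkeytool.bat", "bin/smkeytool.sh",
                   "bin/smfedexport.bat", "bin/smfedexport.sh",
                   "bin/smfedimport.bat", "bin/smfedimport.sh")
# log4j-core-2.25.3.jar -> ("core", "2.25.3"); log4j-api.jar -> ("api", None)
JAR_RE = re.compile(r"log4j-([a-z0-9-]+?)(?:-(\d+(?:\.\d+)+))?\.jar$", re.IGNORECASE)
# A versioned log4j jar reference inside a classpath string
REF_RE = re.compile(r"log4j-[a-z0-9-]+?-(\d+(?:\.\d+)+)\.jar", re.IGNORECASE)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def version_from_manifest(jar_path):
    """Version from META-INF/MANIFEST.MF for jars whose filename carries none (assumed attribute)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)", manifest, re.MULTILINE)
    return parse_version(m.group(1)) if m else None


def audit_install(install_dir):
    """Return a list of findings; an empty list means the upgrade looks complete."""
    root = Path(install_dir) / "siteminder"
    findings = []
    for rel in JAR_DIRS:
        d = root / rel
        if not d.is_dir():
            findings.append(f"{d}: directory missing")
            continue
        for jar in sorted(d.glob("log4j-*.jar")):
            m = JAR_RE.search(jar.name)
            if not m:
                continue
            if m.group(1).lower() == "slf4j-impl":  # step 4 deletes it; step 5 ships only slf4j2-impl
                findings.append(f"{jar}: old slf4j binding should have been deleted in step 4")
            ver = parse_version(m.group(2)) if m.group(2) else version_from_manifest(jar)
            if ver is None:
                findings.append(f"{jar}: version not found in filename or manifest")
            elif ver < REMEDIATED:
                findings.append(f"{jar}: version {'.'.join(map(str, ver))} is older than 2.25.3")
    for rel in CLASSPATH_FILES:
        f = root / rel
        if not f.is_file():
            continue
        text = f.read_text(encoding="utf-8", errors="replace")
        for ref in sorted(set(REF_RE.findall(text))):
            if parse_version(ref) < REMEDIATED:
                findings.append(f"{f}: still references log4j {ref}")
    return findings


def make_jar(path, version):
    """Constructed stand-in jar (manifest only), NOT a real Log4j artifact."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def build_sample_install(base, version, jars_dir_version=None):
    """Lay out the KB's directory structure with constructed jars and a JVMOptions.txt."""
    root = Path(base) / "siteminder"
    for name in ("api", "core", "slf4j2-impl"):
        make_jar(root / "bin" / "thirdparty" / f"log4j-{name}-{version}.jar", version)
    inner = jars_dir_version or version
    for name in ("api", "core"):  # renamed without a version, as in step 6
        make_jar(root / "bin" / "jars" / f"log4j-{name}.jar", inner)
    make_jar(root / "bin" / "jars" / f"log4j-slf4j2-impl-{version}.jar", version)
    (root / "config").mkdir(parents=True, exist_ok=True)
    (root / "config" / "JVMOptions.txt").write_text(
        f"-Djava.class.path=<dir>/siteminder/bin/thirdparty/log4j-core-{version}.jar\n")


def run_demo():
    """Audit three constructed installs: not upgraded, bin\\jars copies missed, fully upgraded."""
    cases = {"before": ("2.20.0", None), "partial": ("2.25.3", "2.20.0"), "after": ("2.25.3", None)}
    results = {}
    for label, (ver, jars_ver) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_install(tmp, ver, jars_ver)
            results[label] = audit_install(tmp)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Against a real server, call audit_install() with the parent of the siteminder directory (the value of <siteminder_install_Dir>); the "partial" case shows why the manifest is read: once step 6 has stripped the version from log4j-api.jar and log4j-core.jar, the filename alone no longer tells whether the old copies were actually replaced.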

Additional Information

427360 Vulnerability in Log4j 2.52.2 And Older on Siteminder Application Server Agents (ASA)
427325 Vulnerability in Log4j 2.52.2 And Older on the Siteminder Policy Server
427312 Vulnerability in Log4j 2.52.2 And Older on Siteminder Access Gateway
427357 Vulnerability in Log4j 2.52.2 And Older on Siteminder SDK
427332 Vulnerability in Log4j 2.52.2 And Older on Siteminder AdminUI

Apache.org: CVE-2025-68161

CVE.org: CVE-2025-68161

CVE-2025-68161
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
CVE-2021-4104

Attachments

log4j-2.25.3.zip