OpenSSL 3.5.4 and older Vulnerabilities on Siteminder Access Gateway r12.9


Article ID: 428994


Products

SITEMINDER

Issue/Introduction

Siteminder Access Gateway r12.9 ships with OpenSSL 3.4.0. A number of vulnerabilities have been reported in OpenSSL 3.5.5 and older.

This KB delivers OpenSSL 3.5.5 for Siteminder Access Gateway r12.9.

NOTE: Siteminder Access Gateway r12.8.8.1 and older are bundled with OpenSSL 1.0.2. This KB is not applicable to Access Gateway r12.8.8.1 and older.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway 

VERSION: r12.9 (ONLY)

Cause

CVE-2025-11187 "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-15467 "Stack buffer overflow in CMS AuthEnvelopedData parsing"

SEVERITY: High
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-15468 "NULL dereference in SSL_CIPHER_find() function on unknown cipher ID"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-66199 "TLS 1.3 CompressedCertificate excessive memory allocation"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-68160 "Heap out-of-bounds write in BIO_f_linebuffer on short writes"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-69418 "Unauthenticated/unencrypted trailing bytes with low-level OCB function calls"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-69419 "Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-69420 "Missing ASN1_TYPE validation in TS_RESP_verify_response() function"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-69421 "NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2026-22795 "Missing ASN1_TYPE validation in PKCS#12 parsing"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2026-22796 "ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

-----------------------------------

CVE-2025-9230 "Out-of-bounds read & write in RFC 3211 KEK Unwrap"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

-----------------------------------

CVE-2025-9231 "Timing side-channel in SM2 algorithm on 64 bit ARM"

SEVERITY: Moderate
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

-----------------------------------

CVE-2025-9232 "Out-of-bounds read in HTTP client no_proxy handling"

SEVERITY: Low
IMPACTED: OpenSSL 3.5.0 - 3.5.3
Remediated: 3.5.4 and higher

Resolution

Upgrade OpenSSL on the Siteminder Access Gateway server to OpenSSL 3.5.5 using this KB.

Verifying the OpenSSL version on Siteminder Access Gateway

NOTES:

1) OpenSSL 3.x is only applicable to Siteminder Access Gateway r12.9. 

2) Upgrade Apache to 2.4.65 on Siteminder Access Gateway r12.9 at the same time this KB is being applied.  Use KB 407918

KB422058: Vulnerabilities in Apache 2.4.65 on Siteminder Access Gateway 12.9

###### UPGRADE INSTRUCTIONS ######

LINUX

Please follow these steps to upgrade OpenSSL to version 3.5.5:

1. Copy openssl_355_linux.zip to a temporary location on your Access Gateway server.

2. Stop Access Gateway services

3. Take a backup of the original directories: <Install_dir>/secure-proxy/SSL/bin and <Install_dir>/secure-proxy/SSL/lib/.

4. Unzip the patch to a temporary location.
5. Copy the files from bin folder in the temporary location to the <Install_dir>/secure-proxy/SSL/bin folder
6. Copy the files from lib folder in the temporary location to the <Install_dir>/secure-proxy/SSL/lib folder

7. Make sure the permissions of the different files replaced match the ones for the original files
8. Start the SPS.
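
One way to script steps 3 to 7 so that the backup and the permission match are not left to manual inspection. This is an added example, not code shipped with the KB; the function names and the `.bak-<timestamp>` backup location next to the original directories are assumptions, and GNU coreutils are assumed to be present.

```sh
#!/bin/sh
# Added example for Linux steps 3-7; not part of the KB package.
# Run only after Access Gateway services are stopped (step 2).
# Assumes GNU cp/chmod/chown/stat and file names without newlines.

# apply_openssl_patch <SSL dir> <unzipped patch dir>
# Prints the backup suffix on success, returns non-zero on any failure.
apply_openssl_patch() (
  ssl_dir=$1; patch_dir=$2; stamp=$(date +%Y%m%d%H%M%S)
  for sub in bin lib; do
    if [ ! -d "$ssl_dir/$sub" ] || [ ! -d "$patch_dir/$sub" ]; then
      echo "missing $sub directory" >&2; exit 1
    fi
  done
  for sub in bin lib; do
    bak="$ssl_dir/$sub.bak-$stamp"
    cp -a "$ssl_dir/$sub" "$bak" || exit 1            # step 3: backup keeps modes and owners
    (cd "$patch_dir/$sub" && find . -type f) | while IFS= read -r rel; do
      dst="$ssl_dir/$sub/$rel"
      mkdir -p "$(dirname "$dst")" || exit 1
      cp -f "$patch_dir/$sub/$rel" "$dst" || exit 1   # steps 5 and 6
      if [ -e "$bak/$rel" ]; then                     # step 7: match the original file
        chmod --reference="$bak/$rel" "$dst" || exit 1
        chown --reference="$bak/$rel" "$dst" 2>/dev/null ||
          echo "could not restore owner of $dst" >&2
      fi
    done || exit 1
  done
  echo "$stamp"
)

# count_mode_mismatches <SSL dir> <backup suffix>
# Prints how many files still differ in mode from their backed-up original.
count_mode_mismatches() (
  ssl_dir=$1; stamp=$2
  for sub in bin lib; do
    bak="$ssl_dir/$sub.bak-$stamp"
    (cd "$bak" && find . -type f) | while IFS= read -r rel; do
      [ -e "$ssl_dir/$sub/$rel" ] || continue
      [ "$(stat -c %a "$bak/$rel")" = "$(stat -c %a "$ssl_dir/$sub/$rel")" ] ||
        echo "$sub/$rel"
    done
  done | wc -l
)
```

Call `apply_openssl_patch "<Install_dir>/secure-proxy/SSL" "<temporary location>"` and confirm `count_mode_mismatches` prints 0 before starting the SPS; files that are new in the patch have no original to compare against and keep the mode they were unzipped with.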

WINDOWS

Please follow these steps to upgrade OpenSSL to version 3.5.5:

1. Copy openssl_355_win64.zip to a temporary location on your Access Gateway server.

2. Stop Access Gateway services

3. Take a backup of the original directories: <Install_dir>\secure-proxy\SSL\bin and <Install_dir>\secure-proxy\SSL\lib\.

4. Unzip the patch to a temporary location.
5. Copy the files from bin folder in the temporary location to the <Install_dir>\secure-proxy\SSL\bin folder
6. Copy the files from lib folder in the temporary location to the <Install_dir>\secure-proxy\SSL\lib folder

7. Make sure the permissions of the different files replaced match the ones for the original files
8. Start the SPS.

Additional Information

OpenSSL Vulnerabilities 3.5.x

Vulnerabilities in Tomcat 9.0.110 and Older on Siteminder Access Gateway

CVE-2025-15467 "Stack buffer overflow in CMS AuthEnvelopedData parsing" does not in fact affect SiteMinder, but a remediation is being provided anyway.

SEVERITY: High
IMPACTED: OpenSSL 3.5.0 - 3.5.4
Remediated: 3.5.5

Attachments

openssl_355_linux.zip
openssl_355_win64.zip