Vulnerability in Libcurl 8.10.0 and older in the Siteminder Policy Server r12.8.8.1 and older
Article ID: 437690

Products

SITEMINDER

Issue/Introduction

The Siteminder Policy Server bundles Libcurl in its binaries. The following versions of Libcurl are shipped with the Siteminder Policy Server:

Policy Server r12.8.7:     LibCurl 7.84.0
Policy Server r12.8.8:     LibCurl 8.4.0
Policy Server r12.8.8.1:  LibCurl 8.4.0
Policy Server r12.9:        LibCurl 8.12.1.0

KB378171 delivered LibCurl 8.10.0 


NOTE: This KB only applies to Siteminder Policy Server r12.8.8.1 and older. For r12.9 Policy Servers use KB 437711 Vulnerability in Libcurl 8.17.0 and older in the Siteminder Policy Server r12.9 and older


Environment

PRODUCT: Symantec Siteminder

COMPONENT: Policy Server

VERSIONS: r12.8.7; r12.8.8; r12.8.8.1

OPERATING SYSTEM: Any

Cause

The following CVEs have been published for LibCurl 7.84.0 - 8.18.0.

CVE | First Version Impacted | Last Version Impacted
CVE-2026-3805: use after free in SMB connection reuse | 8.13.0 | 8.18.0
CVE-2026-3784: wrong proxy connection reuse with credentials | 7.7 | 8.18.0
CVE-2026-3783: token leak with redirect and netrc | 7.33.0 | 8.18.0
CVE-2026-1965: bad reuse of HTTP Negotiate connection | 7.10.6 | 8.18.0
CVE-2025-15224: libssh key passphrase bypass without agent set | 7.58.0 | 8.17.0
CVE-2025-15079: libssh global known_hosts override | 7.58.0 | 8.17.0
CVE-2025-14819: OpenSSL partial chain store policy bypass | 7.87.0 | 8.17.0
CVE-2025-14524: bearer token leak on cross-protocol redirect | 7.33.0 | 8.17.0
CVE-2025-14017: broken TLS options for threaded LDAPS | 7.17.0 | 8.17.0
CVE-2025-13034: No QUIC certificate pinning with GnuTLS | 8.8.0 | 8.17.0
CVE-2025-10966: missing SFTP host verification with wolfSSH | 7.69.0 | 8.16.0
CVE-2025-10148: predictable WebSocket mask | 8.11.0 | 8.15.0
CVE-2025-9086: Out of bounds read for cookie path | 8.13.0 | 8.15.0
CVE-2025-5399: WebSocket endless loop | 8.13.0 | 8.14.0
CVE-2025-5025: No QUIC certificate pinning with wolfSSL | 8.5.0 | 8.13.0
CVE-2025-4947: QUIC certificate check skip with wolfSSL | 8.8.0 | 8.13.0
CVE-2025-0725: gzip integer overflow | 7.10.5 | 8.11.1
CVE-2025-0665: eventfd double close | 8.11.1 | 8.11.1
CVE-2025-0167: netrc and default credential leak | 7.76.0 | 8.11.1
CVE-2024-11053: netrc and redirect credential leak | 7.76.0 | 8.11.0
CVE-2024-9681: HSTS subdomain overwrites parent cache entry | 7.74.0 | 8.10.1
CVE-2024-8096: OCSP stapling bypass with GnuTLS | 7.41.0 | 8.9.1
CVE-2024-7264: ASN.1 date parser overread | 7.32.0 | 8.9.0
CVE-2024-6874: macidn punycode buffer overread | 8.8.0 | 8.8.0
CVE-2024-6197: freeing stack buffer in utf8asn1str | 8.6.0 | 8.8.0
CVE-2024-2466: TLS certificate check bypass with mbedTLS | 8.5.0 | 8.6.0
CVE-2024-2398: HTTP/2 push headers memory-leak | 7.44.0 | 8.6.0
CVE-2024-2379: QUIC certificate check bypass with wolfSSL | 8.6.0 | 8.6.0
CVE-2024-2004: Usage of disabled protocol | 7.85.0 | 8.6.0
CVE-2024-0853: OCSP verification bypass with TLS session reuse | 8.5.0 | 8.5.0
CVE-2023-46219: HSTS long filename clears contents | 7.84.0 | 8.4.0
CVE-2023-46218: cookie mixed case PSL bypass | 7.46.0 | 8.4.0
CVE-2023-38546: cookie injection with none file | 7.9.1 | 8.3.0
CVE-2023-38545: SOCKS5 heap buffer overflow | 7.69.0 | 8.3.0
CVE-2023-38039: HTTP headers eat all memory | 7.84.0 | 8.2.1
CVE-2023-28322: more POST-after-PUT confusion | 7.7 | 8.0.1
CVE-2023-28321: IDN wildcard match | 7.12.0 | 8.0.1
CVE-2023-28320: siglongjmp race condition | 7.9.8 | 8.0.1
CVE-2023-28319: UAF in SSH sha256 fingerprint check | 7.81.0 | 8.0.1
CVE-2023-27538: SSH connection too eager reuse still | 7.16.1 | 7.88.1
CVE-2023-27537: HSTS double free | 7.88.0 | 7.88.1
CVE-2023-27536: GSS delegation too eager connection reuse | 7.22.0 | 7.88.1
CVE-2023-27535: FTP too eager connection reuse | 7.13.0 | 7.88.1
CVE-2023-27534: SFTP path ~ resolving discrepancy | 7.18.0 | 7.88.1
CVE-2023-27533: TELNET option IAC injection | 7.7 | 7.88.1
CVE-2023-23916: HTTP multi-header compression denial of service | 7.57.0 | 7.87.0
CVE-2023-23915: HSTS amnesia with --parallel | 7.77.0 | 7.87.0
CVE-2023-23914: HSTS ignored on multiple requests | 7.77.0 | 7.87.0
CVE-2022-43552: HTTP Proxy deny use after free | 7.16.0 | 7.86.0
CVE-2022-43551: Another HSTS bypass via IDN | 7.77.0 | 7.86.0
CVE-2022-42916: HSTS bypass via IDN | 7.77.0 | 7.85.0
CVE-2022-42915: HTTP proxy double free | 7.77.0 | 7.85.0
CVE-2022-35260: .netrc parser out-of-bounds access | 7.84.0 | 7.85.0
CVE-2022-32221: POST following PUT confusion | 7.7 | 7.85.0
CVE-2022-35252: control code in cookie denial of service | 4.9 | 7.84.0


Resolution

This KB lets you upgrade LibCurl on Siteminder Policy Server r12.8.8.1 and older to LibCurl 8.17.0. LibCurl 8.17.0 is attached to this KB.

To remediate all LibCurl CVEs, it is advised that you upgrade the Siteminder Policy Server to r12.9 or higher.

Siteminder r12.8.8.1 and older, along with LibCurl 8.17.0 and older, are built on OpenSSL 1.0.2. Siteminder r12.9 and higher, along with LibCurl 8.18.0 and higher, are built on OpenSSL 3.0.x. Neither OpenSSL 3.0.x nor LibCurl 8.18.0 is backward compatible with Siteminder Policy Server r12.8.8.1 and older.

Upgrading to Libcurl 8.17.0 will still leave the system vulnerable to the following CVEs:

CVE-2026-3784: wrong proxy connection reuse with credentials
CVE-2026-3783: token leak with redirect and netrc
CVE-2026-1965: bad reuse of HTTP Negotiate connection
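To apply the version table above to a concrete libcurl build (for example the 7.84.0, 8.4.0 or 8.10.0 shipped with the Policy Server releases listed earlier, or the 8.17.0 this KB attaches), here is an added example that is not part of the KB: it checks a libcurl version against the KB's inclusive first/last impacted ranges, and can read the version directly out of a libcurl shared object via its curl_version() entry point. CVE_RANGES holds only a subset of the KB table, and the /<Install_Dir> library path is a placeholder.

```python
"""Which of the KB's libcurl CVE ranges cover a given libcurl version?
Added example, not part of the Broadcom KB. CVE_RANGES is a subset of the
KB table (CVE, first impacted, last impacted); add the remaining rows as needed.
"""
import ctypes
import re
from typing import List, Optional, Tuple

CVE_RANGES: List[Tuple[str, str, str]] = [
    ("CVE-2026-3805", "8.13.0", "8.18.0"),
    ("CVE-2026-3784", "7.7", "8.18.0"),
    ("CVE-2026-3783", "7.33.0", "8.18.0"),
    ("CVE-2026-1965", "7.10.6", "8.18.0"),
    ("CVE-2025-9086", "8.13.0", "8.15.0"),
    ("CVE-2024-0853", "8.5.0", "8.5.0"),
    ("CVE-2023-46219", "7.84.0", "8.4.0"),
    ("CVE-2023-38545", "7.69.0", "8.3.0"),
    ("CVE-2022-35252", "4.9", "7.84.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.7' or '8.4.0' into a comparable tuple, padded to 3 components
    so that 7.7 sorts as 7.7.0 (below 7.84.0, unlike a plain string compare)."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_cves(version: str, table=CVE_RANGES) -> List[str]:
    """CVE ids whose inclusive [first, last] range contains `version`."""
    v = parse_version(version)
    return [cve for cve, first, last in table
            if parse_version(first) <= v <= parse_version(last)]


def installed_libcurl_version(lib_path: str) -> Optional[str]:
    """Read the version the shared object itself reports via curl_version(),
    e.g. for /<Install_Dir>/CA/siteminder/lib/libcurl.so.4 (placeholder path).
    curl_version() returns a banner like b'libcurl/8.4.0 OpenSSL/1.0.2u ...'."""
    try:
        lib = ctypes.CDLL(lib_path)
        lib.curl_version.restype = ctypes.c_char_p
        banner = lib.curl_version().decode("ascii", "replace")
    except (OSError, AttributeError):
        return None  # not loadable here, or not a libcurl
    match = re.match(r"libcurl/(\d+(?:\.\d+)+)", banner)
    return match.group(1) if match else None


if __name__ == "__main__":
    for shipped in ("7.84.0", "8.4.0", "8.10.0", "8.17.0"):
        print(shipped, "->", ", ".join(affected_cves(shipped)) or "none in table")
```

Run it on the Policy Server with installed_libcurl_version() pointed at the bundled libcurl.so.4 before and after the upgrade to confirm the library actually in use changed, since the file names (libcurl.so.4.8.0) stay the same across versions.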

Upgrade Siteminder r12.8.8.1 or Older to LibCurl 8.17.0

LINUX 

1) Download 'libcurl_8.17.0_12.8.x_linux.zip' to the Siteminder Policy Server

2) Decompress 'libcurl_8.17.0_libs.zip'

Contents:

libcurl.so
libcurl.so.4
libcurl.so.4.8.0

3) Stop the Siteminder Policy Server

4) Back up and delete, or rename, the following files:

/<Install_Dir>/CA/siteminder/lib/libcurl.so.4.8.0
/<Install_Dir>/CA/siteminder/lib/libcurl.so.4
/<Install_Dir>/CA/siteminder/lib/libcurl.so

5) Copy the following files from 'libcurl_8.17.0_12.8.x_linux.zip' into the '/<Install_Dir>/CA/siteminder/lib/' directory.

libcurl.so
libcurl.so.4
libcurl.so.4.8.0

6) Start the Siteminder Policy Server

WINDOWS

1) Download 'libcurl_8.17.0_12.8.x_win64.zip' to the Siteminder Policy Server

2) Decompress 'libcurl_8.17.0_12.8.x_win64.zip'

3) Stop the Siteminder Policy Server

4) Back up and delete, or rename, the following files:

<Install_Dir>\CA\siteminder\bin\libcurl.dll

5) Copy the following files from 'libcurl_8.17.0_12.8.x_win64' into the '<Install_Dir>\CA\siteminder\bin\' directory.

libcurl.dll

6) Start the Siteminder Policy Server

Additional Information

curl and libcurl vulnerabilities

KB 437711 Vulnerability in Libcurl 8.17.0 and older in the Siteminder Policy Server r12.9 and older

Libcurl 8.17.0 remediates the following CVEs:

CVE-2025-15224: libssh key passphrase bypass without agent set
CVE-2025-15079: libssh global known_hosts override
CVE-2025-14819: OpenSSL partial chain store policy bypass
CVE-2025-14524: bearer token leak on cross-protocol redirect
CVE-2025-14017: broken TLS options for threaded LDAPS
CVE-2025-13034: No QUIC certificate pinning with GnuTLS
CVE-2025-10966: missing SFTP host verification with wolfSSH
CVE-2025-10148: predictable WebSocket mask
CVE-2025-9086: Out of bounds read for cookie path
CVE-2025-5399: WebSocket endless loop
CVE-2025-5025: No QUIC certificate pinning with wolfSSL
CVE-2025-4947: QUIC certificate check skip with wolfSSL
CVE-2025-0725: gzip integer overflow
CVE-2025-0665: eventfd double close
CVE-2025-0167: netrc and default credential leak
CVE-2024-11053: netrc and redirect credential leak
CVE-2024-9681: HSTS subdomain overwrites parent cache entry
CVE-2024-8096: OCSP stapling bypass with GnuTLS
CVE-2024-7264: ASN.1 date parser overread
CVE-2024-6874: macidn punycode buffer overread
CVE-2024-6197: freeing stack buffer in utf8asn1str
CVE-2024-2466: TLS certificate check bypass with mbedTLS
CVE-2024-2398: HTTP/2 push headers memory-leak
CVE-2024-2379: QUIC certificate check bypass with wolfSSL
CVE-2024-2004: Usage of disabled protocol
CVE-2024-0853: OCSP verification bypass with TLS session reuse
CVE-2023-46219: HSTS long filename clears contents
CVE-2023-46218: cookie mixed case PSL bypass
CVE-2023-38546: cookie injection with none file
CVE-2023-38545: SOCKS5 heap buffer overflow
CVE-2023-38039: HTTP headers eat all memory
CVE-2023-28322: more POST-after-PUT confusion
CVE-2023-28321: IDN wildcard match
CVE-2023-28320: siglongjmp race condition
CVE-2023-28319: UAF in SSH sha256 fingerprint check
CVE-2023-27538: SSH connection too eager reuse still
CVE-2023-27537: HSTS double free
CVE-2023-27536: GSS delegation too eager connection reuse
CVE-2023-27535: FTP too eager connection reuse
CVE-2023-27534: SFTP path ~ resolving discrepancy
CVE-2023-27533: TELNET option IAC injection
CVE-2023-23916: HTTP multi-header compression denial of service
CVE-2023-23915: HSTS amnesia with --parallel
CVE-2023-23914: HSTS ignored on multiple requests
CVE-2022-43552: HTTP Proxy deny use after free
CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-42916: HSTS bypass via IDN
CVE-2022-42915: HTTP proxy double free
CVE-2022-35260: .netrc parser out-of-bounds access
CVE-2022-32221: POST following PUT confusion
CVE-2022-35252: control code in cookie denial of service


Attachments

libcurl_8.17.0_12.8.x_linux.zip
libcurl_8.17.0_12.8.x_win64.zip