Vulnerabilities in OpenSSL 1.0.2zo and older on Siteminder Access Gateway 12.8.8.1 and older

Article ID: 438073

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Vulnerabilities with OpenSSL 1.0.2zo and older on Symantec Siteminder Access Gateway r12.8.x have been published.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.7:     OpenSSL 1.0.2zf
r12.8.8:     OpenSSL 1.0.2zi
r12.8.8.1:  OpenSSL 1.0.2zj

KB 274048 (archived) delivered OpenSSL 1.0.2zi
KB 280151 (archived) delivered OpenSSL 1.0.2zj
KB 385668 (archived) delivered OpenSSL 1.0.2zk
KB 420181 (archived) delivered OpenSSL 1.0.2zl
KB 429563 (archived) delivered OpenSSL 1.0.2zm
KB 429351 (archived) delivered OpenSSL 1.0.2zn

NOTE: Siteminder r12.9 ships with OpenSSL 3.0.x and is not impacted by these CVEs.

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway 

OPERATING SYSTEM: ANY

VERSION: 12.8.8.1 and older

Cause

The following CVEs have been published for OpenSSL 1.0.2zo and older.

CVE-2026-28388 "NULL Pointer Dereference When Processing a Delta CRL"

Severity: Low
IMPACTED: 1.0.2 - 1.0.2zo
REMEDIATED: 1.0.2zp

CVE-2026-28389 "Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo"

Severity: Low
IMPACTED: 1.0.2 - 1.0.2zo
REMEDIATED: 1.0.2zp

CVE-2026-28390 "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo"

Severity: Low
IMPACTED: 1.0.2 - 1.0.2zo
REMEDIATED: 1.0.

Resolution

Upgrade OpenSSL to 1.0.2zp on Siteminder Access Gateway servers running r12.8.8.1 and older only. Siteminder Access Gateway r12.9 uses OpenSSL 3.x.

Verifying the OpenSSL version on Siteminder Access Gateway

###### UPGRADE INSTRUCTIONS ######


Upgrade to OpenSSL 1.0.2zp on Linux

1) Copy "Openssl_1.0.2zp_linux.zip" to the Access Gateway Server

2) Unzip "Openssl_1.0.2zp_linux.zip"

unzip Openssl_1.0.2zp_linux.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Back up either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/Openssl_1.0.2zp_linux/bin/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS: openssl

EXAMPLE: cp -r /Openssl_1.0.2zp_linux/Openssl102zp/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

NOTE: Do not copy and overwrite the entire /bin folder.  Only copy the files to /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Back up either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.1.0.0
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.1.0.0

9) Copy the contents of the '/Openssl_1.0.2zp_linux/Openssl102zp/lib/' folder to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.so
libcrypto.so.1.0.0
libssl.so
libssl.so.1.0.0

EXAMPLE: cp -r /Openssl_1.0.2zp_linux/SSL/lib/* ./<InstallDir>/CA/secure-proxy/SSL/lib/

NOTE: Do not copy and overwrite the entire /lib folder.  Only copy the files to /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

13) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
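
The backup, copy, permission and verification steps of the Linux procedure above can be scripted as follows. This is an added example, not vendor-supplied code: the helper names `replace_ssl_dir`, `verify_version` and `rollback` and the backup location are assumptions, and it keeps the original permissions by overwriting each file in place rather than re-setting them by hand.

```shell
#!/bin/sh
# Added example (not vendor code). Run only while the Access Gateway is stopped.
# Helper names and the backup location are assumptions of this example.

# replace_ssl_dir NEW_DIR LIVE_DIR BACKUP_DIR
# Backs up LIVE_DIR, then overwrites each shipped file in place.
replace_ssl_dir() {
    new=$1; live=$2; backup=$3
    if [ ! -d "$new" ] || [ ! -d "$live" ]; then
        echo "missing directory: $new or $live" >&2; return 2
    fi
    if [ -e "$backup" ]; then
        echo "refusing to overwrite existing backup: $backup" >&2; return 3
    fi
    # -R recurse, -P keep any symlinks as symlinks, -p keep mode/owner/times
    cp -RPp "$live" "$backup" || return 1
    for f in "$new"/*; do
        [ -f "$f" ] || continue
        target="$live/${f##*/}"
        if [ -f "$target" ]; then
            # Rewriting the existing file keeps its mode and owner, so the
            # permissions noted before the copy do not have to be re-applied.
            cat "$f" > "$target" || return 1
        else
            cp -p "$f" "$target" || return 1
        fi
    done
}

# verify_version OPENSSL_BIN EXPECTED   e.g. verify_version ./openssl 1.0.2zp
# Succeeds only if "openssl version" reports exactly EXPECTED.
verify_version() {
    out=$("$1" version 2>/dev/null) || return 1
    case $out in
        "OpenSSL $2"|"OpenSSL $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# rollback LIVE_DIR BACKUP_DIR: restore the files saved by replace_ssl_dir.
rollback() {
    cp -RPp "$2/." "$1/"
}

# Usage (paths are placeholders):
#   replace_ssl_dir <unzipped>/bin "<InstallDir>/CA/secure-proxy/SSL/bin" /var/tmp/ssl-bin.bak
#   verify_version "<InstallDir>/CA/secure-proxy/SSL/bin/openssl" 1.0.2zp
```

Run `verify_version` after re-sourcing `ca_sps_env.sh`, and call `rollback` with the same live and backup directories if it fails.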

 

Upgrade to OpenSSL 1.0.2zp on Windows

1) Copy "Openssl_1.0.2zp_windows.zip" to the Access Gateway Server

2) Unzip "Openssl_1.0.2zp_windows.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\Openssl_1.0.2zp_windows\Openssl102zp_win64\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

7) Back up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\httpd\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\httpd\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\httpd\bin\ssleay32.dll

8) Copy the contents of '\Openssl_1.0.2zp_windows\Openssl102zp_win64\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

openssl.exe
libeay32.dll
ssleay32.dll

9) Start the Access Gateway server

 

 

Additional Information

Verifying the OpenSSL version on Siteminder Access Gateway

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zp remediates the following CVEs:

CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
CVE-2026-68160
CVE-2025-69421
CVE-2025-22796
CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-2650
CVE-2023-0465
CVE-2023-0464
CVE-2023-0466
CVE-2022-4304
CVE-2023-0215
CVE-2023-0286

Attachments

Openssl_1.0.2zp_linux.zip
Openssl_1.0.2zp_windows.zip