A security scan may return a flag for the following files on the 12.9 Siteminder Access Gateway Server:
LINUX
/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so
WINDOWS
/<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\CAPKI\CAPKI6\Windows\amd64\64\lib\libcaopenssl_ssl.dll
/<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\CAPKI\CAPKI6\Windows\amd64\64\lib\libcaopenssl_crypto.dll
CAPKI (previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides the CA Development Community with the features required to implement Information Security services in its products. CAPKI is a wrapper on OpenSSL, which is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
NOTE: Siteminder Access Gateway Server r12.8.8.1 uses CAPKI 5.2.x built on OpenSSL 1.0.2. For CAPKI on Access Gateway r12.8.8.1 and older, use the following KB:
KB 441109 Vulnerability in CAPKI 5.2.17 and older on Siteminder Policy Server r12.8.8.1 and older
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway Server
VERSION: 12.9 (Only)
OPERATING SYSTEM: Windows and Linux
CAPKI (previously known as ETPKI) is a wrapper on OpenSSL. CAPKI 6.0.x is built with OpenSSL 3.0.x.
The Siteminder Access Gateway Server ships with the following versions of CAPKI:
Siteminder Access Gateway Server 12.9 is shipped with CAPKI 6.0.1.0
CAPKI 6.0.2 and older are compiled with versions of OpenSSL 3.0.x that have published vulnerabilities (CVEs).
Upgrade CAPKI to CAPKI 6.0.3 on the Siteminder Access Gateway using this KB.
CAPKI 6.0.3 has been compiled with OpenSSL 3.0.20.
This solution applies to the following Siteminder Access Gateway Server versions:
LINUX
1) Download "etpki-install_6_0_3_Openssl3_0_20_linux.zip" from this KB.
2) Copy "etpki-install_6_0_3_Openssl3_0_20_linux.zip" to the Siteminder Access Gateway Server on Linux and decompress it.
3) Stop the Access Gateway Server
4) Change to the following directory:
/<Install_Dir>/CA/secure-proxy/agentframework/
5) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_6_0_3_Openssl3_0_20_linux.zip" to /<Install_Dir>/CA/secure-proxy/agentframework/
7) Change to the following directory*:
/<Install_Dir>/CA/SharedComponents/
* This directory may not exist in your system
8) (If Exists) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
9) Modify the $CAPKIHOME variable in the environment variable script:
/<Install_Dir>/CA/secure-proxy/ca_sps_env.sh
CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME
10) Run the updated Access Gateway Environment variable script.
cd /<Install_Dir>/CA/secure-proxy/
. ./ca_sps_env.sh
11) Change to the following directory:
/<Install_Dir>/CA/secure-proxy/agentframework/etpki-install/redistrib/
12) Ensure the user has execute permissions on the installation media (setup)
13) Run the following command:
./setup install caller=sps12
NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory
14) Start the Access Gateway Server
15) Validate Access Gateway Server functionality
16) Delete the following files:
/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI.BAK
(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK
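A read-only check to run around steps 15 and 16 of the Linux procedure, added here as an example and not taken from the vendor's KB: it looks for the OpenSSL version text inside each libcaopenssl_crypto.so under a directory and compares it with 3.0.20. It assumes the CAPKI library embeds the standard "OpenSSL x.y.z" string; the script and function names are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): report the OpenSSL version text embedded in
# each CAPKI crypto library under a directory and compare it with the fixed build.
# Usage: sh check_capki.sh /<Install_Dir>/CA     (script name is hypothetical)

FIXED_VERSION="3.0.20"   # OpenSSL release CAPKI 6.0.3 is compiled with, per this KB

# Print the first x.y.z that follows "OpenSSL " inside FILE (empty if none).
# Assumption: the library carries the standard OpenSSL version text.
embedded_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Succeed when dotted version $1 >= $2, comparing each field numerically
# (a string compare would wrongly rank 3.0.9 above 3.0.20).
version_ge() {
    oldifs=$IFS; IFS=.
    set -- $1 $2              # six fields: a1 a2 a3 b1 b2 b3
    IFS=$oldifs
    for _field in 1 2 3; do
        if [ "$1" -gt "$4" ]; then return 0; fi
        if [ "$1" -lt "$4" ]; then return 1; fi
        shift
    done
    return 0
}

# Return 0 if every library found is at the fixed version or newer,
# 1 if any is older or unreadable, 2 if no library was found at all.
check_capki_tree() {
    report=$(find "$1" -type f -name 'libcaopenssl_crypto.so*' 2>/dev/null |
        while IFS= read -r lib; do
            v=$(embedded_openssl_version "$lib")
            if [ -z "$v" ]; then echo "UNKNOWN - $lib"
            elif version_ge "$v" "$FIXED_VERSION"; then echo "OK $v $lib"
            else echo "OUTDATED $v $lib"
            fi
        done)
    [ -n "$report" ] || { echo "no CAPKI crypto library under $1"; return 2; }
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q -E '^(OUTDATED|UNKNOWN) '; then return 1; fi
    return 0
}

if [ $# -gt 0 ]; then check_capki_tree "$1"; fi
```

Until step 16 removes the CAPKI.BAK directories, the backed-up library is still on disk and is reported as OUTDATED, so rerun the check after the cleanup.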
WINDOWS
1) Download "etpki-install_6_0_3_OpenSSL3_0_20_win64.zip" from this KB.
2) Copy "etpki-install_6_0_3_OpenSSL3_0_20_win64.zip" to the Access Gateway Server on Windows and decompress it.
3) Stop the Access Gateway Server
4) Change to the following directory:
<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\
5) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_6_0_3_OpenSSL3_0_20_win64.zip" to <Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\
7) Change to the following directory*:
<Drive>:\<Install_Dir>\CA\SC\
* This directory may not exist in your system
8) (If Exists) Back up the '<Drive>:\<Install_Dir>\CA\SC\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)
10) Change to the following directory:
<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\etpki-install\redistrib\
11) Run the following command:
setup.exe install caller=sps12
NOTE: This will create the following directories:
<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\CAPKI\CAPKI6\Windows\amd64\64\
12) Start the Access Gateway Server
13) Validate Access Gateway Server functionality
14) Delete the following files:
<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\CAPKI.BAK
(If Exists) <Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK
OpenSSL 3.0.20 within CAPKI 6.0.3 remediates the following CVEs:
CVE-2026-28387
CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
CVE-2026-31789
CVE-2026-31790
CVE-2025-15467
CVE-2025-68160
CVE-2025-69418
CVE-2025-69419
CVE-2025-69420
CVE-2025-69421
CVE-2026-22795
CVE-2026-22796
CVE-2025-9230
CVE-2025-9232