Critical CVE Vulnerability in the Network Security Services (NSS) library embedded in SiteMinder

CA Single Sign-On


19970

27 December 2021


Dear Broadcom Customer:


The purpose of this Critical Alert is to inform you of a potential problem that has been recently identified with SiteMinder. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.

To: Symantec SiteMinder Customers
From: The SiteMinder Product Team
Subject: Critical CVE Vulnerability in Mozilla’s Network Security Services (NSS) library embedded in SiteMinder

A critical CVE, CVE-2021-43527 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/), has been identified that affects NSS versions prior to 3.73 or 3.68.1 ESR. It is caused by a heap overflow when verifying DER-encoded digital signatures, including DSA and RSA-PSS signatures. The defect can be exploited to crash a vulnerable application and potentially execute arbitrary code.
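To help with triage, the following added script (not part of this alert or of the SiteMinder product) classifies an NSS version string against the fix thresholds stated above, treating the 3.68.x ESR branch as fixed from 3.68.1 and every other version below 3.73 as vulnerable. The version strings in the sample are constructed for illustration.

```python
"""Classify NSS version strings against the CVE-2021-43527 fix thresholds
named in the Mozilla advisory: NSS 3.73 (mainline) and NSS 3.68.1 (ESR)."""
import re
from typing import Dict, Iterable, Tuple

FIXED_MAINLINE = (3, 73)      # first fixed mainline release
FIXED_ESR = (3, 68, 1)        # first fixed release on the 3.68.x ESR branch


def parse_nss_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '3.68.1' or
    'NSS 3.72 Basic ECC'; a missing patch component is treated as 0."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no NSS version found in {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for CVE-2021-43527."""
    major, minor, patch = parse_nss_version(version)
    # ESR branch: 3.68.0 is affected, 3.68.1 and later 3.68.x are fixed.
    if (major, minor) == FIXED_ESR[:2]:
        return patch < FIXED_ESR[2]
    # Mainline: everything below 3.73, including 3.69 through 3.72, is affected.
    return (major, minor) < FIXED_MAINLINE


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'vulnerable' or 'fixed'."""
    return {v: ("vulnerable" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample of version strings an inventory scan might report.
    sample = ["3.44", "3.68.0", "3.68.1", "3.72", "3.73", "NSS 3.79 Basic ECC"]
    for version, status in triage(sample).items():
        print(f"{version:20s} {status}")
```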

The SiteMinder Policy Server embeds Mozilla’s NSS library for digital signature validation when communicating with LDAP servers when those servers are acting as a user store, key store, policy store, or session store.

This vulnerability does not impact SiteMinder when communicating with LDAP servers acting as external Administrator account stores. Also, this vulnerability does not impact SiteMinder when communicating with databases.

All versions of SiteMinder Policy Servers are impacted. Patches, with instructions for applying them, for versions of the SiteMinder Policy Server that are within their mainstream support period (12.8.0 or higher) and on current operating systems can be obtained by downloading solution #99111311 from this location:

CA Single Sign-On Hotfix/Cumulative Release Index - CA Technologies

or by contacting Broadcom customer support.

If you have any questions or require assistance, please contact Customer Support at +1-800-225-5224 in North America or see https://support.broadcom.com/contact-support.html for the local number in your country.

Your success is very important to us, and we look forward to continuing our successful partnership with you.

Sincerely,
SiteMinder Management team