CVE-2022-36966: SolarWinds Platform 2022.4 Release Notes
Users with Node Management rights were able to view and edit all nodes due to insufficient control of a URL parameter, causing an insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.
SolarWinds Platform RC documentation - The following content is a draft for a SolarWinds Platform Release Candidate. All content subject to change. Some links might not function yet.
RC date: October 19, 2022
These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2022.4. They also provide information about upgrades and describe workarounds for known issues.
Learn more
- For information on latest hotfixes, see SolarWinds Platform Hotfixes.
- For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
- For information about requirements, see SolarWinds Platform 2022.4 System Requirements.
- For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.
New features and improvements in SolarWinds Platform
SolarWinds Platform 2022.4 offers the following improvements compared to previous releases of SolarWinds Platform.
SolarWinds Platform 2022.4 provides SWIS verbs for managing common credentials, such as Orion.Credential.CreateCredentials and Orion.Credential.UpdateCredentials, for creating and editing credentials.
SolarWinds Platform 2022.4 supports the Kerberos protocol for WMI authentication.
New customer installation
For information about installing SolarWinds Platform, see SolarWinds Installer.
How to upgrade
Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.
You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2022.4. If you are on Orion Platform 2019.4 or earlier, first upgrade to 2020.2.6 and then upgrade to SolarWinds Platform 2022.4.
Before you upgrade from 2020.2.x
Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the db create privilege. Without this privilege, the upgrade will not complete.
Legacy syslog and traps functionality has been retired and replaced with new log analysis functionality. Currently configured legacy rules and history will automatically be migrated during the upgrade.
Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
- If you have a SQL Server older than 2016.
- If you have an Orion Platform product version 2019.4 or earlier.
Fixed issues
SolarWinds Platform 2022.3 fixes the following issues.
Case Number
Description
614891, 787724, 980418, 986820
The issue where last month data was not interpreted correctly in PerfStack was addressed.
614233, 762559, 804478, 837222, 899624, 920603, 933885, 942223, 1059644, 1169810, 1171661, 1179118
The issue where report schedules with SAML accounts could not be created was addressed.
683517, 875616
The issue where Centralized Upgrade did not work with a proxy was resolved.
1067814, 1151313
The issue where the child status participation in node status was incorrect in fast polls was addressed.
936171, 946582, 1067460, 1131341
The issues with bulk assigning values on filtered rows were addressed.
802569
The issue where JobEngine Workers started slowly on computers without Internet access was addressed.
1144845, 1161775
The issue where configuration failed when installation location changed was addressed.
233154, 319006, 328477, 458287, 688246
The issues with CredentialManagerService slow methods were addressed.
778743
The issue where a Nexus switch was incorrectly recognized as Cisco was addressed.
973342, 977343
The issue where machine types for Cisco devices were only recognized as Cisco was addressed.
1102730
The issue where child status was not updated properly was addressed.
949509
The issue where collector log was flooded when processing Agent Node uptime was addressed.
761222
The unhandled exception in the Poller Checker tool was addressed.
1187140
The issue where the HA service stopped after the upgrade was addressed.
1187140
The issue where Observability templates were not delivered to the system was addressed.
636868
The issue where database maintenance failed to execute a procedure was addressed.
1144505
The issue where database maintenance job completed with errors caused by calling a legacy procedure was addressed.
928393
The issues with OIDs for Antaira Technologies, LLC and corresponding icons were addressed.
554483, 692820
The issue where main poller was used on bulk actions from Node Management for sending any requests to nodes was addressed.
893718
The issue where capacity forecast for CPU/memory was not calculated was addressed.
1184046
The issue where scalability engines installation failed because of a free tool installed in the SolarWinds folder was addressed.
CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
CVE-ID
Vulnerability Title
Description
Severity
Credit
CVE-2022-36966
Insecure Direct Object Reference Vulnerability
Users with Node Management rights were able to view and edit all nodes due to insufficient control of a URL parameter, causing an insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3.
5.9 Medium
Asim Liaquat
CVE-2022-36957
SolarWinds Platform Deserialization of Untrusted Data
This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.
7.2 High
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
CVE-2022-36958
SolarWinds Platform Deserialization of Untrusted Data
This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.
8.8 High
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
CVE-2022-38108
SolarWinds Platform Deserialization of Untrusted Data
This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.
7.2 High
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
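The IDOR entry above (CVE-2022-36966) describes the classic failure: the right to manage nodes was checked, but the node id supplied in the URL was never checked against the nodes the caller is actually allowed to manage. The following is an added example, not SolarWinds code, written to show the defensive pattern side by side with the flaw. It uses a constructed in-memory node store and constructed users; the names Node, User, handle_edit_node_vulnerable and handle_edit_node_hardened, and the URL and NodeID parameter name, are hypothetical and stand in for whatever the real product uses.

```python
"""
Added example (not SolarWinds code): object-level authorization that prevents
an insecure direct object reference (IDOR) on a node id taken from the URL.

The vulnerable handler trusts the id as long as the caller holds the Node
Management right. The hardened handler additionally requires the id to be
inside the caller's permitted node set, and returns the same 404 for an
out-of-scope id as for a nonexistent one, so responses do not reveal which
ids exist. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class Node:  # hypothetical node record
    node_id: int
    caption: str
    ip_address: str


@dataclass
class User:  # hypothetical account with a Node Management right and a node scope
    name: str
    has_node_management: bool
    allowed_nodes: Set[int] = field(default_factory=set)  # empty set = no nodes


# Constructed sample inventory and accounts.
NODES: Dict[int, Node] = {
    1: Node(1, "core-sw-01", "10.0.0.1"),
    2: Node(2, "core-sw-02", "10.0.0.2"),
    42: Node(42, "finance-db-01", "10.9.9.42"),
}

USERS: Dict[str, User] = {
    "alice": User("alice", True, {1, 2}),      # limited to two switches
    "bob": User("bob", False, set()),          # lacks the Node Management right
    "admin": User("admin", True, set(NODES)),  # may manage every node
}


def node_id_from_url(url: str) -> Optional[int]:
    """Extract ?NodeID=<int> from a request URL; None if absent or malformed."""
    raw = parse_qs(urlparse(url).query).get("NodeID", [None])[0]
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def handle_edit_node_vulnerable(user: User, url: str) -> Tuple[int, Optional[Node]]:
    """IDOR: the right is checked, the object is not.

    Anyone holding Node Management reaches any node by editing the id in the URL.
    """
    if not user.has_node_management:
        return 403, None
    node = NODES.get(node_id_from_url(url))
    if node is None:
        return 404, None
    return 200, node


def handle_edit_node_hardened(user: User, url: str) -> Tuple[int, Optional[Node]]:
    """Object-level authorization: the id must lie within the caller's scope.

    Out-of-scope and nonexistent ids are indistinguishable to the caller (404),
    which also blunts id enumeration.
    """
    if not user.has_node_management:
        return 403, None
    node_id = node_id_from_url(url)
    if node_id is None or node_id not in user.allowed_nodes:
        return 404, None
    node = NODES.get(node_id)
    if node is None:
        return 404, None
    return 200, node


if __name__ == "__main__":
    # alice may manage nodes 1 and 2 but requests node 42 (constructed URL).
    url = "https://platform.example.invalid/edit-node?NodeID=42"
    for handler in (handle_edit_node_vulnerable, handle_edit_node_hardened):
        status, node = handler(USERS["alice"], url)
        print(f"{handler.__name__}: alice -> {status} {node}")
```

The fix is the membership test against the caller's own scope, performed on every object reference, not the presence or absence of a role. Checking the role alone is exactly what lets a legitimately privileged but scope-limited account walk the id space.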
End of life
For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.
Version
EOL Announcements
EOE Effective Dates
EOL Effective Dates
2020.2.6
April 18, 2023: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.
May 18, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.6 will no longer be actively supported by SolarWinds.
May 18, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.6.
2020.2.5
January 18, 2023: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.
February 17, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.5 will no longer be actively supported by SolarWinds.
February 17, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.5.
2020.2.4
October 19, 2022: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.
November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.4 will no longer be actively supported by SolarWinds.
November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.4.
2020.2.1
October 19, 2022: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.
November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.1 will no longer be actively supported by SolarWinds.
November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.1.
2020.2
October 19, 2022: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.
November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2 will no longer be actively supported by SolarWinds.
November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.
See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.
End of support
This version of SolarWinds Platform no longer supports the following platforms and features.
Type
Details
Microsoft Windows Server 2012 R2
Windows Server 2012 R2 is not supported in SolarWinds Platform 2022.4.
SolarWinds recommends that you upgrade the operating system of your SolarWinds Platform server to Windows Server 2016 or later. See SolarWinds Platform 2022.4 System Requirements.
Legal notices
© 2022 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.