Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36966: SolarWinds Platform 2022.4 Release Notes

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

CVE
#sql#vulnerability#web#mac#windows#microsoft#cisco#perl#auth#zero_day

SolarWinds Platform RC documentation - The following content is a draft for a SolarWinds Platform Release Candidate. All content subject to change. Some links might not function yet.

RC date: October 19, 2022

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2022.4. They also provide information about upgrades and describe workarounds for known issues.

Learn more

  • For information on latest hotfixes, see SolarWinds Platform Hotfixes.
  • For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
  • For information about requirements, see SolarWinds Platform 2022.4 System Requirements.
  • For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

New features and improvements in SolarWinds Platform

Return to top

SolarWinds Platform 2022.4 offers the following improvements compared to previous releases of SolarWinds Platform.

  • SolarWinds Platform 2022.4 provides SWIS Verbs for managing common credentials, such as Orion.Credential.CreateCredentials & Orion.Credential.UpdateCredentials for creating/editing the credentials.

  • SolarWinds Platform 2022.4 supports the Kerberos protocol for WMI authentication.

New customer installation

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

How to upgrade

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2022.4. If you are on Orion Platform 2019.4 or earlier, first upgrade to 2020.2.6 and then upgrade to SolarWinds Platform 2022.4.

Before you upgrade from 2020.2.x

  • Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the db create privilege. Without this privilege, the upgrade will not complete.

  • Legacy syslog and traps functionality has been retired and replaced with new log analysis functionality. Currently configured legacy rules and history will automatically be migrated during the upgrade.

  • Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.

    • If you have a SQL Server older than 2016.
    • If you have an Orion Platform product version 2019.4 or earlier.

Fixed issues

Return to top

SolarWinds Platform 2022.3 fixes the following issues.

Case Number

Description

614891, 787724, 980418, 986820

The issue where last month data was not interpreted correctly in PerfStack was addressed.

614233, 762559, 804478, 837222, 899624, 920603, 933885, 942223, 1059644, 1169810, 1171661, 1179118

The issue where report schedules with SAML accounts could not be created was addressed.

683517, 875616

The issue where Centralized Upgrade did not work with a proxy was resolved.

1067814, 1151313

The issue where the child status participation in node status was incorrect in fast polls was addressed.

936171, 946582, 1067460, 1131341

The issues with bulk assigning values on filtered rows were addressed.

802569

The issue where JobEngine Workers started slowly on computers without Internet access was addressed.

1144845, 1161775

The issue where configuration failed when installation location changed was addressed.

233154, 319006, 328477, 458287, 688246

The issues with CredentialManagerService slow methods were addressed.

778743

The issue where a Nexus switch was incorrectly recognized as Cisco was addressed.

973342, 977343

The issue where machine types for Cisco devices were only recognized as Cisco was addressed.

1102730

The issue where child status was not updated properly was addressed.

949509

The issue where collector log was flooded when processing Agent Node uptime was addressed.

761222

The unhandled exception in the Poller Checker tool was addressed.

1187140

The issue where the HA service stopped after the upgrade was addressed.

1187140

The issue where Observability templates were not delivered to the system was addressed.

636868

The issue where database maintenance failed to execute a procedure were addressed.

1144505

The issue where database maintenance job completed with errors caused by calling a legacy procedure was addressed.

928393

The issues with OIDs for Antaira Technologies, LLC and corresponding icons were addressed.

554483, 692820

The issue where main poller was used on bulk actions from Node Management for sending any requests to nodes was addressed.

893718

The issue where capacity forecast for CPU/memory was not calculated was addressed.

1184046

The issue where scalability engines installation failed because of a free tool installed in the SolarWinds folder was addressed.

CVEs

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-36966

Insecure Direct Object Reference Vulnerability

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3.

5.9 Medium

Asim Liaquat

CVE-2022-36957

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-36958

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-38108

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

End of life

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

April 18, 2023: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

May 18, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.6 will no longer be actively supported by SolarWinds.

May 18, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.6

2020.2.5

January 18, 2023: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

February 17, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.5 will no longer be actively supported by SolarWinds.

February 17, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.5.

2020.2.4

October 19, 2022: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.4 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.4.

2020.2.1

October 19, 2022: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.1 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.1.

2020.2

October 19, 2022: End-of-Life (EoL) announcement – Customers on NSolarWinds Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

End of support

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

Type

Details

Microsoft Windows Server 2012 R2

Windows Server 2012 R2 is not supported in SolarWinds Platform 2022.4.

SolarWinds recommends that you upgrade the operating system of your SolarWinds Platform server to Windows Server 2016 or later. See SolarWinds Platform 2022.4 System Requirements.

Legal notices

Return to top

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Related news

SolarWinds Information Service (SWIS) Remote Command Execution

The SolarWinds Information Service (SWIS) is vulnerable to remote code execution by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36958: SolarWinds Trust Center Security Advisories | CVE-2022-36958

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907