
CVE-2022-38114: SEM 2022.4 Release Notes

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.


Release Date: November 22, 2022

This document summarizes new features, improvements, and fixed issues in Security Event Manager (SEM) 2022.4, additional features, and upgrade notes and workarounds for known issues.

New in SEM 2022.4

Added features and improvements

  • Import and Export of Rules

    Administrators can export rules from SEM to a JSON file, and all users can import rules on the Configure > Rules page.

  • Export nodes

    All or selected node information can be exported as a CSV file on the Configure > Nodes page.

  • Improved Saved and Schedule Query options

    The Save and Schedule options are now consolidated under one menu.

  • Query Tags and Thresholds

    SEM 2022.4 introduces query tags and thresholds. These are used to group queries and determine the severity level and colors for two new dashboard widgets: Scheduled query severity, and Scheduled query table severity.

    To set the tags and thresholds for a query:

    1. Select the required query in the left column of Historical Events.
    2. Click Option and select Edit saved query.
    3. Click Add tag. Queries can be assigned one or more tags.
    4. Select the Thresholds tab. At least one tag must be added before you can set thresholds.
    5. Set the number of results per evaluation you want to indicate warning and critical severity.

    For more information about tags, thresholds, and the scheduled event severity dashboard widgets, see the Historical Events section of the SEM 2022.4 Administrator Guide.

  • HTTPS is permanently enabled

    The togglehttp command has been removed from the CMC manager options. If HTTP has been enabled prior to upgrading to 2022.4 it will be disabled.

  • Improved Remote Agent Installer credentials dialog

For system requirements, see SEM 2022.4 System Requirements.

If you are looking for previous release notes for SEM, see Previous Version documentation.

New customer installation

For information about installing SEM, see the SEM Installation Guide and the SEM Getting Started Guide.

SolarWinds advises that, as a best practice, the SEM appliance should not be set up to be available to the Internet or any public-facing network. In addition, using this practice will help prevent access by unauthorized users. For further information on SEM security, see the SEM security checklists.

Before you upgrade

Migrate LDAP connectors (introduced in SEM 2020.4)

It is recommended that users remove any ambiguity in their Directory Service Tool connector configurations to allow migration to run as smoothly as possible. This can be done by ensuring only one Directory Service Tool connector configuration is set up per domain.

All Directory Service Tool connectors are removed in the process of the migration.

Upgrade agents

For AIX, HPUX and Solaris, agent installers now only contain custom Java; this means customers need to install Java themselves as a prerequisite.

  1. Upgrade the Java installation to the latest version. See System Requirements for supported versions.

    For AIX agents, see Known Issues - AIX agent not connected after SEM upgrade.

  2. Upgrade SEM agents using the latest custom Java installer.

Upgrade Manager appliance

For Windows systems, upgrade the Manager appliance with OpenJDK 17.0.3 or later.

How to upgrade

If you are upgrading from a previous version, use the following resources to plan and implement your upgrade.

SEM must be upgraded to 2020.2 or 2020.2.1 before upgrading to 2022.4. To upgrade from earlier versions, see the SEM Upgrade Path to help you plan and execute your upgrade.

Download the upgrade package from the SolarWinds Customer Portal.

CMC

Since SEM 2020.4, a password is required to access the CMC command-line interface. The default CMC password is password. See Change the SEM CMC password for instructions on changing this.

File system consistency check (fsck)

During your upgrade, the system may run a fsck check during reboot. This can last 30 or more minutes depending on the quantity of data in the data partition. With the Debian version upgrade, the file system is configured to initiate the check when certain conditions are met:

  • 21 mounts since the last check (during the 22nd reboot)

Or:

  • Six months since the last check

Supported connectors

The list of currently supported connectors can be found here.

Fixed issues

SEM 2022.4 fixes the following issues:

| Case Number | Description |
|---|---|
| 01119251 | Remote agent installation does not display credentials. |
| 01087657, 01077235, 01098824 | OpenJDK issue resolved. |
| 01066283, 0106346 | Windows agent issue after update resolved. |
| 00686391, 00976672, 0721268 | Issue fixed where agent was not sending logs. |
| 00997061, 00815612, 00929072, 00667624, 00823710, 01083879 | Issue where alert fired multiple times in specified timeframe instead of once resolved. |

SolarWinds CVEs

| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2022-38113 | Information Disclosure Vulnerability | This vulnerability discloses build and services versions in the server response header. | Low | |
| CVE-2022-38114 | Client Side Desync Vulnerability | This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS. | Low | Ken Pyle CYBIR |
| CVE-2022-38115 | Insecure Methods Vulnerability | Insecure method vulnerability in which allowed HTTP methods are disclosed, e.g., OPTIONS, DELETE, TRACE, and PUT. | Low | |

SolarWinds would like to thank our Security Researchers for reporting on these issues in a responsible manner and working with our security, product, and engineering teams to fix the vulnerabilities.
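
A post-upgrade check for the two header-level issues in the table above (CVE-2022-38113 and CVE-2022-38115), as an added example that is not SolarWinds code. The sample responses are constructed, and the choice of headers inspected (`Server`, `X-Powered-By`, `Allow`, `Access-Control-Allow-Methods`) and the `audit` helper are assumptions made for illustration.

```python
import re

# Constructed sample responses (not captured from a real SEM appliance).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/9.4.1 (build 1234)\r\n"
    "Allow: GET, POST, OPTIONS, DELETE, TRACE, PUT\r\n"
    "Content-Length: 0\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer\r\n"
    "Allow: GET, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Assumption: headers that commonly carry build/version strings.
VERSION_HEADERS = {"server", "x-powered-by"}
# Assumption: headers that commonly enumerate allowed methods.
METHOD_HEADERS = {"allow", "access-control-allow-methods"}
# Methods named in the CVE-2022-38115 description.
LISTED_METHODS = {"OPTIONS", "DELETE", "TRACE", "PUT"}
# Dotted version numbers ("9.4.1") or explicit build identifiers ("build 1234").
VERSION_RE = re.compile(r"\d+(\.\d+)+|build\s*\d+", re.IGNORECASE)

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """Flag version strings and disclosed methods in response headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name in VERSION_HEADERS and VERSION_RE.search(value):
            findings.append(("version-disclosure", name, value))
        if name in METHOD_HEADERS:
            methods = {m.strip().upper() for m in value.split(",")}
            exposed = sorted(methods & LISTED_METHODS)
            if exposed:
                findings.append(("methods-disclosed", name, ", ".join(exposed)))
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```
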

Third Party CVEs

| CVE-ID | Vulnerability Title | Description | Severity |
|---|---|---|---|
| CVE-2009-2409 | SHA-1 Collision Vulnerability | The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. The scope of this issue is currently limited because the amount of computation required is still large. | Medium |

Known issues

In SEM Reports, problems occur setting schedule times in Spanish format

Issue: When the Spanish format has been selected in SEM Reports, user is unable to specify whether schedule times are AM or PM.

Resolution/Workaround: Set Format to English (World) when specifying schedule times.

USB Defender service stops working after local policy USB detached

Issue: When USB Defender is set up with Local policy, a USB device that is not on the Local policy whitelist is inserted and successfully disconnected by USB Defender. However, when it is reinserted and successfully ejected once or more than ten times, the service fails.

Resolution/Workaround: None.

[Rules builder] [Email templates] - Not possible to select Event Data in Email action for rule with single condition and occurrence settings

Issue: After selecting Send Email Message in a single condition event rule, and selecting an email template, you cannot select Event Data as value for the parameter.

Resolution/Workaround: The rule must be triggered by one event only.

Unable to install macOS agent on Big Sur

Issue: Unable to install the macOS agent on Big Sur.

Resolution/Workaround: Execute/start the customJava installer, kill it, and then execute the agent installer with bundled Java.

“Set time when a rule won’t trigger actions after rule was true” not working

Issue: “Set time when a rule won’t trigger actions after rule was true” functionality in rules does not work.

Resolution/Workaround: None.

| Version | EOL Announcements | EOE Effective dates | EOL Effective dates |
|---|---|---|---|
| 6.7 | May 18, 2021: End-of-Life (EoL) announcement – Customers on SEM versions 6.7, 6.7.1, and 6.7.2 should begin transitioning to the latest version of SEM. | August 18, 2021: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 6.7, 6.7.1, and 6.7.2 will no longer be actively supported by SolarWinds. | August 18, 2022: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM versions 6.7, 6.7.1, and 6.7.2. |
| 2019.4 | April 19, 2022: End-of-Life (EoL) announcement – Customers on SEM versions 2019.4 and 2019.4.1 should begin transitioning to the latest version of SEM. | October 19, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2019.4 and 2019.4.1 will no longer be actively supported by SolarWinds. | October 19, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM versions 2019.4 and 2019.4.1. |
| 2020.2 | April 19, 2021: End-of-Life (EoL) announcement – Customers on SEM versions 2020.2, 2020.2.1 and 2020.2.2 should begin transitioning to the latest version of SEM. | October 19, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2020.2, 2020.2.1 and 2020.2.2 will no longer be actively supported by SolarWinds. | October 19, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM versions 2020.2, 2020.2.1 and 2020.2.2. |
| 2020.4 | April 19, 2021: End-of-Life (EoL) announcement – Customers on SEM versions 2020.4 and 2020.4.1 should begin transitioning to the latest version of SEM. | October 19, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2020.4 and 2020.4.1 will no longer be actively supported by SolarWinds. | October 19, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM versions 2020.4 and 2020.4.1. |

Legal notices

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
