CVE-2023-23837: DPA 2023.2 Release Notes
Release date: April 18, 2023
These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.2. They also provide information about upgrades and describe workarounds for known issues.
Learn more
- For information on the latest hotfixes, see DPA hotfixes.
- For information about requirements, see DPA system requirements.
- For information about working with DPA, see the DPA Administrator Guide.
New features and improvements in DPA
DPA 2023.2 includes the following changes.
Additions to system requirements and monitored instances
Category / Vendor and version:
- Repository database: Amazon RDS for MySQL 8.0
- Monitored database instances: EDB Postgres 14
For more information, see the DPA 2023.2 system requirements and Database instances DPA can monitor.
Security enhancements
DPA 2023.2 includes the following security enhancements:
HTTPS connections are now required.
To improve security, DPA 2023.2 accepts only HTTPS connections. Any attempts to connect using the HTTP connector port are automatically redirected to the HTTPS connector port.
If you are upgrading from a previous version, please complete the tasks under Before you upgrade to ensure that all users can access DPA and that DPA Central can connect to all DPA servers.
Tomcat and MS JDBC Driver are upgraded.
DPA now includes Tomcat 8.5.85 and MS JDBC Driver 12.2.0.
Support for SAML authentication with Azure AD as the identity provider
To configure DPA to use SAML authentication with Azure AD as the identity provider, see this topic.
Fixed issues
DPA 2023.2 fixes the following issues.
Case numbers and descriptions:
- Cases 01206958, 01245439, 01265950: When DPA is monitoring a database instance on a VM with a large number of disks, the vSphere cleaner job runs as expected and cleans VM disk metrics for each granularity (seconds, 10 minutes, hours, days). This job removes old data from the DPA repository database, which prevents the repository from growing at a high rate and consuming excessive space and memory on the repository server.
- Case 01190371: Monitoring a Sybase database instance no longer fails with the error Monitor attempting to start - see log.
- Case 00960237: Monitoring an Oracle database instance no longer fails with the error Monitor for database [DB_name] failed in job [TextPollJob] due to [Underlying datasource has not been set.].
- Case 01200056: Configuring an Azure SQL DB repository database no longer fails because of missing properties. DPA automatically adds the required JDBC URL properties in the Advanced Connection Properties dialog box.
- Cases 01105926, 01183265, 01225013, 01234101, 01241730: Health, connection status, and other data about monitored SQL Server Availability Groups (AGs) are updated as expected in the Availability Group Summary view.
- Case 01256667: When you are registering a database instance for monitoring and the com.confio.ignite.jdbc.sqlserver.useJtdsDriver property value is set to true in the system.properties file, DPA honors this setting and uses the jTDS JDBC driver.
- Case 01235456: DPA sorts index advisors based on the estimated time savings, listing advisors with the largest estimated savings first.
- Cases 01179091, 01235460: DPA index advisors no longer display estimated savings percentages that are greater than 100%. When DPA detects that information from the database vendor is inconsistent, DPA displays 'Unknown'. For more information, see this KB article.
- Cases 01183457, 01191341, 01194479, 01217066, 01311041: DPA index analysis no longer fails with errors such as Unable to run index analysis or Out of range value for column 'CARDINALITY' in the logs, and it no longer shows no recommendation when the table advisor recommends indexes.
- Cases 01174998, 01179091: This release fixes an issue that caused DPA index advisors to recommend creating indexes that already existed or to create indexes that included table columns that did not exist.
- Case 01181748: DPA index analysis recommendations are no longer displayed one day and then missing the next even though the recommended indexes were not created.
- Cases 01142556, 01166969, 01172735, 01273937: When deadlock alerts occur, DPA lists the deadlocks on the Deadlocks tab.
SolarWinds CVEs
- CVE-2023-23837 (Severity: Medium). No Exception Handling Vulnerability: no exception handling vulnerability which revealed sensitive or excessive information to users.
- CVE-2023-23838 (Severity: Medium). Directory traversal and file enumeration vulnerability: directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.
Third-party CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
- CVE-2020-26870 (Severity: High). URL redirection vulnerability: due to vulnerable Swagger UI version 3.27.0, URL redirection was possible, which can help attackers modify a URL and redirect a user to any other malicious site.
New customer installation
For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.
Before you upgrade!
DPA 2023.2 includes fixes that might require changes to your DPA deployment. Before you upgrade, determine if you need to make the following changes:
- If any users access DPA using HTTP (instead of HTTPS), redirect connection attempts that use the HTTP connector port.
- If DPA Central is configured to access any DPA servers using HTTP, update the connection definitions.
- If you monitor Db2 instances, update the permissions of the DPA monitoring user for each Db2 instance.
You can make these changes either before or after an upgrade. However, to ensure DPA availability and to avoid any gaps in monitoring Db2 instances, SolarWinds recommends making them before you upgrade to 2023.2.
Redirect connection attempts that use the HTTP connector port
To ensure that DPA is available to users who previously connected over HTTP, update the server.xml file to redirect traffic to the HTTP connector port (8123 by default) to the HTTPS/SSL connector port (8124 by default).
If the redirect is not added and users attempt to connect over HTTP after the upgrade, they will receive a message that the site can’t be reached.
1. Open the following file in a text editor:
   DPA-install-dir\iwc\tomcat\conf\server.xml
2. Locate the Connector element below the comment <!-- HTTPS/SSL connector -->, and note its port value. (By default, this is 8124.)
3. Locate the Connector element below the comment <!-- HTTP connector -->. Within that Connector element, add the following attribute, where httpsPortNumber is the port value noted in the previous step:
   redirectPort="httpsPortNumber"
   For example:
   redirectPort="8124"
If you make these changes after the upgrade, restart DPA for the changes to take effect.
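The following script is an added example, not part of the SolarWinds release notes, that checks a Tomcat server.xml for the redirect described above: every non-SSL Connector must carry a redirectPort that points at the port of the SSLEnabled connector, otherwise HTTP clients get a "site can't be reached" failure after the upgrade. The embedded server.xml is constructed from the defaults named in this page (HTTP 8123, HTTPS 8124); its other attributes are assumptions and not a copy of the file DPA ships.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the layout the release notes describe.
# The attribute set beyond port/redirectPort/SSLEnabled is an assumption.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTP connector -->
    <Connector port="8123" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8124" />
    <!-- HTTPS/SSL connector -->
    <Connector port="8124" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Same file with the redirect missing: the state an un-upgraded deployment is in.
MISSING_REDIRECT_XML = SAMPLE_SERVER_XML.replace('redirectPort="8124"', "")


def is_https(attrs):
    """A connector is the HTTPS/SSL connector if Tomcat's SSLEnabled flag is
    set or it is declared with scheme="https"."""
    return (attrs.get("SSLEnabled", "").lower() == "true"
            or attrs.get("scheme", "").lower() == "https")


def check_redirect(xml_text):
    """Return (ok, findings). ok is True only when every plain-HTTP connector
    redirects to a port served by an HTTPS/SSL connector."""
    root = ET.fromstring(xml_text)
    conns = [c.attrib for c in root.iter("Connector")]
    https_ports = {c.get("port") for c in conns if is_https(c)}
    findings = []
    if not https_ports:
        findings.append("no HTTPS/SSL connector found")
    for c in conns:
        if is_https(c):
            continue
        port = c.get("port", "?")
        redirect = c.get("redirectPort")
        if redirect is None:
            findings.append(f"HTTP connector on port {port} has no redirectPort")
        elif redirect not in https_ports:
            findings.append(
                f"HTTP connector on port {port} redirects to {redirect}, "
                f"which is not an HTTPS/SSL connector port")
    return (not findings, findings)


def add_redirect(xml_text):
    """Return server.xml with redirectPort set on every plain-HTTP connector,
    pointing at the single HTTPS/SSL connector. Note that the stdlib parser
    drops XML comments, so the returned text lacks Tomcat's comment lines;
    use it as a guide or apply the edit by hand as the notes describe."""
    root = ET.fromstring(xml_text)
    conns = list(root.iter("Connector"))
    https_ports = [c.get("port") for c in conns if is_https(c.attrib)]
    if len(https_ports) != 1:
        raise ValueError(f"expected exactly one HTTPS/SSL connector, found {len(https_ports)}")
    for c in conns:
        if not is_https(c.attrib):
            c.set("redirectPort", https_ports[0])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, text in (("with redirect", SAMPLE_SERVER_XML),
                        ("without redirect", MISSING_REDIRECT_XML)):
        ok, findings = check_redirect(text)
        print(label, "OK" if ok else "FAIL", findings)
    print(check_redirect(add_redirect(MISSING_REDIRECT_XML)))
```

Run it against the real file with `check_redirect(open(path).read())` before restarting DPA; a non-empty findings list means HTTP users would be cut off after the upgrade.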
Update DPA Central connections to DPA servers
If you use DPA Central, ensure that it is configured to connect to all DPA servers over HTTPS.
Determine if DPA Central is configured to connect to any DPA servers over HTTP:
1. From the DPA menu in the upper-right corner, click Central.
2. Click Manage Central.
3. Verify that every server has a lock in the SSL column. If a server's SSL column does not display a lock, DPA Central is configured to connect to that server over HTTP.
If one or more servers are configured to use HTTP, update each server's connection properties:
1. In the Registered Servers list, click the server's display name to open the Edit Server dialog.
2. Change the Port value to the port used for HTTPS connections (8124 by default).
3. Select SSL.
4. Click Save.
Update the permissions of the DPA monitoring user for each Db2 instance
DPA 2023.2 replaces six of the deprecated SNAP* functions that previous DPA versions used to monitor Db2 database instances. Because of this change, the DPA monitoring user requires additional privileges to monitor a Db2 instance. In addition to SYSADM permissions, the user requires EXECUTE privileges on the SYSPROC.MON_* functions listed below. To monitor Db2 instances with DPA 2023.2 and later versions, modify the monitoring user's permissions on each Db2 instance.
The required permissions can be granted in Db2 10.1 and later. DPA does not support monitoring earlier versions of Db2.
Run the following commands to grant the DPA monitoring user EXECUTE privileges on the required functions (replace <USER_NAME> with the monitoring user's name in every statement):
grant execute on function SYSPROC.MON_GET_DATABASE to <USER_NAME>;
grant execute on function SYSPROC.MON_SAMPLE_WORKLOAD_METRICS to <USER_NAME>;
grant execute on function SYSPROC.MON_GET_ACTIVITY to <USER_NAME>;
grant execute on function SYSPROC.MON_GET_BUFFERPOOL to <USER_NAME>;
grant execute on function SYSPROC.MON_GET_TABLESPACE to <USER_NAME>;
grant execute on function SYSPROC.MON_GET_TRANSACTION_LOG to <USER_NAME>;
To verify that the permissions were applied correctly, run the following query (the result should list an EXECUTE privilege for each of the six functions):
select substr(authid,1,20) as authid,
       authidtype,
       privilege,
       grantable,
       substr(objectschema,1,12) as objectschema,
       substr(objectname,1,30) as objectname,
       objecttype
from sysibmadm.privileges
where objectschema = 'SYSPROC' and authid = '<USER_NAME>';
How to upgrade
If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:
- Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
- When you are ready, download the upgrade package from the SolarWinds Customer Portal.
Known issues
Intermittent connection issues when monitoring IBM Db2 instances
Issue
When DPA monitors IBM Db2 instances, DPA is sometimes unable to connect to the instances. This occurs because DPA uses SNAP* functions to collect information from Db2 instances, and these functions have been deprecated by IBM.
In the 2023.2 release, most of the deprecated functions have been replaced. Upgrade to 2023.2 and refer to the KB article for the permissions required to monitor Db2 in DPA.
NOTE: The migration is not complete in the 2023.2 release. The remaining functions will be replaced in an upcoming release.
Resolution or Workaround
None.
DPA 2023.2 replaces six of the deprecated SNAP* functions used in earlier DPA versions. The remaining SNAP* functions will be replaced in an upcoming release.
Because of this change, when you upgrade to DPA 2023.2, you must update the permissions of the DPA monitoring user for each Db2 instance.
REST API does not work when you access DPA with SAML login credentials
Issue
If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:
You are not authorized to perform this action. Contact your DPA administrator.
Resolution or Workaround
Access DPA with a local login when you generate the refresh token.
Importing an alert definition without the associated database assignment rule
Issue
In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.
The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.
Resolution or Workaround
When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.
If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)
End of life
DPA 2022.2
- EoL announcement, April 18, 2023: End-of-Life (EoL) announcement - Customers on DPA version 2022.2 or earlier should begin transitioning to the latest version of DPA.
- EoE effective date, August 18, 2023: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.2 or earlier will no longer actively be supported by SolarWinds.
- EoL effective date, April 18, 2024: End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.2 or earlier.
DPA 2022.1
- EoL announcement, January 18, 2023: End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.
- EoE effective date, April 18, 2023: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.1 or earlier will no longer actively be supported by SolarWinds.
- EoL effective date, April 18, 2024: End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.
DPA 2021.3
- EoL announcement, October 18, 2022: End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.
- EoE effective date, January 18, 2023: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.
- EoL effective date, January 18, 2024: End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.
DPA 2021.1
- EoL announcement, October 18, 2022: End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.
- EoE effective date, January 18, 2023: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.
- EoL effective date, January 18, 2024: End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.
DPA 2020.2
- EoL announcement, October 18, 2022: End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.
- EoE effective date, January 18, 2023: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.
- EoL effective date, January 18, 2024: End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.
See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.
Deprecation notices
This version of Database Performance Analyzer deprecates the following platforms and features.
Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.
- DPA server OS: Installing DPA on a server with a Windows Server 2012 R2 operating system is still supported in 2023.2, but support will be removed in an upcoming release.
Legal notices
© 2023 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.