CVE-2023-23837: DPA 2023.2 Release Notes

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.2. They also provide information about upgrades and describe workarounds for known issues.

Learn more

  • For information on the latest hotfixes, see DPA hotfixes.
  • For information about requirements, see DPA system requirements.
  • For information about working with DPA, see the DPA Administrator Guide.

New features and improvements in DPA

DPA 2023.2 includes the following changes.

Additions to systems requirements and monitored instances

Category                        Vendor and version
Repository database             Amazon RDS for MySQL 8.0
Monitored database instances    EDB Postgres 14

For more information, see the DPA 2023.2 system requirements and Database instances DPA can monitor.

Security enhancements

DPA 2023.2 includes the following security enhancements:

  • HTTPS connections are now required.

    To improve security, DPA 2023.2 accepts only HTTPS connections. Any attempts to connect using the HTTP connector port are automatically redirected to the HTTPS connector port.

    If you are upgrading from a previous version, please complete the tasks under Before you upgrade to ensure that all users can access DPA and that DPA Central can connect to all DPA servers.

  • Tomcat and MS JDBC Driver are upgraded.

    DPA now includes Tomcat 8.5.85 and MS JDBC Driver 12.2.0.

Support for SAML authentication with Azure AD as the identity provider

To configure DPA to use SAML authentication with Azure AD as the identity provider, see this topic.

Fixed issues

DPA 2023.2 fixes the following issues.

Case number(s) and description:

  • 01206958, 01245439, 01265950: When DPA is monitoring a database instance on a VM with a large number of disks, the vSphere cleaner job runs as expected and cleans VM disk metrics for each granularity (seconds, 10 minutes, hours, days). This job removes old data from the DPA repository database, which prevents the repository from growing at a high rate and consuming excessive space and memory on the repository server.

  • 01190371: Monitoring a Sybase database instance no longer fails with the error "Monitor attempting to start - see log".

  • 00960237: Monitoring an Oracle database instance no longer fails with the error "Monitor for database [DB_name] failed in job [TextPollJob] due to [Underlying datasource has not been set.]".

  • 01200056: Configuring an Azure SQL DB repository database no longer fails because of missing properties. DPA automatically adds the required JDBC URL properties in the Advanced Connection Properties dialog box.

  • 01105926, 01183265, 01225013, 01234101, 01241730: Health, connection status, and other data about monitored SQL Server Availability Groups (AGs) are updated as expected in the Availability Group Summary view.

  • 01256667: When you are registering a database instance for monitoring and the com.confio.ignite.jdbc.sqlserver.useJtdsDriver property is set to true in the system.properties file, DPA honors this setting and uses the jTDS JDBC driver.

  • 01235456: DPA sorts index advisors based on the estimated time savings, listing advisors with the largest estimated savings first.

  • 01179091, 01235460: DPA index advisors no longer display estimated savings percentages that are greater than 100%. When DPA detects that information from the database vendor is inconsistent, DPA displays "Unknown". For more information, see this KB article.

  • 01183457, 01191341, 01194479, 01217066, 01311041: DPA index analysis no longer fails with errors such as "Unable to run index analysis" or "Out of range value for column 'CARDINALITY'" in the logs, and it no longer reports no recommendations when the table advisor does recommend indexes.

  • 01174998, 01179091: This release fixes an issue that caused DPA index advisors to recommend creating indexes that already existed, or to recommend indexes that included table columns that did not exist.

  • 01181748: DPA index analysis recommendations are no longer displayed one day and then missing the next even though the recommended indexes were not created.

  • 01142556, 01166969, 01172735, 01273937: When deadlock alerts occur, DPA lists the deadlocks on the Deadlocks tab.

SolarWinds CVEs

  • CVE-2023-23837
    Vulnerability Title: No Exception Handling Vulnerability
    Description: No exception handling vulnerability which revealed sensitive or excessive information to users.
    Severity: Medium

  • CVE-2023-23838
    Vulnerability Title: Directory traversal and file enumeration vulnerability
    Description: Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.
    Severity: Medium

Third-party CVEs

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

  • CVE-2020-26870
    Vulnerability Title: URL redirection vulnerability
    Description: Due to vulnerable Swagger UI version 3.27.0, URL redirection was possible, which can help attackers modify a URL and redirect a user to any other malicious site.
    Severity: High

New customer installation

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

Before you upgrade!

DPA 2023.2 includes fixes that might require changes to your DPA deployment. Before you upgrade, determine if you need to make the following changes:

  • If any users access DPA using HTTP (instead of HTTPS), redirect connection attempts that use the HTTP connector port.

  • If DPA Central is configured to access any DPA servers using HTTP, update the connection definitions.

  • If you monitor Db2 instances, update the permissions of the DPA monitoring user for each Db2 instance.

You can make these changes either before or after an upgrade. However, to ensure DPA availability and to avoid any gaps in monitoring Db2 instances, SolarWinds recommends making them before you upgrade to 2023.2.

Redirect connection attempts that use the HTTP connector port

To ensure that DPA is available to users who previously connected over HTTP, update the server.xml file to redirect traffic to the HTTP connector port (8123 by default) to the HTTPS/SSL connector port (8124 by default).

If the redirect is not added and users attempt to connect over HTTP after the upgrade, they will receive a message that the site can’t be reached.

  1. Open the following file in a text editor:

    DPA-install-dir\iwc\tomcat\conf\server.xml

  2. Locate the Connector element below <!-- HTTPS/SSL connector -->, and note the port value. (By default, this is 8124.)

  3. Locate the Connector element below <!-- HTTP connector -->. Within that Connector element, add the following, where httpsPortNumber is the port value noted in the previous step:

    redirectPort="httpsPortNumber"

    For example:

    redirectPort="8124"

  4. If you make these changes after the upgrade, restart DPA for the changes to take effect.
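As an added illustration that is not part of the SolarWinds documentation, the fragment below shows how the two Connector elements in server.xml relate once step 3 is done, using the default ports 8123 and 8124 from this procedure; the protocol, timeout and keystore attributes are assumptions for illustration and the real DPA file will differ in detail.

```xml
<!-- Added example, not the DPA server.xml itself. Only the two port numbers
     come from the procedure above; every other attribute value is assumed. -->

<!-- HTTP connector BEFORE the change: no redirectPort, so a browser that still
     opens http://host:8123/ gets no answer once only HTTPS is accepted.
<Connector port="8123" protocol="HTTP/1.1" connectionTimeout="20000" />
-->

<!-- HTTP connector AFTER step 3: redirectPort names the HTTPS/SSL connector's
     port noted in step 2. Tomcat answers requests on 8123 that must be served
     over SSL with a redirect to this port instead of serving them in clear. -->
<Connector port="8123"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8124" />

<!-- HTTPS/SSL connector: its port value is what redirectPort must match.
     Keystore path and password are placeholders, not real values. -->
<Connector port="8124"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="PATH_TO_KEYSTORE"
           keystorePass="KEYSTORE_PASSWORD" />
```

After the restart, a quick check is to browse to http://host:8123/ and confirm the browser lands on https://host:8124/; if the redirectPort value does not match the HTTPS connector's port, users see the "site can't be reached" message described above.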

Update DPA Central connections to DPA servers

If you use DPA Central, ensure that it is configured to connect to all DPA servers over HTTPS.

  1. Determine if DPA Central is configured to connect to any DPA servers over HTTP:

    1. From the DPA menu in the upper-right corner, click Central.

    2. Click Manage Central.

    3. Verify that every server has a lock in the SSL column. If a server’s SSL column does not display a lock, DPA Central is configured to connect to that server over HTTP.

  2. If one or more servers are configured to use HTTP, update each server’s connection properties:

    1. In the Registered Servers list, click the server’s display name to open the Edit Server dialog.

    2. Change the Port value to the port used for HTTPS connections (8124 by default).

    3. Select SSL.

    4. Click Save.

Update the permissions of the DPA monitoring user for each Db2 instance

DPA 2023.2 replaces six of the deprecated SNAP* functions that previous DPA versions used to monitor Db2 database instances. Because of this change, the DPA monitoring user requires additional privileges to monitor a Db2 instance. In addition to SYSADM permissions, the user requires EXECUTE privileges on certain SYSPROC functions. To monitor Db2 instances with DPA 2023.2 and later versions, modify the monitoring user's permissions on each Db2 instance.

The required permissions can be granted in Db2 10.1 and later. DPA does not support monitoring earlier versions of Db2.

  1. Run the following commands to grant the DPA monitoring user EXECUTE privileges on the required functions, replacing <USER_NAME> with the monitoring user's authorization ID:

    grant execute on function SYSPROC.MON_GET_DATABASE to <USER_NAME>;
    grant execute on function SYSPROC.MON_SAMPLE_WORKLOAD_METRICS to <USER_NAME>;
    grant execute on function SYSPROC.MON_GET_ACTIVITY to <USER_NAME>;
    grant execute on function SYSPROC.MON_GET_BUFFERPOOL to <USER_NAME>;
    grant execute on function SYSPROC.MON_GET_TABLESPACE to <USER_NAME>;
    grant execute on function SYSPROC.MON_GET_TRANSACTION_LOG to <USER_NAME>;

  2. To verify that the permissions were applied correctly, run the following command:

    select substr(authid,1,20) as authid
        , authidtype
        , privilege
        , grantable
        , substr(objectschema,1,12) as objectschema
        , substr(objectname,1,30) as objectname
        , objecttype
    from sysibmadm.privileges
    where objectschema ='SYSPROC' AND AUTHID='<USER_NAME>';
    

How to upgrade

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

  • Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
  • When you are ready, download the upgrade package from the SolarWinds Customer Portal.

Known issues

Intermittent connection issues when monitoring IBM Db2 instances

Issue

When DPA monitors IBM Db2 instances, DPA is sometimes unable to connect to the instances. This occurs because DPA uses SNAP* functions to collect information from Db2 instances, and these functions have been deprecated by IBM.

In the 2023.2 release, most of the deprecated functions have been migrated. Upgrade to 2023.2 and refer to the KB article for the permissions required to monitor Db2 in DPA.

NOTE: The migration is not complete in the 2023.2 release; the remaining functions will be replaced in an upcoming release.

Resolution or Workaround

None.

DPA 2023.2 replaces six of the deprecated SNAP* functions used in earlier DPA versions. The remaining SNAP* functions will be replaced in an upcoming release.

Because of this change, when you upgrade to DPA 2023.2, you must update the permissions of the DPA monitoring user for each Db2 instance.

REST API does not work when you access DPA with SAML login credentials

Issue

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

Resolution or Workaround

Access DPA with a local login when you generate the refresh token.

Importing an alert definition without the associated database assignment rule

Issue

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

Resolution or Workaround

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

End of life

Version: DPA 2022.2
  EoL Announcement (April 18, 2023): Customers on DPA version 2022.2 or earlier should begin transitioning to the latest version of DPA.
  EoE Effective Date (August 18, 2023): Service releases, bug fixes, workarounds, and service packs for DPA version 2022.2 or earlier will no longer actively be supported by SolarWinds.
  EoL Effective Date (April 18, 2024): SolarWinds will no longer provide technical support for DPA version 2022.2 or earlier.

Version: DPA 2022.1
  EoL Announcement (January 18, 2023): Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.
  EoE Effective Date (April 18, 2023): Service releases, bug fixes, workarounds, and service packs for DPA version 2022.1 or earlier will no longer actively be supported by SolarWinds.
  EoL Effective Date (April 18, 2024): SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

Version: DPA 2021.3
  EoL Announcement (October 18, 2022): Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.
  EoE Effective Date (January 18, 2023): Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.
  EoL Effective Date (January 18, 2024): SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

Version: DPA 2021.1
  EoL Announcement (October 18, 2022): Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.
  EoE Effective Date (January 18, 2023): Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.
  EoL Effective Date (January 18, 2024): SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

Version: DPA 2020.2
  EoL Announcement (October 18, 2022): Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.
  EoE Effective Date (January 18, 2023): Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.
  EoL Effective Date (January 18, 2024): SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

Deprecation notices

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.

Type             Details
DPA server OS    Installing DPA on a server with a Windows Server 2012 R2 operating system is still supported in 2023.2, but support will be removed in an upcoming release.

Legal notices

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
