CVE-2021-35237: KSS 9.8 Release Notes
Kiwi Syslog Server 9.8 Release Notes

Release date: October 19, 2021

These release notes describe the new features, improvements, and fixed issues in Kiwi Syslog Server 9.8. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Kiwi Syslog Server, see Previous Version documentation.

New features and improvements

Kiwi Syslog Server 9.8 offers the following new features and improvements compared to previous versions of Kiwi Syslog Server.

Microsoft SQL Server 2019 support

Kiwi Syslog Server now supports and successfully writes messages to the Microsoft SQL Server 2019 database.

New Internet Information Server (IIS) webserver for Kiwi Web Access

The UltiDevWebServer has been deprecated and Kiwi Syslog Server now leverages Internet Information Server (IIS) to provide modern and secure web service.

Support for SNMPv3 credentials

Kiwi Syslog Server now supports functionality for adding and removing SNMPv3 user credentials, including values for username, authentication password, private password, algorithms, and security level. See fixed issues below for more details.

Licensing framework upgrade

Kiwi Syslog Server 9.8 includes the latest SolarWinds licensing framework, to be used in conjunction with SolarWinds logging.

Updated jQuery library

The jQuery library used in Kiwi Syslog Server has been updated to version 3.6.0.

Removal of .NET versions 2.0 and 3.5

Kiwi Syslog Server no longer requires or runs on the .NET 2.0 and 3.5 frameworks, which improves the security of customer sessions and cookies. See fixed issues below for more details.

New customer installation


For information about installing Kiwi Syslog Server, see the Kiwi Syslog Server Installation Guide.

After installation, see the Kiwi Syslog Server Getting Started Guide for implementation and troubleshooting guidelines. The guide walks you through common configuration tasks to help you get up and running quickly.

How to upgrade

If you are upgrading from an earlier version, use the Kiwi Syslog Server Upgrade Guide to plan and implement an upgrade to Kiwi Syslog Server 9.8.

Fixed issues in KSS 9.8


KSS 9.8 fixes the following issues.

| Case Number | Description |
| --- | --- |
| N/A | The KiwiSyslogLicensor.exe application is now digitally signed. |
| 00179952, 00815565, 00490222 | SNMPv3 credentials are now exported appropriately without crashing the service. |
| 00202438, 00296403, 00376967, 00864855, 00864855, 00254325, 00389680, 00220030 | UTF-8 symbols now display correctly in action and text fields. |
| 00744921, 00759402, 00820497 | The HTTP security header is now detectable. |
| 00799858, 00871069, 00798372 | The Windows unquoted path vulnerability has been resolved. See CVEs below. |
| N/A | The License Manager version 2.0.0.732 now loads correctly. |
| 00589979 | The session identifier is now updated and resolves the potential vulnerability. See CVEs below. |
| 00820497, 00669111 | The HTTP TRACK and TRACE vulnerabilities have been resolved. See CVEs below. |
| 00625071 | Software versions are no longer viewable in the HTTP header. |
| 00775510, 00788703, 00792253, 00841628, 00767612, 00841066, 00844947, 00896711 | Users are now able to save filters from the Events tab. |
| 00746439, 00740074, 00747488, 00747419, 00750586, 00752088, 00753175, 00752132, 00755082, 00746654, 00747625, 00749786, 00746328, 00753257, 00744039 | Users with Kiwi CatTools 3.11.8 are now able to continue the Kiwi Syslog Server setup process. |
| 00640200 | .NET CLR no longer presents a potential FIPS vulnerability. See CVEs below. |
| 00711054, 00737175, 00773411, 00802805, 00641765, 00641360, 00710850, 00748954, 00764883, 00818115, 00874516, 00881358, 00789612 | Users no longer receive the HttpUnhandledException error while attempting to access the Events tab in the Web Access portal. |
| 00688130, 00779774, 00861151, 00683475, 00709991, 00753162, 00704103, 00837374, 00903887 | Users are now able to import filters appropriately in the Kiwi Web Access portal. |
| 00667753 | The script to pass custom variables now works as expected. |
| 00743108, 00762258, 00865670 | Users no longer lose Priority information while spoofing with Npcap. |
| 00744054 | Npcap spoofing no longer fails if "hostname" is used as a destination. |
| 00773496, 00809603 | Users are now able to reset passwords in the Admin tab in the Web Access portal. |
| 00780022 | Russian language files are no longer detected in the installation package. |
| 00863789 | In the Forward to another host action, the options for New Facility and New Level are now correctly named. |

CVEs


SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

Each entry below lists the CVE-ID, vulnerability title, description, severity, and credit.

CVE-ID: CVE-2021-35233

Vulnerability Title: HTTP TRACK & TRACE Methods Enabled Vulnerability

Description: The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server responds to requests that use these methods by returning the exact HTTP request it received in the body of the response. This may lead to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies.

Severity: Medium

Credit: N/A

CVE-ID: CVE-2021-35235

Vulnerability Title: ASP.NET Debug Feature Enabled

Description: The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.1. ASP.NET allows remote debugging of web applications if configured to do so. Debug mode causes ASP.NET to compile applications with extra information that enables a debugger to closely monitor and control the execution of an application.

If an attacker could successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure that may be valuable in targeting SWI with malicious intent.

Severity: Medium

Credit: N/A

CVE-ID: CVE-2021-35236

Vulnerability Title: Missing Secure Flag From SSL Cookie

Description: The Secure flag is not set on the SSL cookie in Kiwi Syslog Server 9.7.1. The Secure attribute tells the browser to send the cookie only when the request is being sent over a secure channel such as HTTPS, which protects the cookie from being passed in unencrypted requests. If the application can be accessed over both HTTP and HTTPS, the cookie may be sent in clear text.

Severity: Low

Credit: N/A

CVE-ID: CVE-2021-35237

Vulnerability Title: Clickjacking Vulnerability

Description: A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to clickjacking.

Clickjacking is an attack in which an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, belonging to another server on which the attacker hosts an identical webpage. The attacker essentially hijacks the user activity intended for the original server and redirects it to the other server. This is an attack on both the user and the server.

Severity: Medium

Credit: N/A
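The four HTTP-facing entries above (TRACK/TRACE echo, the missing Secure flag, the missing X-Frame-Options header, and the version strings in the HTTP header noted in the fixed issues) can all be verified from a single captured response. The following audit is an added example, not SolarWinds code; the three responses it checks are constructed samples rather than captures from Kiwi Syslog Server, and the X-Internal-Auth header in the TRACE sample is a made-up name standing in for whatever a reverse proxy might append. It goes slightly beyond the entries in that it also accepts a Content-Security-Policy frame-ancestors directive as framing protection and checks HttpOnly alongside Secure.

```python
"""Audit a captured HTTP response for TRACE/TRACK echo, cookie flags,
clickjacking protection and version disclosure.

Added example; not SolarWinds code. All responses below are constructed."""
import re

# Constructed: a response showing all of the weaknesses at once.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed: the same page with the headers a hardened deployment would send.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: web\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed: what a server with TRACE enabled returns. The body is the request
# it received, including a header (hypothetical name) a reverse proxy added.
TRACE_REQUEST_LINE = "TRACE / HTTP/1.1"
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: syslog.example.internal\r\n"
    "X-Internal-Auth: placeholder-token\r\n"
)

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw):
    """Split a raw response into (status line, [(name_lower, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name.lower()]


def frame_protection(headers):
    """Name the mechanism that stops framing, or None if there is none."""
    xfo = [v.upper() for v in header_values(headers, "x-frame-options")]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return "x-frame-options"
    for csp in header_values(headers, "content-security-policy"):
        if "frame-ancestors" in csp.lower():
            return "csp-frame-ancestors"
    return None


def insecure_cookies(headers):
    """List (cookie name, missing flags) for every Set-Cookie lacking Secure or HttpOnly."""
    findings = []
    for cookie in header_values(headers, "set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = [p.lower() for p in parts[1:]]
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def version_disclosure(headers):
    """Headers that carry a dotted version number (e.g. 10.0, 4.0.30319)."""
    return [n for n, v in headers if n in VERSION_HEADERS and re.search(r"\d+\.\d+", v)]


def trace_echoed(request_line, body):
    """A TRACE/TRACK-enabled server reflects the request line at the top of the body."""
    return body.lstrip().startswith(request_line)


def audit(raw_response, request_line=None):
    _, headers, body = parse_response(raw_response)
    findings = {
        "frame_protection": frame_protection(headers),
        "insecure_cookies": insecure_cookies(headers),
        "version_disclosure": version_disclosure(headers),
    }
    if request_line is not None:
        findings["trace_echoed"] = trace_echoed(request_line, body)
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
    print("trace", audit(TRACE_RESPONSE, TRACE_REQUEST_LINE))
```

Run against a live deployment, feed `audit` the raw bytes of a response to the login page (decoded as text) and, separately, the response to a TRACE request with its request line; an empty `insecure_cookies`, a non-None `frame_protection`, an empty `version_disclosure` and `trace_echoed` False is the state the 9.8 fixes are meant to produce.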

CVE-ID: CVE-2021-35231

Vulnerability Title: Unquoted Path Vulnerability (SMB Login)

Description: As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.

Example vulnerable path:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kiwi Syslog Server\Parameters\Application

Severity: Medium

Credit: David Rickard, Danijel Grah
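The condition behind this entry is an executable path that contains spaces and is stored without surrounding quotes. The following check is an added example, not SolarWinds code: it decides whether a registry value of that kind needs quoting, and on Windows can read the ImagePath of every installed service so the same test can be run across a host. The sample values are constructed, not taken from a Kiwi Syslog Server installation; the same function applies to any other value holding an executable path, such as the Parameters\Application value the entry names.

```python
"""Flag Windows service executable paths that are unquoted and contain spaces.

Added example; not SolarWinds code. The ImagePath values below are constructed
samples, not values from a Kiwi Syslog Server installation."""
import re

# Constructed sample ImagePath values as the Service Control Manager would see them.
SAMPLE_IMAGE_PATHS = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\Example Service\svc.exe",
    "ExampleSvcFixed": r'"C:\Program Files\Example Vendor\Example Service\svc.exe"',
    "CoreSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ArgsOnly": r"C:\Windows\agent.exe --log C:\Program Files\Logs\agent.log",
}


def service_executable(image_path):
    """Return (executable_path, was_quoted) for a service ImagePath value.

    For an unquoted value the executable is taken as everything up to and
    including the first ".exe"; spaces inside that span are what make the
    earlier path prefixes candidates for resolution."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = re.search(r"\.exe\b", value, re.IGNORECASE)
    executable = value[: match.end()] if match else value.split(" ", 1)[0]
    return executable, False


def is_unquoted_path_risk(image_path):
    """True when the executable portion is unquoted and contains a space."""
    executable, quoted = service_executable(image_path)
    return (not quoted) and (" " in executable)


def audit_image_paths(paths):
    """Return the sorted service names whose ImagePath needs quoting."""
    return sorted(name for name, path in paths.items() if is_unquoted_path_risk(path))


def scan_local_services():
    """On Windows, read ImagePath for every service under CurrentControlSet.
    Returns {} on other platforms so the module stays importable offline."""
    try:
        import winreg
    except ImportError:
        return {}
    results = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # service without an ImagePath value
            if isinstance(value, str):
                results[name] = value
    return results


if __name__ == "__main__":
    for name in audit_image_paths(SAMPLE_IMAGE_PATHS):
        print(f"{name}: unquoted path with spaces -> {SAMPLE_IMAGE_PATHS[name]}")
    for name in audit_image_paths(scan_local_services()):
        print(f"local service {name} needs a quoted ImagePath")
```

Note that only spaces inside the executable span count: `ArgsOnly` has a space in its arguments but a space-free executable, so it is not flagged, while `ExampleSvc` is flagged and its quoted twin `ExampleSvcFixed` is not.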

End of life


See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

Legal notices


© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
