Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-23839: SolarWinds Platform 2023.2 Release Notes

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

CVE
#sql#vulnerability#web#mac#windows#auth#ssh#zero_day

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2023.2. They also provide information about upgrades and describe workarounds for known issues.

Learn more

  • For information on latest hotfixes, see SolarWinds Platform Hotfixes.
  • For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
  • For information about requirements, see SolarWinds Platform 2023.2 System Requirements.
  • For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

New features and improvements in SolarWinds Platform

Return to top

SolarWinds Platform 2023.2 offers the following improvements compared to previous releases of SolarWinds Platform.

  • Security improvements for external alert actions. Only users with server admin rights are able to create new external actions. See Approve alert actions executing a script.

  • SMTP authentication improvements

  • SSH security improvements

Other improvements

  • SolarWinds Platform Agent now supports RHEL 9.0.

  • Credential API now supports SAM.

New customer installation

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

How to upgrade

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2023.2. If you are on Orion Platform 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.2.

Before you upgrade from 2020.2.x

  • Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the db create privilege. Without this privilege, the upgrade will not complete.

  • The legacy syslog and traps functionality has been retired and replaced with new functionality called SolarWinds Log Viewer, which can be upgraded to Log Analyzer for additional capabilities. Current rules and history will automatically be migrated to the new logging functionality (SolarWinds Log Viewer or Log Analyzer). The functionality of SolarWinds Log Viewer and Log Analyzer has been improved to more closely match legacy functionality. See LA 2022.3 release notes for details.

    If you built syslog and trap alerts using custom SQL queries, they will not function after upgrading to 2022.3 or later. SolarWinds recommends you rewrite the alerts using SWQL (Orion.OLM entities) or using the alerting functionality built into Log Viewer/Log Analyzer.

  • Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.

    • If you have a SQL Server older than 2016.
    • If you have an Orion Platform product version 2020.2 or earlier.

Fixed issues

Return to top

SolarWinds Platform 2023.2 fixes the following issues.

Case Number

Description

1279130, 1281943,1287850,1290108, 1291149, 1301934, 1302724, 1306120, 1309026

The issues with saving the configuration archive on a network share were addressed.

1286152, 1288976, 1289910, 1290594, 1291107, 1297401, 1307087

The issue where date and time in custom reports did not match the format specified in Time Period was addressed.

1257590, 1280347

The issue where database maintenance was failing after the upgrade was addressed.

1121180

The issues with Azure Cloud Details views were addressed.

1232029

Removed SolarWinds Platform Agent plugins are marked for uninstallation after the upgrade.

1289446

The issue where SolarWinds Administration Service read and wrote the package type to an incorrect registry path was addressed.

1272370, 1273749

The issue where importing alerts with SQL macro variables was blocked for Admin users was addressed.

842639

The issue where time zones of SQL server and SolarWinds Platform polling engines showed a warning even when the zones were the same was addressed.

1052957, 1240424, 1245960, 1246538, 1256606, 1257671, 1266763, 1276328, 1267382, 1279002, 1280926, 1281291, 1283928, 1288216, 1290612, 1291755, 1295777, 1296218, 1297821, 1297859

SolarWinds Information Service performance issues when users without admin rights use PerfStack were addressed.

1270128

The issue where the Configuration Wizard failed when configuring the website because of an applicationHost.config error was addressed.

894237

The issue where Global search could not be disabled on some pages was addressed.

1278031

The issue where users could not set up new alerts using DateTime was addressed.

1229785, 1244480, 1274324

The issue where manually created connections on Maps only showed when the Auto-Generated connection box was selected was addressed.

1264223, 1279159

The issue where scalability engines could be upgraded to the version installed on the main polling engine when upgrades for the main polling engine were available was addressed.

N/A

The issue where the name of sender was not specified for some out-of-the-box alerts was addressed.

1125893, 1220248, 1239230, 1244512, 1249564, 1251466, 1254246, 1258643, 1258669, 1260390, 1261995, 1262474, 1264367, 1265533

The partition management during the Database Maintenance was optimized.

The issue where installation/upgrade failed because of a locked file was addressed.

1241480

The issue where the send trap alert action stops working after the upgrade from 2020.2.6 was addressed.

1236663, 1236783, 1241870, 1242442, 1244793, 1249353, 1251317, 1273624

The issue when attempting to add accounts was addressed.

1207061

The installation error while running the centralized upgrade was addressed.

1249722

The issues with the “less than X objects meet the condition” condition in alerts were addressed.

1245612, 1248898

The issues with the Configuration Wizard launching automatically was addressed.

1244008

The issue where custom charts changed behavior was addressed.

1229115

The issue where AmsProxy logs stopped logging on log level change was addressed.

1237514, 1243831, 1245680, 1274269, 1289216

The issue where the node last boot was displayed using UTC was addressed. Last boot is displayed using the local time.

1154578

The issue with loading Subcategory when creating a ServiceNow incident was addressed.

826160, 864527, 873077

The issue where no error message was displayed when the upgrade failed was addressed.

1239689, 1279354

The issue where the Permission Checker fails on upgrade from 2020.2.6 for additional polling engines was addressed.

1228441

The issue where the category was not parsed correctly in All Nodes widgets was addressed.

1234160, 1254686

The issue where proportional widgets do not parse statuses was addressed.

1205283

The issue where Windows Agents generated high CPU usage was addressed.

1228673

The issue where the installation fails if there is another suspended MSI installation in the system was addressed.

1214950

The issue where latency between polling engines was incorrectly indicated on the main server was addressed.

1216266

The issue with time zones of SQL server and the main polling engine was addressed.

1187919, 1209102

The issue with Fortinet Fortigate 101E incorrectly polling IP addresses was addressed.

1202271, 1246753, 1256631, 1259934, 1263843, 1282054, 1289795

The issue where scheduled unmanaging issues caused false positive alerts was addressed.

1217121, 1291663

The issue where upgrade from 2020.2.6 fails in the Circuit wizard when the bound HTTPS certificate is not available on the system anymore was addressed.

1194008

The issue where administrators could update the database with queries in the Add/Edit Report wizard was addressed.

1186572, 1288230

The issue where users could not save changed rows in Manage Entities was addressed.

1154256

The issue where users could not change the SNMPv3 credentials set for a node was addressed.

930171, 990401, 1048906, 1054670, 1095761, 1102507, 1208626

The issues with obsolete records in Cortex documents were addressed.

1163369

The issues with assigning a new dashboard as the default summary view were addressed.

1150632

The issue where the testing credentials for the execute external program alert action triggered the action instead of only validating the credentials was addressed.

1106632

The issues with using SQL/SWQL variables in the SMS alert action were addressed.

1128730

The issue where the Active Diagnostics test “Check Engines and OrionServers integrity” was case-sensitive was addressed.

1198603, 1204150, 1226617, 1228488, 1269783, 1278674, 1279332

The issue where the PerfStack real-time polling ignored account permissions was addressed.

1088944

The issue where volume charts behave differently for administrators and non-administrators was addressed.

318702, 874297, 932513, 1076268, 1200393

The issue where audit events for alert suppression showed time in UTC was addressed.

773793, 916997, 1092088

The issue where High Availability applications and components are not licensed was addressed.

631312, 807280, 817116, 1048102, 1051103, 1133802

The issues with latest baseline graphs were addressed.

CVEs

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-47509

SolarWinds Platform Incorrect Input Neutralization Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

4.3 Medium

Juampa Rodriguez (@UnD3sc0n0c1d0)

CVE-2022-36963

SolarWinds Platform Command Injection Vulnerability

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-47505

SolarWinds Platform Local Privilege Escalation Vulnerability

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-23839

SolarWinds Platform Exposure of Sensitive Information Vulnerability

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

6.8 Medium

Known issues

Return to top

1310500

Configuration Wizard stops progressing

Issue: When you upgrade to 2023.2 RC1, the Configuration Wizard stops progressing, usually at 0-5% complete.

Workaround:

  1. Cancel the Configuration Wizard, for example by ending it in the Task Manager.
  2. Find INSTALL_PATH]\SWNetPerfMon.DB, for example in C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB, and open it for editing.
  3. Remove all empty lines from the bottom of the file and save your changes.
  4. Run the Configuration Wizard.

End of life

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

April 18, 2023: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

May 18, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.6 will no longer be actively supported by SolarWinds.

May 18, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.6

2020.2.5

January 18, 2023: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

February 17, 2023: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.5 will no longer be actively supported by SolarWinds.

February 17, 2024: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.5.

2020.2.4

October 19, 2022: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.4 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.4.

2020.2.1

October 19, 2022: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.1 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.1.

2020.2

October 19, 2022: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

November 18, 2022: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2 will no longer be actively supported by SolarWinds.

November 18, 2023: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

End of support

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

Type

Details

Browser support

All versions of Internet Explorer are no longer supported.

Deprecation notices

Return to top

This version of SolarWinds Platform deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.

Type

Details

Network Atlas

Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using SolarWinds Platform Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.

Port 17778

SWIS REST Endpoint on port 17778 is deprecated as of 2023.1 and will be replaced with port 17774 in a future release. SolarWinds recommends that you start migrating SWIS REST Endpoint to port 17774.

Legal notices

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Related news

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

CVE-2022-47509: SolarWinds Trust Center Security Advisories | CVE-2022-47509

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

CVE-2022-36963: SolarWinds Trust Center Security Advisories | CVE-2022-36963

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

CVE-2022-47505: SolarWinds Trust Center Security Advisories | CVE-2022-47505

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907