SolarWinds: Critical vulnerabilities in Serv-U and the platform

Tomcat

Update to the latest version to avoid becoming another victim of cyber bandits.

SolarWinds, an American company that develops software for managing IT infrastructure, has announced the release of security updates that fix several critical vulnerabilities in its Serv-U products, as well as in the SolarWinds Platform. The vulnerabilities affect version 2024.1 SR 1 and earlier.

One of the vulnerabilities, designated CVE-2024-28996, was reported by Nils Putnins, a penetration tester working for the NATO Communications and Information Agency. The vulnerability was rated 7.5 on the CVSS scale and involves SWQL, a read-only subset of SQL that allows users to query network information in the SolarWinds database.

According to the published advisory, the attack complexity is rated "high", which is somewhat encouraging, as it limits exploitation of the vulnerability to highly skilled attackers.

In addition to CVE-2024-28996, SolarWinds also fixed several other vulnerabilities in its platform. For example, CVE-2024-28999 (CVSS 6.4) is a race condition, and CVE-2024-29004 (CVSS 7.1) is an XSS vulnerability in the web console.

The company also fixed a number of bugs in third-party components, including Angular (CVE-2021-4321), the public API function "BIO_new_NDEF" (CVE-2023-0215), the RSA key generation algorithm in OpenSSL (CVE-2018-0737), the Montgomery squaring procedure for x86_64 in OpenSSL (CVE-2017-3736), and many others.

At the moment it is not known whether these vulnerabilities have been used in real attacks, but rather than learn this the hard way, it is recommended to upgrade to SolarWinds 2024.2, which fixes all of the above, as soon as possible.