SolarWinds has published a security advisory for Database Performance Analyzer 2022.1.7779. For the protection of your environment, SolarWinds strongly recommends all customers upgrade to the latest available version of Database Performance Analyzer (DPA 2022.1.7779). This update is now available in your.
Please see more information about this vulnerability and our investigation in our Trust Center.
Summary
On Tuesday, March 29, news of potential vulnerabilities in the Spring Framework surfaced. The Spring Framework is a very popular framework used by Java developers to build modern applications and is owned by VMware.
Spring is providing regular updates via its support blog: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
We have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds products do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue:
- Security Event Manager (SEM)
- Database Performance Analyzer (DPA)
- Web Help Desk (WHD)
We have confirmed all other SolarWinds products ARE NOT AFFECTED by this issue, including the Orion Platform and its modules.
While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA and WHD) from the internet.
On March 31, we previously indicated Virtualization (VMAN) Poller (an internally facing component only) was being evaluated, due to its use of the Spring Framework. We have now confirmed VMAN is not affected by this issue.
Additionally, we recommend users of these products ensure they are referencing our best practices and recommendations as follows:
- Security Event Manager (SEM): Please review the Secure SEM section of the SEM Administrator Guide
- Database Performance Analyzer (DPA): Please review the DPA Secure Configuration Guide Best Practices and Recommendations
SolarWinds is actively investigating these newly reported vulnerabilities and will provide regular updates as new information becomes available and is validated. Out of an abundance of caution, we are working on updates to these products to include the latest version of the Spring Framework that the Spring team made available on March 31.
The hotfixes for both Database Performance Analyzer (DPA) and Web Help Desk (WHD) are now available in your Customer Portal. The hotfix for the Security Event Manager (SEM) is currently anticipated to be available the week of April 10. We will notify customers when each of these updates is available.
Affected Products
- Security Event Manager (SEM)
- Database Performance Analyzer (DPA)
- Web Help Desk (WHD)
Fixed Software Release
Database Performance Analyzer 2022.1.7779 Release Notes
Web Help Desk 12.7.8 HF2 Release Notes