SolarWinds announced security patches to address multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform. The vulnerabilities affect Platform 2024.1 SR 1 and previous versions.
One of the vulnerabilities addressed by the company, tracked as CVE-2024-28996, was reported by a penetration tester working with NATO.
The flaw CVE-2024-28996 (CVSS score 7.5) was discovered by NATO Communications and Information Agency pentester Nils Putnins. The flaw is a read-only subset of SQL, SWQL, which allows users to query the SolarWinds database for network information. According to the advisory, the attack complexity is high.
The company also addressed multiple vulnerabilities in third-party companies. The flaws, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), are a race condition issue and a stored XSS bug in the web console, respectively.
The company fixed multiple bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.
The company released version 2024.2 that addressed the above vulnerabilities.
It is unclear if any of these flaws have been exploited in attacks in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SolarWinds)