SolarWinds fixed several vulnerabilities in Serv-U and SolarWinds Platform

SolarWinds addressed multiple vulnerabilities in Serv-U and the SolarWinds Platform, including a flaw reported by a penetration tester working with NATO.
SolarWinds released security fixes for several high-severity vulnerabilities in Serv-U and the SolarWinds Platform. The vulnerabilities affect Platform 2024.1 SR 1 and earlier versions.
One of the vulnerabilities addressed by the company, tracked as CVE-2024-28996, was reported by a security tester working with NATO.
The flaw CVE-2024-28996 (CVSS score 7.5) was discovered by Nils Putnins, a security tester at the NATO Communications and Information Agency. The flaw affects SWQL, a read-only subset of SQL that lets users query the SolarWinds database for network data. According to the advisory, the attack complexity is high.
The company also addressed several vulnerabilities in third-party components. The flaws, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), are a race condition and a stored XSS vulnerability in the web console, respectively.
The company also fixed issues in third-party components, including Angular, the public API function BIO_new_NDEF, the OpenSSL RSA key generation mechanism, and the x86_64 Montgomery squaring procedure in OpenSSL.
SolarWinds released version 2024.2, which addresses the vulnerabilities listed above.
It is not known whether any of these vulnerabilities have been exploited in the wild.
(SecurityAffairs – hacking, SolarWinds)
