SecurityWeek

Vulnerabilities

SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester

SolarWinds has released patches for high-severity vulnerabilities in Serv-U and the SolarWinds Platform.

SolarWinds this week announced patches for multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO.

Rolling out as version 2024.2, the latest SolarWinds Platform iteration includes patches for three new security defects, as well as fixes for multiple bugs in third-party components.

The first issue, tracked as CVE-2024-28996, and reported by NATO Communications and Information Agency pentester Nils Putnins, is described as an SWQL injection flaw. A proprietary, read-only subset of SQL, SWQL allows users to query the SolarWinds database for network information.

SolarWinds also announced patches for two security defects impacting the web console of its platform, namely CVE-2024-28999, a race condition vulnerability, and CVE-2024-29004, a stored cross-site scripting (XSS) flaw that requires high privileges and user interaction for successful exploitation.

According to the vendor, the vulnerabilities impact SolarWinds Platform 2024.1 SR 1 and previous versions. Users are advised to update to version 2024.2 of the platform as soon as possible.

The SolarWinds Platform update also includes fixes for a medium-severity flaw in Angular and ten high- and medium-severity issues in OpenSSL, some of which were disclosed seven years ago. Most of these issues could be exploited to cause a denial-of-service (DoS) condition.

This week, SolarWinds also rolled out a hotfix for CVE-2024-28995, a high-severity directory traversal vulnerability in Serv-U that could allow attackers to read sensitive files on the host machine.

With a CVSS score of 8.6, the bug impacts Serv-U 15.4.2 hotfix 1 and previous versions, including Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. Serv-U 15.4.2 hotfix 2 resolves the flaw and is compatible with both Windows and Linux systems.
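To illustrate the vulnerability class behind CVE-2024-28995, the following Python snippet is an added example written for this page; it is not SolarWinds or Serv-U code and says nothing about how the Serv-U flaw itself works. It places a naive path join beside a hardened resolver that decodes, normalizes and confines a client-supplied path to a share root, and runs both over a few constructed requests. The share root, the request strings and the handling of backslashes as separators are assumptions made for the example.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed share root for the example; a real file server uses its configured root.
ROOT = "/srv/ftp/share"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: trusts the client-supplied path, so '../' segments climb out of root."""
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def hardened_resolve(root: str, requested: str) -> Optional[str]:
    """Decode, normalize and confine the path to root; return None if it escapes."""
    # Decode percent-encoding twice so '%2e%2e/' and double-encoded '%252e%252e/'
    # are both seen as '../' before any path logic runs.
    decoded = requested
    for _ in range(2):
        decoded = unquote(decoded)
    # Assumption for this example: the server treats backslashes as separators on
    # every platform, so '..\\..\\' is normalized the same way as '../../'.
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path inside C-based file APIs; reject them outright.
    if "\0" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Confinement check: the result must be root itself or a descendant of it.
    # The trailing '/' matters: it stops '/srv/ftp/share2' passing as a child of
    # '/srv/ftp/share' through a bare prefix comparison.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def check_requests(root: str, requests: List[str]) -> Dict[str, Optional[str]]:
    """Map each request to what the hardened resolver returns (None = rejected)."""
    return {req: hardened_resolve(root, req) for req in requests}


# Constructed sample requests: one legitimate, one normalized-but-legitimate,
# and several traversal attempts in plain, encoded, double-encoded and
# backslash forms, plus a sibling-directory prefix trick.
SAMPLE_REQUESTS = [
    "docs/readme.txt",
    "docs/../docs/a.txt",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "%252e%252e/etc/shadow",
    "..\\..\\..\\Windows\\win.ini",
    "../share2/secret.txt",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} naive -> {vulnerable_resolve(ROOT, req)}")
        print(f"{'':40} hardened -> {hardened_resolve(ROOT, req)}")
```

The naive resolver maps `../../../etc/passwd` to `/etc/passwd`; the hardened one rejects every traversal attempt and keeps only the two requests that stay inside the share. On a live filesystem the confinement check should be performed on `os.path.realpath()` output as well, so that a symlink inside the share cannot point outside it; the example uses `posixpath` only so that it runs deterministically without touching the disk.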

SolarWinds makes no mention of any of these vulnerabilities being exploited in the wild. Users and administrators are advised to apply the available patches as soon as possible.

Related: Industry Reactions to SEC Charging SolarWinds and Its CISO: Feedback Friday

Related: SolarWinds Patches High-Severity Flaws in Access Rights Manager

Related: Hundreds of Devices With Internet-Exposed Management Interface Found in US Agencies

Related: SolarWinds Platform Update Patches High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
