"SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester"
SolarWinds recently announced patches for multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO.

Version 2024.2, the latest SolarWinds Platform release, includes patches for three new security defects and fixes for multiple bugs in third-party components.

The first issue, tracked as CVE-2024-28996 and reported by a NATO Communications and Information Agency pentester, is described as an SWQL injection flaw. SWQL is a proprietary, read-only subset of SQL that allows users to query the SolarWinds database for network information.

The update also patches two security defects affecting the platform's web console: CVE-2024-28999, a race condition vulnerability, and CVE-2024-29004, a stored cross-site scripting (XSS) flaw that requires high privileges and user interaction for successful exploitation.

SolarWinds states that the vulnerabilities affect SolarWinds Platform 2024.1 SR 1 and previous versions, and advises users to update to version 2024.2 of the platform as soon as possible.

The SolarWinds Platform update also includes fixes for a medium-severity flaw in Angular and ten high- and medium-severity issues in OpenSSL, some of which were disclosed seven years ago. Most of these issues could be exploited to cause a denial-of-service (DoS) condition.

SolarWinds does not say whether any of these vulnerabilities are being exploited in the wild. Users and administrators are advised to apply the available patches as soon as possible.
SecurityWeek reports: "SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester"