The American company SolarWinds, which specializes in IT infrastructure management software, has announced security updates to address critical vulnerabilities in its Serv-U products and the SolarWinds Platform. The affected versions are 2024.1 SR 1 and earlier.
One of the vulnerabilities, designated CVE-2024-28996, was reported by Nils Putnins, a penetration tester at the NATO Communications and Information Agency. This vulnerability, with a CVSS score of 7.5, allows unauthorized read access to SQL/SWQL (SolarWinds Query Language) data in the SolarWinds database.
As outlined in the advisory, the attack complexity for CVE-2024-28996 is rated "High", which limits practical exploitation to highly skilled attackers.
In addition to CVE-2024-28996, SolarWinds has addressed other vulnerabilities in its platform. These include CVE-2024-28999 (CVSS 6.4), a race condition, and CVE-2024-29004 (CVSS 7.1), a cross-site scripting (XSS) vulnerability in the web console.
The company has also fixed various issues in third-party components, including Angular (CVE-2021-4321), the OpenSSL public API function BIO_new_NDEF (CVE-2023-0215), RSA key generation in OpenSSL (CVE-2018-0737), and the x86_64 Montgomery squaring procedure in OpenSSL (CVE-2017-3736), among others.
While it is not known whether these vulnerabilities have been exploited in real attacks, users are strongly advised to update to SolarWinds Platform 2024.2 promptly to patch them and reduce their exposure.