Solarwinds: Update closes vulnerabilities in Platform, some of them critical

Solarwinds has released the 2025.1 update of Solarwinds Platform. It closes several security vulnerabilities, some of them critical.

Solarwinds has released the update to version 2025.1 for the Solarwinds Platform Self-Hosted. As it closes some critical security gaps, IT managers should apply the update quickly.

In the Solarwinds Platform release notes, the company lists general improvements and new functions and, at the end, the security vulnerabilities the update closes. In total, there are five vulnerabilities, three of which affect Solarwinds Platform directly and two of which affect third-party components.

The bundled OpenSSL accounts for the most serious vulnerabilities. One flaw allows data to be read beyond the end of a buffer under certain, rather rare circumstances, giving attackers access to sensitive data. Because of that rarity, the OpenSSL developers classified the vulnerability as low risk. However, Solarwinds apparently uses OpenSSL in the vulnerable way, so the vulnerability, CVE-2024-5535, has been given a CVSS score of 9.1 by the developers and thus a risk rating of “critical”.

In addition, the updated OpenSSL version supplied fixes a vulnerability that attackers can abuse for a denial of service (CVE-2024-6119, CVSS 7.5, high). There is also a reflected cross-site scripting vulnerability in the Solarwinds Platform software itself (CVE-2024-52612, CVSS 6.8, medium, but classified as “high” risk by Solarwinds). Furthermore, malicious actors can abuse a server-side request forgery (CVE-2024-52606, CVSS 3.5, low) or obtain information through an error message, though not sensitive information, Solarwinds explains (CVE-2024-52611, CVSS 3.5, low).

The update to Solarwinds Platform 2024.4 from October 2024 also closed some security vulnerabilities. Some of these were classified as critical risks.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.