SolarWinds has released version 2024.2 of the SolarWinds Platform to address several high-severity vulnerabilities, alongside a separate hotfix for its Serv-U file transfer products. The most notable Platform issue is an SWQL injection flaw (SWQL is the SolarWinds Query Language, used to query the SolarWinds Information Service that fronts the product database) discovered and reported by NATO pentester Nils Putnins. Because SWQL is the path to the monitoring database, injection into it lets an attacker read data they are not authorized to see, putting both network topology information and other sensitive data held by the platform at risk.
Version 2024.2 also remediates CVE-2024-28999, a race condition, and CVE-2024-29004, a stored cross-site scripting (XSS) flaw in the SolarWinds Platform web console. Both require an authenticated account with specific privileges to exploit, which lowers but does not remove the urgency: a compromised or malicious low-privilege user is a common starting point for an intrusion, so organizations should update promptly rather than rely on the authentication requirement as a mitigation.
The 2024.2 update goes beyond these immediate fixes. It also addresses medium-severity vulnerabilities in the bundled Angular front-end framework and a number of long-standing OpenSSL issues, some of which have been public for up to seven years. These third-party component updates mainly reduce exposure to denial-of-service (DoS) conditions and bring the platform's dependencies up to date.
Separately, SolarWinds has issued a hotfix for CVE-2024-28995, a high-severity directory traversal flaw (CVSS 8.6) affecting the Serv-U product line. The bug lets an attacker read files outside the directory the service is meant to expose, which on a file transfer server can include configuration files and other sensitive data on the host. Organizations running Serv-U should apply the hotfix without delay and, as a sensible check, review server access logs for requests containing traversal sequences such as `../` or their URL-encoded forms.
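To illustrate the vulnerability class behind CVE-2024-28995 in general terms, the following is an added example, not Serv-U's code and not a reconstruction of the actual bug: a file server that concatenates a client-supplied path onto its share root (the vulnerable pattern) next to a hardened resolver that decodes, normalizes and then confirms the result still lies under the root. The share root `/srv/ftp/share` and the sample request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed share root for the example; a real server would use its configured directory.
SHARE_ROOT = "/srv/ftp/share"


def resolve_unsafe(root: str, requested: str) -> str:
    """Vulnerable pattern: decode the client path and glue it onto the root.

    normpath collapses '..' segments, so a request with enough of them walks
    straight out of the share root.
    """
    return posixpath.normpath(root + "/" + unquote(requested))


def resolve_safe(root: str, requested: str):
    """Hardened pattern: decode (twice, to catch double encoding), normalize
    separators, resolve lexically, then reject anything outside the root.

    Returns the resolved path, or None when the request escapes the root.
    """
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators, as a Windows host would.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    inside = candidate == root_norm or candidate.startswith(root_norm + "/")
    return candidate if inside else None


# Constructed sample requests: one benign, the rest traversal attempts in
# plain, URL-encoded, double-encoded and backslash forms.
SAMPLE_REQUESTS = [
    "docs/readme.txt",
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\..\\Windows\\win.ini",
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {request: (unsafe_result, safe_result)} for each sample path."""
    return {r: (resolve_unsafe(SHARE_ROOT, r), resolve_safe(SHARE_ROOT, r)) for r in requests}


if __name__ == "__main__":
    for req, (unsafe, safe) in compare().items():
        print(f"{req!r:48} unsafe -> {unsafe!s:28} safe -> {safe}")
```

The check is purely lexical. On a real filesystem the server should additionally resolve symbolic links (for example with `os.path.realpath`) before comparing against the root, since a symlink inside the share can otherwise point outside it even though the path string looks safe.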