SolarWinds takes security seriously, and in addition to performing exhaustive internal security testing, we do our best to respond swiftly to any reported issue. With the recent heartburn around Heartbleed, the development teams at SolarWinds have been working feverishly to determine if any of our products are affected. For those who may have missed the news, a few days ago a high-severity vulnerability in many versions of OpenSSL was made public and dubbed "Heartbleed." If you have a system serving up SSL content, you may well be impacted. Since the details have been covered ad nauseam by a variety of sources, we won't go into the nitty-gritty, but good primary source material may be found here: http://heartbleed.com/

While we do ship an OpenSSL library in our core platform that would be affected, it is not exposed as a service and is used only in a limited outbound capacity. For this reason, and because our research did not locate any vulnerabilities, we believe our products are not vulnerable to Heartbleed. Despite having zero known exposure to the vulnerability, we have released an OpenSSL library fix for Core to further put everyone's mind at ease: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip

[Revised 6/12/14 10:45am CST to include 1.0.1h]

As everyone here is hopefully aware, we take community transparency quite seriously. In that spirit, please find the matrix below:

| Product | Version | Status | Disposition |
|---|---|---|---|
| Alert Central | | OK | |
| DameWare | | OK | |
| DPA (formerly Confio Ignite) | | OK | |
| EOC | | OK | |
| FSM | | OK | |
| FTP Voyager | | OK | |
| IPAM | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| ipMonitor | | OK | |
| Kiwi CatTools | | OK | |
| Kiwi Syslog | | OK | |
| LEM | | OK | |
| Mobile Admin Server | | OK | |
| n-Central | | OK | |
| NCM | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| NPM | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| NTA | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| NTM | | OK | |
| Patch Manager | | OK | |
| SAM | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| Serv-U | | OK | |
| SFTP/SCP Server Free tool | 1.0.3.20 - 1.0.4.31 | OK | SFTP/SCP Server 1.0.3.20 - 1.0.4.31 does contain OpenSSL 1.0.1e library, however only for internal encryption. No external SSL service is referenced, therefore not vulnerable. |
| Free SSH Client | | OK | |
| Storage Manager | | OK | |
| TFTP Server Free tool | | OK | |
| Engineer's Toolset | 10.9.1 - 11.0.0 | OK | SFTP/SCP Server in Toolset 10.9.1 - 11.0.0 does contain OpenSSL 1.0.1e library, however only for internal encryption. No external SSL service is referenced, therefore not vulnerable. |
| UDT | >Core 2012.2 | OK | Orion Core >2012.2 does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| Virtualization Manager | | OK | |
| VNQM | >Core 2012.2 | OK | Orion Core does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |
| WebHelpDesk | | OK | |
| WPM | >Core 2012.2 | OK | Orion Core does contain OpenSSL 1.0.1e library, but is only used for outbound SNMPv3 AES communication. It is not able to be referenced by outside process or communication, therefore not vulnerable. Core 2012.2 and earlier do not contain affected OpenSSL library. |

As always, please let us know if you have any questions or concerns, and we will address them straight away.