SolarWinds takes security seriously, and in addition to performing exhaustive internal security testing, we do our best to respond swiftly to any reported issue. On the heels of Heartbleed comes a new OpenSSL "man-in-the-middle" vulnerability called ChangeCipherSpec. In the spirit of transparency, the matrix below shows the results of our internal analysis of which products are affected.

 

| Product | Status | Product Versions Affected | Disposition |
|---|---|---|---|
| LEM | OK | N/A | LEM uses OpenSSL as a server. As a server, OpenSSL is only vulnerable in versions 1.0.1 and 1.0.2-beta1. Regardless, we are updating to patched 0.9.8 to rule out any misconceptions. |
| WHD | OK | N/A | |
| Alert Central | OK | N/A | |
| Patch Manager | OK | N/A | |
| DameWare | OK | N/A | |
| Virtualization Manager | OK | N/A | |
| N-central | OK | N/A | |
| FSM | OK | N/A | |
| STM | OK | N/A | |
| Serv-U | OK | N/A | |
| FTP Voyager | ISSUE | N/A | Vulnerable client. Will be updated to 0.9.8za in FB345434. |
| NCM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| Kiwi CatTools | OK | N/A | |
| Kiwi Syslog | OK | N/A | |
| EOC | OK | N/A | |
| WPM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| SAM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| NPM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| UDT | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| NTM | OK | N/A | |
| NTA | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
| FoE | OK | N/A | |
| ipMonitor | OK | N/A | |
| IPAM | OK | N/A | |
| Mobile Admin | OK | N/A | MA clients do use OpenSSL libraries for the RDP client connection (OpenSSL v1.0.1e), but since this would only be used to connect to a Microsoft RDP server (which does not use OpenSSL), there is no vulnerable connection. The next MA client release will update to OpenSSL 1.0.1h anyway. FB345311 (iOS), FB345325 (Android) |
| VNQM | OK | N/A | |
| TFTP Server Free Tool | OK | N/A | |
| SFTP/SCP Server Free Tool | OK | 1.0.3.20 - 1.0.4.31 | SFTP/SCP Server 1.0.3.20-1.0.4.32 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, therefore it is not vulnerable. |
| Toolset | OK | 10.9.1 - 11.0.0 | SFTP/SCP Server in Toolset 10.9.1 - 11.0.0 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, therefore it is not vulnerable. |
| SSH Client | OK | N/A | |
| Clariion Monitor | OK | N/A | |
| All other Free Tools | OK | N/A | |

 

As always, please let us know if you have any questions or concerns, and we will address them straight away.