SolarWinds takes security seriously, and in addition to performing exhaustive internal security testing, we do our best to respond swiftly to any reported issue. On the heels of Heartbleed comes another OpenSSL "man-in-the-middle" vulnerability, called ChangeCipherSpec. In the spirit of transparency, the matrix below presents the results of our internal analysis of affected products.
Product | Status | Product Versions Affected | Disposition |
---|---|---|---|
LEM | OK | N/A | LEM uses OpenSSL as a server. As a server, OpenSSL is only vulnerable in versions 1.0.1 and 1.0.2-beta1. Regardless, we are updating to patched 0.9.8 to rule out any misconceptions. |
WHD | OK | N/A | |
Alert Central | OK | N/A | |
Patch Manager | OK | N/A | |
DameWare | OK | N/A | |
Virtualization Manager | OK | N/A | |
N-central | OK | N/A | |
FSM | OK | N/A | |
STM | OK | N/A | |
Serv-U | OK | N/A | |
FTP Voyager | ISSUE | N/A | Vulnerable client. Will be updated to 0.9.8za in FB345434. |
NCM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
Kiwi CatTools | OK | N/A | |
Kiwi Syslog | OK | N/A | |
EOC | OK | N/A | |
WPM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
SAM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
NPM | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
UDT | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
NTM | OK | N/A | |
NTA | OK | N/A | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library. Regardless, a hotfix has shipped and is available for download: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip |
FoE | OK | N/A | |
ipMonitor | OK | N/A | |
IPAM | OK | N/A | |
Mobile Admin | OK | N/A | MA clients do use OpenSSL libs for RDP client connection (OpenSSL v1.0.1e), but since this would only be used to connect to a Microsoft RDP server (which does not use OpenSSL), there is no vulnerable connection. The next MA client release will update to OpenSSL 1.0.1h anyway. FB345311 (iOS), FB345325 (Android) |
VNQM | OK | N/A | |
TFTP Server Free Tool | OK | N/A | |
SFTP/SCP Server Free Tool | OK | 1.0.3.20 - 1.0.4.31 | SFTP/SCP Server 1.0.3.20-1.0.4.32 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable. |
Toolset | OK | 10.9.1 - 11.0.0 | SFTP/SCP Server in Toolset 10.9.1 - 11.0.0 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable. |
SSH Client | OK | N/A | |
Clariion Monitor | OK | N/A | |
All other Free Tools | OK | N/A | |
As always, please let us know if you have any questions or concerns, and we will address them straight away.