Is anyone aware of a response from Solarwinds for NIST CVE-2019-8197 published on 02/18/2019?
NVD - CVE-2019-8917
Very curious about this also. My security team is pinging me about it and we can't upgrade to 12.4 until we get the new server purchased & everything migrated, which will be around June/July, since 12.4 requires Server 2016 SP1. We weren't expecting to need to move to 2016 so early.
That's where we are with it as well. I would just like to hear a response that 12.4 is the resolution or that they will hotfix 12.3 and/or 12.2
I had to contact Solarwinds support for something unrelated and asked them about this.
"As for the vulnerability, since you cannot upgrade to 12.4 to resolve the vulnerability, you can limit port 17777 to communication with other related Orion NPM servers. Port 17777 is required for all API users, Additional Polling Engines, Additional Web Servers, and Enterprise Operations Console. Users do not need access to port 17777 for normal use of the web console outside of direct API access."
So it sounds like the fix is to block the port.
So, I finally received a canned response to my support case. Their answer, of course, is to upgrade. They aren't interested in supporting their existing installed customer base who may not have the budget to upgrade but also can't proceed with such a glaring vulnerability. We have been fairly happy with the platform up until their response to this incident. Using a vulnerability to drive a major version change with such steep back-end requirements (which, I have no doubt, also translates to $$ for some percentage of installations that are outside their support contract) is just bad business practice. There are a number of other players in this segment and I think we will start entertaining some changes. At least they gave us a band-aid. Thanks for sharing that bit of info about where the vulnerability lives.
Author: Support Team - Technical Support Address [technicalsupport@solarwinds.com]
Hello
Thank you for contacting SolarWinds Technical Support.
Please be advised that this vulnerability claim has already been addressed in NPM 12.4. Regrettably, there is no workaround for NPM 12.3 and older versions.
I strongly suggest upgrading to the latest version. You may use the links below as reference:
https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/NPM_Documentation/NPM_12.4_system_requirements
https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/NTA_Documentation/NTA_Upgrade_Guide
Should you have additional questions, feel free to let us know.
I assure you that this is not for a lack of interest or desire, but rather feasibility. The nature of the security vulnerability is within the information service itself, which is essentially central to how virtually all data is shared between modules and the Orion Platform. That means such a change is not isolated in any one place, but literally everywhere throughout the entire product. Anything which consumes or displays data needed to be updated. At that point, this is no longer a 'patch'. That's an entirely new release.
I agree that would be a whole new version and not a "patch", but I believe the reason it's frustrating to many customers is because the new version that fixes this vulnerability requires Server 2016 or newer, while the version affected by the vulnerability runs on Server 2012. Server 2012 doesn't reach end of life until Oct 2023 so many customers haven't upgraded to Server 2016 yet, and therefore can't upgrade to the new version of NPM until they upgrade their OS, which is going to need to happen much earlier than expected.
That's a fair point AMidnightSoul, however there is a valid, and fairly simple mitigation strategy for this vulnerability. Restrict access to TCP Port 17777 exclusively to the Orion servers in the environment. This can be done using the Windows Firewall or on upstream routers and firewalls. With that one change alone you are protected from exploitation of this vulnerability.
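One way to apply that restriction with the Windows Firewall on each Orion server, covering both the support quote earlier in the thread and the mitigation just described. This is an added example, not SolarWinds code or guidance; the server addresses are hypothetical placeholders, and it assumes the standard NetSecurity cmdlets that ship with Server 2012 and later.

```powershell
# Added example (not SolarWinds' own script): scope every inbound Windows Firewall
# allow rule for TCP 17777 (the Orion Information Service port) so that only the
# other Orion servers can reach it. The address list is a hypothetical placeholder;
# replace it with your main poller, Additional Polling Engines, Additional Web
# Servers and EOC hosts. Run elevated on each Orion server.
$OrionServers = @('10.0.10.11', '10.0.10.12', '10.0.10.13')   # hypothetical addresses
$Port = 17777

# A firewall rule only matters if the profile is actually on; report that first.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Find every inbound allow rule that currently opens TCP 17777, whoever created it
# (the Orion installer adds its own rules, so do not assume a known rule name).
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if (-not $rules) {
    # No rule exists yet: create one that only the listed servers match.
    New-NetFirewallRule -DisplayName "Orion Information Service (TCP $Port) - Orion servers only" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $OrionServers -Action Allow -Profile Any | Out-Null
} else {
    # Narrow the existing rules rather than adding a Block rule: in Windows Firewall a
    # Block rule wins over any Allow rule, so a broad Block would also cut off the
    # pollers and web servers that legitimately need the port.
    $rules | Set-NetFirewallRule -RemoteAddress $OrionServers
}

# Verify: no inbound allow rule for 17777 should still list 'Any' as its remote address.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ', ') }
    } | Format-Table -AutoSize
```

After running it, confirm from a non-Orion host that a TCP connect to port 17777 is refused or times out, and confirm from each poller and web server that it still succeeds; anything that uses the SDK or API from outside the Orion servers (scripts, integrations) will now need its address added to the list, which is exactly the exposure the support note describes. The host firewall is a single layer, so the same scope belongs on the upstream firewall or router ACL as the reply above suggests.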