Code Compromise - Why is guidance from SolarWinds different than that of DHS and SANS?

eroth

As of this morning 12/15/20202, SolarWinds is still saying the latest product with hotfix 1 is safe:

"We recommend taking the following steps related to your use of the SolarWinds Orion Platform:

SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment."

However DHS and SANS say, “affected versions are 2019.4 through 2020.2.1 HF1”.

Hopefully DHS and the security community are just being overly-cautious. If 2020.2.1 HF1 is compromised and SolarWinds is leading customers to believe it is safe then their PR problems are going to be compounded.

jason.carrier

We're in the process of working with DHS and SANS to get their pages updated.

This article provides steps to address the vulnerability and the SolarWinds Security Advisory describes it in more detail.