Hackers getting in via NPM maybe

  • Anyone know anything about this?
    Rumors a patch may be coming concerning this
  • I'm kind of astounded that no official message - even just of acknowledgement - has been sent by SolarWinds to customers. Also, what rumors are you referring to? I haven't even seen an official list of affected products/versions. The article seems to indicate that something was piggybacked on update requests during a certain timeframe. Without more info, it's hard to do anything more refined than shut down the platform or remove all write privilege to service accounts.

  • Just logged a ticket with support. They indicate patches for 2019 and 2020 are coming 12/14 and 12/15 respectively. No other remediation steps available other than getting an updated .dll file from the Developers early. The updated .dll will be in the forthcoming patches.

  • Per Support:

    We have just been made aware that our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 through 2020.2.1.

    If customers ask for an ETA when the vulnerability will be resolved, please use the info below to set expectations with them.
    • 2020.2 Hotfix 2 will be available on Tuesday, Dec 15th
    • 2019.4 Hotfix 6 will be available on Monday, Dec 14th
    • Customers needing an immediate fix for 2019.4 Hotfix 5 can install a DLL provided by Engineering (more info about this from Engineering to come)
    ----------------------------------------------------------------------------------------------

    As per our discussion, this is the stated date on which the fix for the vulnerability will be released.
    For the immediate fix, we are still waiting for the official announcement from Engineering regarding full details.