Has Solarwinds provided any details on the below CVE's or how to resolve them?
CVE-2021-25274
CVE-2021-25275
CVE-2021-25276
https://www.zdnet.com/article/solarwinds-patches-three-newly-discovered-software-vulnerabilities/
Ok looks like those three were addressed in 2020.2.4 per the release notes:
https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm
Looks like 2020.2.4 was released on the 25th of Jan for this - however there is nothing specific about vulnerabilities fixed, was it just the new certificate that's included in 2020.2.4?
"The most severe vulnerability (CVE-2021-25275) could allow attackers to exploit a vulnerability in how Orion works with Microsoft Message Queue (MSMQ) to gain access to secured credentials in the backend and gain complete control over the entire Windows sever. This could be used to steal information or add new admin-level users to Orion.
A second vulnerability (CVE-2021-25274) could allow remote, unauthenticated users to run code in a way that allows the complete control of the underlying Windows operating system. This again could lead to unauthorised access to sensitive systems and servers."
https://www.solarwinds.com/securityadvisory
This isnt very clear whether or not 2020.2.1 HF2 is vulnerable. The table makes it look like 2020.2.4 is only to update the cert but the release notes mention the vulnerabilities. Frustrating again!!
Yes, personally I think the Security Advisory page should be updated to emphasize that 2020.2.4 should be upgraded to immediately. And we should have received communications from SolarWinds that 2020.2.4 is available - back on the 25th of January.
