On Tuesday, March 29, news of potential vulnerabilities in the Spring Framework was surfaced. The Spring Framework is a very popular framework used by Java developers to build modern applications and is owned by VMware.
Spring is providing regular updated via its support blog: Spring Framework RCE, Early Announcement
We have not received any reports of these issues from SolarWinds customers but are actively investigating. SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products from the internet.
- Security Event Manager (SEM)
Additionally, we recommend users of these products ensure they are referencing our best practices and recommendations as follows:
- Security Event Manager (SEM): Please review the Secure SEM section of SEM Administrator Guide
SolarWinds is actively investigating these vulnerabilities and will provide regular updates as new information becomes available and is validated. Out of an abundance of caution, we are working on updates to these products to include the latest version of the Spring Framework the Spring team has made available today, and we will alert customers to its availability once completed.
For the most recent information, please see SolarWinds Trust Center Security Advisories | Spring4Shell in the SolarWinds Trust Center.