This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.


Download Available:

Hotfix 4 addresses the following issues:

  • Multiple vulnerability issues
  • Agent-Manager connection timeouts
  • Incorrect free disk space values when raw logging is enabled
  • Some log connectors running slowly

To Install Hotfix 4 on the LEM Appliance:

1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.

aAt the cmc> prompt, enter: manager

       bAt the cmc::manager# prompt, enter: hotfix

2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.

    1. a. For example: \\server\share\unzipped_hotfix_folder\hotfix
    2. b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.

3. Reboot the appliance.

     aExit the cmc::manager# prompt or at the cmc# prompt, enter: appliance

     bAt the prompt, enter: reboot

To install Hotfix 4 on the LEM Agents, use one of the following methods:

1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.

2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.

Mitigation and Upgrades

To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1 & applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.

Vulnerability Overview

As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.

Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority

Credit Statement

SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.

To report a potential vulnerability to SolarWinds, please email


CMC command injectionallows an attacker to inject commands to escape the restricted shell.

Arbitrary command injectionallows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647

Access Controlallows an authenticated used to browse the LEM servers filesystem and read contents of arbitrary files - CVE-2017-7646

Postgres Database Service allows hardcoded credentials access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.

Arbitrary File Read allows an attacker to edit the SSH logon banner & read arbitrary files.

Privilege Escalationallows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.

Cumulative Hotfix

The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:

  • Scheduled nDepth search results limited to 50,000 events.
  • Fixed ImportCert error when importing certificate after command failure.
  • Fixed an issue that display the IP address instead of the FQDN/hostname in 'All Installed Agents'.
  • Fixed an issue when an L4 Database appliance started with only 128MB of memory.
  • Updates the Java platform to the latest version.
  • Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
  • Fixed agent-manager communication issues - periodic disconnect and others.
  • Fixed an issue with nDepth log retention (logging missing date in raw records).
  • Fixed an issue that prevents logging in to LEM if using UserPrincipalName with a custom alias or SAMAccountName with NETBIOS.
  • Added the ability to use sub-alias LDAP environments.
  • Removed field limitations in the normalized alert database.
  • Fixed a log rotate issue that causes connectors to stop working if log lines are too long.
  • Fixed a single sign-on SSO issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
  • Added the ability to configure custom LDAP groups for authentication.
  • Set an agent memory limit for agents upgraded from older versions.
  • Fixed other agent-manager communication issues.
  • Additional improvements to assist customer support, including improved logging & added diagnostics.
  • The threat-feeds server certificate changed - LEM cannot download thread-feeds IPs.
  • Unable to use a domain containing a dash in the LDAP configuration.
  • Unable to recover a password when HTTP is disabled.
  • Exceptions during a fast evaluation are not logged.


  • This fix is applicable to LEM 6.3.1 only