Introducing the Orion Platform 2020.2.6 Service Release

Our latest service release is the third release this year, and like the previous two, it focuses on hardening and improving the resilience of the Orion® Platform.

Our work so far this year has been a product of our Secure by Design program, crafted to address the emerging threat landscape.

2020.2.4 was released in January 2021, and together with the new digital code-signing certificate provided all necessary security fixes for SUPERNOVA and SUNBURST, originally released in 2020.2.1 HF 2 (released December 15, 2020). 

2020.2.5 followed in March 2021 and included a cumulative set of security improvements for the platform and for individual products, as well as some dashboarding improvements.

This current 2020.2.6 service release includes fixes for CVEs listed for the platform and for specific products in the Release Notes. There’s also broad hardening work designed to improve the resilience of your Orion Platform deployment and to help keep you and your data safe.

Collectively, these three releases prioritized security and hardening, and reflect the investment we’re making in evolving towards a Secure by Design culture.

 Hardening Work

In addition to the changes in the product build process outlined on the Secure by Design resources page, the software development teams have focused in multiple areas of the product to proactively harden the Orion Platform. Some of those areas include:

User Authorization

We improved the internal handling of user credentials and certificates, and the operations users are authorized to perform based upon their role or identity. The scope of our work covers the Orion Platform and multiple Orion Platform product modules and helps to correctly limit views of management data to individuals authorized to access it.

Improving our handling of authorization helps give customers the confidence to surface the right data to the right user, and manage risks associated with credential provisioning.

Cross-Site Scripting

Cross-site scripting (XSS) attacks the integrity of a user’s connection with the Orion Platform and can result in the injection of malicious code designed to execute on either the client browser, or on the server. We addressed the specific mechanisms designed to mitigate the risks of XSS, spanning the Orion Platform, and multiple of its modules.

Focusing on improvements to help secure the user’s connection is designed to provide the confidence to distribute information appropriately to users across the company.

Data Validation

Our data validation work focused in several areas. We addressed improvements in how data inputs are handled to ensure their integrity, and to maintain their integrity as they are stored or retrieved from the database. We also focused on improving protections for the integrity of data from malicious or inadvertent injection attacks on the database.

Improving data validation helps administrators to be confident that the data stored in the system is accurate and helps reduce the risks of data corruption – malicious or inadvertent.

Secure Data in Motion

Securing data in motion can include communications over the network and communications between processes on a server. We focused on improving the security of data communicated internally, or externally from the Orion Platform.

Securing data in motion supports data validation by reducing the risks of data leakage or tampering as processes share data.

Third-Party Packages

Third-party code packages are used for some standard, commodity functions to help improve the efficiency and consistency of common operations needed in multiple areas of our code. Our focus in this area was to examine and mitigate potential issues.

Examining these third-party packages and mitigating issues as identified helps gives our user confidence we’ve made appropriate use of shared, common functions we closely audit for secure implementation.

API Hardening

Application Programming Interfaces (APIs) provide controlled programmatic access to data, and they require authentication and authorization to provide access. We’ve added resiliency and enforced strict controls on both internal APIs and those exposed externally for integration.

By hardening these interfaces, we can continue to confidently expose them—and expand their functionality to support flexible integrations—while constantly working to make them even more resilient.

Denial of Service Hardening

A denial-of-service attack compromises the ability of a tool to properly function, and to respond to the user. Here, our hardening efforts also focused on resiliency and improving the Orion Platform’s responsiveness under this type of attack.

By supporting the overall resilience of the Orion Platform, we help mitigate the impact of these types of direct attacks.

 

Summary

With the delivery of these three service releases, you can expect to see CVEs called out explicitly in our release notes, and we’ll continue to identify opportunities to improve security and harden the product.

You can also expect us to update our “What We’re Working On” roadmap postings with information about new product features in progress. We’ll shift towards balancing the delivery of new product features within the framework of our Secure by Design process and continue to deliver security improvements in our ongoing releases.

The Server & Application Monitor and Virtualization Manager products are both releasing new features; follow the links to learn more about those. The Orion Platform also includes some improvements that benefit all Orion Platform users—check those out at the links above.

 As usual, this service release is available immediately in your Customer Portal.

You can review the release notes through the Customer Portal or navigate from the Orion Platform Release Summary.

Parents
  • So while I like the new updated UI for managing Custom Properties that is included in this release, there is a HUGE miss in it.  Honestly, I had no problem with the old Custom Property Editor, it was fine.  But, the new one seems to do exactly what the old one did and it definitely saves a few mouse clicks, which I appreciate.  

    Having said that, there is one single feature I have wished for in the Custom Property Editor for a very very very long time and it is not included in this new editor, which is extremely disappointing:  When working with entities that are children objects of Nodes, things like Interfaces, Volumes, and Application Monitors, I want to be able to filter/group/search/sort on Node Properties (both system properties and custom properties).

      There is no reason that shouldn't be quite easy to do considering throughout the product this can be done in other places.  The SWIS API itself has built in relationships between these child entities and their parent node tables, so why can't we access that in the Custom Property editor?

    As an example, when editing Application Custom Properties, why can't I filter by Node Vendor properties?  Or why can't I filter by Node Custom Properties?  Honestly, if you just left us the old custom property editor but added this feature in, I would be 1,000 times happier than getting a new UI version of the custom property editor.  

    Please, please please please add this ability.  It makes managing app/interface/volume custom properties so much harder without the ability to filter by node properties. I often have to go to silly extremes like creating copies of node custom properties in the Interface/Volume/App custom property tables and setting up an automated script that copies those node custom properties to the child entities' custom properties.  None of that would be necessary if you just added this quite simple feature into the Custom Property Editor. 

    How this did not make it into the new Custom Property Editor just blows my mind.  There are numerous Feature Requests dating back years and years for this and it just seems like a real no-brainer that would be appreciated by nearly every single Orion admin that has had to work with volume/interface/app custom properties before...  

  • Thank you for your feedback. This is a great example of a feature that doesn't necessarily show up on the front page of SolarWinds announcement, yet can be so crucial in the day to day administration of the tool. This is really true of Custom Properties in general for that matter. As a critical utility that feeds much of what we do in the platform it was important to do our best to ensure its integrity. This wasn't simply an exercise in making the same tool we had before "pretty" as we had some areas behind the scenes which also needed adjustment. While we did take the opportunity to enhance existing functionality, certain items did take priority. The Account Limitation Builder is one of those examples that needed to be modernized and a bit trickier than expected. The idea of adding Parent Object properties was discussed (even had mockups) and I agree would make a great addition here. In our conversations with customers, it has certainly come up from time to time. As you describe above, the power of the platform is  really drawing on that relational data to make it easier for those of us managing these complex environments. We will see what we can in a future release to accommodate this request. Please continue to share what changes would make valuable additions to you and your organization. We appreciate it.  

  • Yeah, I get it, and I'm glad to hear that it had some mockups and that you guys are really thinking about it.  It's just frustrating because as a person who has worked in Orion for almost 10 years now, this and a Manage Nodes page that lets us manage all object types instead of just Nodes are the two biggest features I've wanted.

    I hope it can make it in soon so that I can finally delete all my duplicate custom properties and my many automation scripts that copy the node custom properties down to the duplicate properties for Volumes/Interfaces/Applications.  

Comment
  • Yeah, I get it, and I'm glad to hear that it had some mockups and that you guys are really thinking about it.  It's just frustrating because as a person who has worked in Orion for almost 10 years now, this and a Manage Nodes page that lets us manage all object types instead of just Nodes are the two biggest features I've wanted.

    I hope it can make it in soon so that I can finally delete all my duplicate custom properties and my many automation scripts that copy the node custom properties down to the duplicate properties for Volumes/Interfaces/Applications.  

Children
No Data
Thwack - Symbolize TM, R, and C