Introducing the Orion Platform 2020.2.6 Service Release

Our latest service release is the third release this year, and like the previous two, it focuses on hardening and improving the resilience of the Orion® Platform.

Our work so far this year has been a product of our Secure by Design program, crafted to address the emerging threat landscape.

2020.2.4 was released in January 2021 and, together with the new digital code-signing certificate, provided all necessary security fixes for SUPERNOVA and SUNBURST, which were originally released in 2020.2.1 HF 2 (released December 15, 2020).

2020.2.5 followed in March 2021 and included a cumulative set of security improvements for the platform and for individual products, as well as some dashboarding improvements.

This current 2020.2.6 service release includes fixes for CVEs listed for the platform and for specific products in the Release Notes. There’s also broad hardening work designed to improve the resilience of your Orion Platform deployment and to help keep you and your data safe.

Collectively, these three releases prioritized security and hardening, and reflect the investment we’re making in evolving towards a Secure by Design culture.

Hardening Work

In addition to the changes in the product build process outlined on the Secure by Design resources page, the software development teams have focused in multiple areas of the product to proactively harden the Orion Platform. Some of those areas include:

User Authorization

We improved the internal handling of user credentials and certificates, and the operations users are authorized to perform based upon their role or identity. The scope of our work covers the Orion Platform and multiple Orion Platform product modules and helps to correctly limit views of management data to individuals authorized to access it.

Improving our handling of authorization helps give customers the confidence to surface the right data to the right user, and manage risks associated with credential provisioning.

Cross-Site Scripting

Cross-site scripting (XSS) attacks the integrity of a user’s connection with the Orion Platform and can result in the injection of malicious code designed to execute either in the client browser or on the server. We addressed the specific mechanisms designed to mitigate the risks of XSS across the Orion Platform and several of its modules.

Focusing on improvements to help secure the user’s connection is designed to provide the confidence to distribute information appropriately to users across the company.

Data Validation

Our data validation work focused in several areas. We addressed improvements in how data inputs are handled to ensure their integrity, and to maintain their integrity as they are stored or retrieved from the database. We also focused on improving protections for the integrity of data from malicious or inadvertent injection attacks on the database.

Improving data validation helps administrators to be confident that the data stored in the system is accurate and helps reduce the risks of data corruption – malicious or inadvertent.

Secure Data in Motion

Securing data in motion can include communications over the network and communications between processes on a server. We focused on improving the security of data communicated internally, or externally from the Orion Platform.

Securing data in motion supports data validation by reducing the risks of data leakage or tampering as processes share data.

Third-Party Packages

Third-party code packages are used for some standard, commodity functions to help improve the efficiency and consistency of common operations needed in multiple areas of our code. Our focus in this area was to examine and mitigate potential issues.

Examining these third-party packages and mitigating issues as they are identified helps give our users confidence that we’ve made appropriate use of shared, common functions, which we closely audit for secure implementation.

API Hardening

Application Programming Interfaces (APIs) provide controlled programmatic access to data, and they require authentication and authorization to provide access. We’ve added resiliency and enforced strict controls on both internal APIs and those exposed externally for integration.

By hardening these interfaces, we can continue to confidently expose them—and expand their functionality to support flexible integrations—while constantly working to make them even more resilient.

Denial of Service Hardening

A denial-of-service attack compromises the ability of a tool to function properly and to respond to the user. Here, our hardening efforts also focused on resiliency and on improving the Orion Platform’s responsiveness under this type of attack.

By supporting the overall resilience of the Orion Platform, we help mitigate the impact of these types of direct attacks.


Summary

With the delivery of these three service releases, you can expect to see CVEs called out explicitly in our release notes, and we’ll continue to identify opportunities to improve security and harden the product.

You can also expect us to update our “What We’re Working On” roadmap postings with information about new product features in progress. We’ll shift towards balancing the delivery of new product features within the framework of our Secure by Design process and continue to deliver security improvements in our ongoing releases.

The Server & Application Monitor and Virtualization Manager products are both releasing new features; follow the links to learn more about those. The Orion Platform also includes some improvements that benefit all Orion Platform users—check those out at the links above.

As usual, this service release is available immediately in your Customer Portal.

You can review the release notes through the Customer Portal or navigate from the Orion Platform Release Summary.

Comments

  • In the release notes, it mentions that the Guest account was removed. Will this affect the DirectLink functionality? I know this may seem obvious, but I have always used the DirectLink as a guest account, hence my confusion.