
SUNBURST version numbers for DLLs

It would be really beneficial if SolarWinds would outline the version numbers of the compromised DLLs, providing something that system administrators can validate now as well as post HF 2 upgrade. Could updating the Security Advisory with this information be added?

Additionally, I would love to see SolarWinds modify their downloads page for the product to reflect the package date for the executable you are downloading. I conducted an upgrade on 11/16/2020 and everything indicates that I am on the latest HF currently available, but when I look at the Release Notes (states release was published on 10/29/20), Offline Installer Package (for the whole Orion Suite) (states 8/25/20, but I know if I download it and install it then I get HFs released after 8/25/20), and the HF Offline Installer (has a date of 11/25/20), none of the dates match!!!

  • Until the Hotfix is released, it would be premature to list specific DLL version numbers because there would be no remediation available.  However, if your software appears on the Security Advisory page, you should assume that it might be bad and should move to the Orion Core Hotfix 2 when it is released (currently scheduled for December 15 according to the previous link).

  • The security advisory also reads that you should "scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file."  Is that accurate? Remove SolarWinds.Orion.Core.BusinessLayer.dll regardless of the version??

  • Thanks for pointing out the confusion. We're working on getting the security advisory updated to be clearer on this point.

  • When the hotfixes are available, stop all Orion services and you can delete all copies of that file. A new, replacement one will be part of the software patching. Once complete you should only have a single version of that file anywhere in your monitoring infrastructure.

    Alternatively, if you elect to not manually delete the files, you can grab the version before and after the upgrade to validate the change.  Replacing this and other core files is a standard part of the upgrade process.

  • Thanks for the feedback. This request comes based on the Security Advisory listing the Orion Platform version numbers, it seems SolarWinds users are finding it difficult to determine if they are on 2020.2.1 Hotfix 1 (the mismatching package dates on the product's downloads page don't make this any easier), so maybe a list of affected DLL versions might assist.

    The verbiage in the Security Advisory would indicate that if I did a fresh install of SolarWinds straight to 2020.2.1 hotfix 1 then I would not meet the criteria of this statement: "SolarWinds asks customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1"

    Which SolarWinds can provide additional validation by providing the DLL version number that is affected. I mean, does this mean if I'm on 2020.2.1 Hotfix 1 I am safe? This is contradictory to everything else that has been provided and would indicate that I will not be safe until I apply the 2020.2.1 HF 2 when released. 

    I understand that ultimately regardless of the version you are currently on the recommendation is that once HF 2 is released you should upgrade to that, but the transparency in providing this level of detail would go a long way in assisting administrators and gaining back trust in the platform

  • And I get your request 100%, but there could be literally dozens of versions of that file. There's also a possibility that the bad DLL has mimicked a higher version number which would throw a list off. I'm of the mind that I will accept that they are all suspect and only care about the new versions.

    I can probably get a full list, but that could take days, maybe weeks, so in the spirit of getting everyone safe as quickly as possible, my personal recommendation is to move up and validate that the version number is different from any previous.
  • Does this mean that those on 2020.2.1 without hot fixes aren't affected? As it was presumably released after "Orion Platform v2020.2 with no hotfix or 2020.2 HF 1"?

    So in terms of chronology:

    2020.2 

    2020.2 HF1

    2020.2.1 - this version is "safe"?

    Obviously we'll apply HF2 when available but trying to understand the risk right now.

  • That's how I'm reading it currently.

  • That's the way that I'm reading the current Security Advisory as well, but I'm not privy to the inner details.  Regardless, I'm sure that more details will accompany the actual release notes for Orion Core 2020.2.1 HF2.

  • Yes it is unnecessarily confusing and points to a lack of version control or naming convention SOP which perhaps led to this mess.

    When I look at the bottom of my Orion site I see this:

    Orion Platform HF1, SAM HF1, NCM, Toolset, NPM HF1, NTA: 2020.2

    This seems to be the most up to date version, but the last update I applied was on June 28th if you look at the install date in the Windows Add/Remove programs UI on my Orion server.

    I downloaded the Solarwinds-Orion-HotFix-2020.2.1-OfflineInstaller.exe (again not following the standard, it should be 2020.2.HF.1 perhaps) which claims to have been built on Nov 25th and it indicated I already had the latest version installed when I tried to install it today.

    The DLL file as it exists on my system has a build date of May 11, 2020 11:33:50PM.

    Signing Cert Thumbprint: 47 d9 2d 49 e6 f7 f2 96 26 0d a1 af 35 5f 94 1e b2 53 60 c4

    SHA-256 Hash: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (FireEye indicates this is compromised but CISA does not?)

    File Version: 2020.2.5300.12432

    Giving us these specifics would save a lot of time and prevent the mouse chase.
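
The before-and-after validation suggested earlier in the thread, using the same attributes the last post lists (file version, SHA-256, signing thumbprint), can be scripted. This is an added example, not part of the original discussion and not SolarWinds code; the search roots, output file name and parameter names are assumptions to adjust for your install.

```powershell
# Added example: inventory every copy of the DLL so results can be compared
# before and after the hotfix. Run once before upgrading, then again with -CompareTo.
param(
    [string[]]$SearchRoots = @('C:\Program Files (x86)\SolarWinds', 'C:\inetpub\SolarWinds'),  # assumed install roots
    [string]$OutFile = ".\BusinessLayer-inventory-$(Get-Date -Format yyyyMMdd-HHmmss).csv",   # assumed name
    [string]$CompareTo   # optional: CSV written by an earlier run of this script
)

# SHA-256 quoted in the last post above; extend this list from the advisories you rely on.
$FlaggedSha256 = @('ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6')

$inventory = @(
    Get-ChildItem -Path $SearchRoots -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' `
                  -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path         = $_.FullName
            FileVersion  = $_.VersionInfo.FileVersion
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            Sha256       = $hash
            SigStatus    = $sig.Status
            Thumbprint   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            Flagged      = $FlaggedSha256 -contains $hash
        }
    }
)

$inventory | Export-Csv -Path $OutFile -NoTypeInformation
$inventory | Format-Table Path, FileVersion, Sha256, Flagged -AutoSize

# After the upgrade the thread expects a single version of the file everywhere.
$distinct = @($inventory | Select-Object -ExpandProperty Sha256 -Unique)
if ($distinct.Count -gt 1) { Write-Warning "$($distinct.Count) distinct builds of the DLL found" }

if ($CompareTo) {
    $before = @(Import-Csv -Path $CompareTo)
    # Compare by hash, not version: the thread notes a version number could be mimicked.
    $stale = @($inventory | Where-Object { $before.Sha256 -contains $_.Sha256 })
    if ($stale.Count) {
        Write-Warning 'Copies unchanged since the earlier run:'
        $stale | Format-Table Path, FileVersion, Sha256 -AutoSize
    } else {
        Write-Output 'Every copy has a different hash than in the earlier run.'
    }
}
```

Run it on the main server and on every additional polling engine or web server, and keep the CSVs as the record of what was installed before the change.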