SolarWinds Heartbleed impact roll-up - (Executive summary: Don't worry)

Level 17

SolarWinds takes security seriously, and in addition to performing exhaustive internal security testing, we do our best to respond swiftly to any reported issue. With the recent heartburn around Heartbleed, the development teams at SolarWinds have been working feverishly to determine whether any of our products are affected. For those who may have missed the news, a few days ago a high-severity vulnerability in many versions of OpenSSL was made public and dubbed "Heartbleed." If you have a system serving up SSL content, you may well be impacted. Since the details have been covered ad nauseam by a variety of sources, we won't go into the nitty-gritty, but good primary source material may be found here: http://heartbleed.com/

While we do ship an OpenSSL library in our core platform that would be affected, it is not exposed as a service and is used only in a limited outbound capacity. For this reason, and because our research did not locate any vulnerabilities, we believe our products are not vulnerable to Heartbleed. Despite having zero known exposure to the vulnerability, we have released an OpenSSL library fix for Core to further put everyone's mind at ease: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Security-HotFix.zip

[Revised 6/12/14 10:45am CST to include 1.0.1h]

As everyone here hopefully is aware, we take community transparency quite seriously. In that spirit, please find the matrix below:

Product | Version | Status | Disposition
Alert Central | | OK |
DameWare | | OK |
DPA (formerly Confio Ignite) | | OK |
EOC | | OK |
FSM | | OK |
FTP Voyager | | OK |
IPAM | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
ipMonitor | | OK |
Kiwi CatTools | | OK |
Kiwi Syslog | | OK |
LEM | | OK |
Mobile Admin Server | | OK |
n-Central | | OK |
NCM | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
NPM | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
NTA | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
NTM | | OK |
Patch Manager | | OK |
SAM | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
Serv-U | | OK |
SFTP/SCP Server Free tool | 1.0.3.20 - 1.0.4.31 | OK | SFTP/SCP Server 1.0.3.20 - 1.0.4.31 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable.
Free SSH Client | | OK |
Storage Manager | | OK |
TFTP Server Free tool | | OK |
Engineer's Toolset | 10.9.1 - 11.0.0 | OK | SFTP/SCP Server in Toolset 10.9.1 - 11.0.0 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable.
UDT | >Core 2012.2 | OK | Orion Core >2012.2 does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
Virtualization Manager | | OK |
VNQM | >Core 2012.2 | OK | Orion Core does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
WebHelpDesk | | OK |
WPM | >Core 2012.2 | OK | Orion Core does contain the OpenSSL 1.0.1e library, but it is used only for outbound SNMPv3 AES communication. It cannot be referenced by any outside process or communication, and is therefore not vulnerable. Core 2012.2 and earlier do not contain the affected OpenSSL library.
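The matrix above separates two questions an asset owner has to answer for every product: does it ship an OpenSSL build in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; 1.0.1g and later carry the fix), and if so, is that library reachable by a network peer? The following Python is an added example, not SolarWinds code, that parses OpenSSL version strings, classifies them against CVE-2014-0160, and combines the result with an exposure label to produce a triage verdict. The product names, version strings and exposure labels in SAMPLE_INVENTORY are constructed from the matrix for illustration; the LibraryFinding/triage/heartbleed_affected names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenSSL release strings look like "1.0.1e", "0.9.8y", "1.0.2-beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?$")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str, Optional[str]]:
    """Split an OpenSSL version string into (major, minor, fix, patch letters, pre-release tag)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letters, tag = m.groups()
    return int(major), int(minor), int(fix), letters, tag


def heartbleed_affected(text: str) -> bool:
    """True if this OpenSSL version contains the Heartbleed (CVE-2014-0160) defect.

    Affected: 1.0.1 (including its betas) up to and including 1.0.1f, and 1.0.2-beta1.
    Fixed:    1.0.1g and later. 0.9.8 and 1.0.0 never had the TLS heartbeat code.
    """
    major, minor, fix, letters, tag = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # Patch letters are single characters here, so lexical compare is safe ("" <= "f" too).
        return letters <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return tag == "beta1"
    return False


# Exposure labels as the asset owner records them. "outbound-untrusted" is counted as
# exposed because Heartbleed can also be triggered against a client by the server it
# connects to; "outbound-trusted" and "internal" are taken at face value.
EXPOSED_LABELS = {"listening", "outbound-untrusted"}


@dataclass
class LibraryFinding:
    product: str
    openssl_version: Optional[str]   # None when no OpenSSL is shipped
    exposure: str                    # none | internal | outbound-trusted | outbound-untrusted | listening


def classify(f: LibraryFinding) -> str:
    """Return one of four triage categories for a single finding."""
    if f.openssl_version is None:
        return "NO_OPENSSL"
    if not heartbleed_affected(f.openssl_version):
        return "NOT_AFFECTED_VERSION"
    if f.exposure in EXPOSED_LABELS:
        return "AFFECTED_EXPOSED"
    return "AFFECTED_NOT_EXPOSED"


def triage(findings: List[LibraryFinding]) -> List[Tuple[str, Optional[str], str, str]]:
    """Attach a category and an action to every finding."""
    actions = {
        "NO_OPENSSL": "nothing to do",
        "NOT_AFFECTED_VERSION": "library present but outside the affected range; no Heartbleed action",
        "AFFECTED_EXPOSED": "patch or upgrade immediately and rotate keys/credentials the service used",
        "AFFECTED_NOT_EXPOSED": "apply the vendor hotfix when available and verify the library is not network-reachable",
    }
    return [(f.product, f.openssl_version, classify(f), actions[classify(f)]) for f in findings]


# Constructed inventory drawn from the matrix; the last two rows are hypothetical.
SAMPLE_INVENTORY = [
    LibraryFinding("Orion Core >2012.2 (NPM/SAM/NCM/NTA/IPAM/UDT/VNQM/WPM)", "1.0.1e", "outbound-trusted"),
    LibraryFinding("Orion Core 2012.2 and earlier", None, "none"),
    LibraryFinding("SFTP/SCP Server 1.0.3.20 - 1.0.4.31", "1.0.1e", "internal"),
    LibraryFinding("Orion Core after OpenSSL hotfix (hypothetical 1.0.1h)", "1.0.1h", "outbound-trusted"),
    LibraryFinding("hypothetical third-party HTTPS server", "1.0.1f", "listening"),
]

if __name__ == "__main__":
    for product, version, category, action in triage(SAMPLE_INVENTORY):
        print(f"{product:70} {version or '-':10} {category:22} {action}")
```

Run it as-is to see the five verdicts; feed it your own inventory by building LibraryFinding records from whatever your software-inventory tool reports. The version check is deliberately strict about its input (it raises on strings it cannot parse) so that a malformed scanner export cannot silently turn into a "not affected" row.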

As always, please let us know if you have any questions or concerns, and we will address them straight away.

5 Comments
Level 11

Thank you for being so prompt and letting us know

Level 12

We really need this update.

Level 12

prowess, thanks for sharing this update.

Level 8

Heartbleed has client-side vulnerabilities beyond the more well-known server-side issues. Since you have been shipping an affected version of the OpenSSL library in your products, has this been considered in your above statements that your products are not affected?

Level 18

jmlivingston, great question. Yes. Based on our investigation, the products that have/ship with a vulnerable version of OpenSSL are NOT using the library in a way that executes the vulnerable code, for both client-side and server-side vulnerabilities.

Even so, we are still releasing hotfixes for the products that are shipping vulnerable OpenSSL versions just to be safe.

Please keep the questions coming. We know this is top of mind for all our customers right now, so we want to ensure we've addressed all concerns.

Thanks,

-Chris

About the Author
Former SolarWinds IT Former SolarWinds PM Current Director of PM @ Vyopta