Download Available:
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip
Hotfix 4 addresses the following issues:
- Multiple vulnerability issues
- Agent-Manager connection timeouts
- Incorrect free disk space values when raw logging is enabled
- Some log connectors running slowly
To Install Hotfix 4 on the LEM Appliance:
1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.
a. At the cmc> prompt, enter: manager
b. At the cmc::manager# prompt, enter: hotfix
2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.
a. For example: \\server\share\unzipped_hotfix_folder\hotfix
b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files.
c. When the installation completes, the cmc prompt reappears.
3. Reboot the appliance.
a. Exit the cmc::manager# prompt, then at the cmc> prompt, enter: appliance
b. At the cmc::appliance# prompt, enter: reboot
To install Hotfix 4 on the LEM Agents, use one of the following methods:
1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.
2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.
Mitigation and Upgrades
To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1, and applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure that default credentials are not in use.
Vulnerability Overview
As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.
Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.
Credit Statement
SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.
To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com
Descriptions
CMC command injection – allows an attacker to inject commands to escape the restricted shell.
Arbitrary command injection – allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647
Access Control – allows an authenticated user to browse the LEM server's filesystem and read the contents of arbitrary files - CVE-2017-7646
Postgres Database Service – allows access to the Postgres database service over IPv6 using hardcoded credentials. IPv4 is not affected by this vulnerability.
Arbitrary File Read – allows an attacker to edit the SSH logon banner and read arbitrary files.
Privilege Escalation – allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.
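The Postgres issue above is reachable over IPv6 only, so the practical question for an unpatched appliance is whether its Postgres port answers over IPv6 from the network position an attacker would hold. The following is an added example, not code from SolarWinds or from the hotfix: it probes the same host and port over IPv4 and IPv6 and reports the difference. It assumes PostgreSQL's default TCP port 5432 (the advisory does not name the port) and, for the offline demo, uses a constructed IPv4-only loopback listener in place of a real LEM appliance.

```python
import socket
import threading
from contextlib import closing

# Assumption: PostgreSQL's default port. The advisory does not state which
# port the LEM appliance's Postgres service listens on; confirm it per build.
POSTGRES_PORT = 5432


def tcp_reachable(host: str, port: int, family: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes over the given
    address family (socket.AF_INET or socket.AF_INET6)."""
    try:
        with closing(socket.socket(family, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            return True
    except OSError:
        # Refused, timed out, no route, or the family is unsupported here:
        # for this check all of these mean "not reachable over that family".
        return False


def probe_both_families(v4_host: str, v6_host: str, port: int) -> dict:
    """Probe the same service over IPv4 and IPv6 and report both results."""
    return {
        "ipv4": tcp_reachable(v4_host, port, socket.AF_INET),
        "ipv6": tcp_reachable(v6_host, port, socket.AF_INET6),
    }


def exposure_verdict(result: dict) -> str:
    """Summarise the result against the IPv6-only Postgres issue."""
    if result["ipv6"]:
        return "EXPOSED: Postgres port answers over IPv6; apply Hotfix 4"
    if result["ipv4"]:
        return "IPv4 only: the IPv6 Postgres issue does not apply from here, but patch anyway"
    return "not reachable over either family from this vantage point"


def demo() -> dict:
    """Offline demonstration with a constructed IPv4-only loopback listener
    standing in for an appliance reachable over IPv4 but not IPv6."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=accept_one, daemon=True).start()
    try:
        result = probe_both_families("127.0.0.1", "::1", port)
    finally:
        srv.close()
    result["verdict"] = exposure_verdict(result)
    return result


if __name__ == "__main__":
    # Against a real appliance, replace the loopback demo with, e.g.:
    # probe_both_families("198.51.100.10", "2001:db8::10", POSTGRES_PORT)
    print(demo())
```

Run it from a host that has both IPv4 and IPv6 routes to the appliance; a result of ipv4=False, ipv6=True is exactly the condition the advisory describes and means the hotfix should be applied before anything else.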
Cumulative Hotfix
The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:
- Scheduled nDepth search results limited to 50,000 events.
- Fixed ImportCert error when importing certificate after command failure.
- Fixed an issue that displayed the IP address instead of the FQDN/hostname in 'All Installed Agents'.
- Fixed an issue when an L4 Database appliance started with only 128MB of memory.
- Updates the Java platform to the latest version.
- Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
- Fixed agent-manager communication issues - periodic disconnect and others.
- Fixed an issue with nDepth log retention (logging missing date in raw records).
- Fixed an issue that prevents logging in to LEM if using UserPrincipalName with a custom alias or SAMAccountName with NETBIOS.
- Added the ability to use sub-alias LDAP environments.
- Removed field limitations in the normalized alert database.
- Fixed a log rotate issue that causes connectors to stop working if log lines are too long.
- Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
- Added the ability to configure custom LDAP groups for authentication.
- Set an agent memory limit for agents upgraded from older versions.
- Fixed other agent-manager communication issues.
- Additional improvements to assist customer support, including improved logging & added diagnostics.
- Fixed an issue where LEM could not download threat-feed IPs after the threat-feeds server certificate changed.
- Fixed an issue where a domain containing a dash could not be used in the LDAP configuration.
- Fixed an issue where a password could not be recovered when HTTP is disabled.
- Fixed an issue where exceptions during a fast evaluation were not logged.
Notes:
- This fix is applicable to LEM 6.3.1 only