Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

LEM v6.3.1 HOT FIX 4 IS NOW AVAILABLE


Download Available:

http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip

 

Hotfix 4 addresses the following issues:

  • Multiple vulnerability issues
  • Agent-Manager connection timeouts
  • Incorrect free disk space values when raw logging is enabled
  • Some log connectors running slowly

 

To Install Hotfix 4 on the LEM Appliance:

1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.

     a. At the cmc> prompt, enter: manager

     b. At the cmc::manager# prompt, enter: hotfix

2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.

     a. For example: \\server\share\unzipped_hotfix_folder\hotfix

     b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.

3. Reboot the appliance.

     a. Exit the cmc::manager# prompt or at the cmc# prompt, enter: appliance

     b. At the prompt, enter: reboot

 

To install Hotfix 4 on the LEM Agents, use one of the following methods:

1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.

2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.

 

Mitigation and Upgrades

To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1 & applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.

 

Vulnerability Overview

As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.

Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.

 

Credit Statement

SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.

To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com

 

Descriptions

CMC command injection allows an attacker to inject commands to escape the restricted shell.

Arbitrary command injection allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647

Access Control allows an authenticated user to browse the LEM server's filesystem and read contents of arbitrary files - CVE-2017-7646

Postgres Database Service allows hardcoded credentials access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.

Arbitrary File Read allows an attacker to edit the SSH logon banner & read arbitrary files.

Privilege Escalation allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.

 

Cumulative Hotfix

The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:

  • Scheduled nDepth search results limited to 50,000 events.
  • Fixed ImportCert error when importing certificate after command failure.
  • Fixed an issue that displayed the IP address instead of the FQDN/hostname in 'All Installed Agents'.
  • Fixed an issue when an L4 Database appliance started with only 128MB of memory.
  • Updates the Java platform to the latest version.
  • Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
  • Fixed agent-manager communication issues - periodic disconnect and others.
  • Fixed an issue with nDepth log retention (logging missing date in raw records).
  • Fixed an issue that prevents logging into LEM if using UserPrincipalName with a custom alias or SAMAccountName with NETBIOS.
  • Added the ability to use sub-alias LDAP environments.
  • Removed field limitations in the normalized alert database.
  • Fixed a logrotate issue that causes connectors to stop working if log lines are too long.
  • Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
  • Added the ability to configure custom LDAP groups for authentication.
  • Set an agent memory limit for agents upgraded from older versions.
  • Fixed other agent-manager communication issues.
  • Additional improvements to assist customer support, including improved logging & added diagnostics.
  • The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
  • Unable to use a domain containing a dash in the LDAP configuration.
  • Unable to recover a password when HTTP is disabled.
  • Exceptions during a fast evaluation are not logged.

Notes:

  • This fix is applicable to LEM 6.3.1 only
