The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2023.2. They also provide information about upgrades and describe workarounds for known issues.

Learn more

*   For information on latest hotfixes, see SolarWinds Platform Hotfixes.
*   For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
*   For information about requirements, see SolarWinds Platform 2023.2 System Requirements.
*   For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

Return to top

SolarWinds Platform 2023.2 offers the following improvements compared to previous releases of SolarWinds Platform.

*   Security improvements for external alert actions. Only users with server admin rights are able to create new external actions. See Approve alert actions executing a script.
    
*   SMTP authentication improvements
    
*   SSH security improvements
    

**Other improvements**

*   SolarWinds Platform Agent now supports RHEL 9.0.
    
*   Credential API now supports SAM.
    

**New customer installation**

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

**How to upgrade**

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2023.2. If you are on Orion Platform 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.2.

**Before you upgrade from 2020.2.x**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   The legacy syslog and traps functionality has been retired and replaced with new functionality called SolarWinds Log Viewer, which can be upgraded to Log Analyzer for additional capabilities. Current rules and history will automatically be migrated to the new logging functionality (SolarWinds Log Viewer or Log Analyzer). The functionality of SolarWinds Log Viewer and Log Analyzer has been improved to more closely match legacy functionality. See LA 2022.3 release notes for details.
    
    If you built syslog and trap alerts using custom SQL queries, they will not function after upgrading to 2022.3 or later. SolarWinds recommends you rewrite the alerts using SWQL (Orion.OLM entities) or using the alerting functionality built into Log Viewer/Log Analyzer.
    
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2020.2 or earlier.

**Fixed issues**

Return to top

SolarWinds Platform 2023.2 fixes the following issues.

 

Case Number

Description

1279130, 1281943,1287850,1290108, 1291149, 1301934, 1302724, 1306120, 1309026

The issues with saving the configuration archive on a network share were addressed.

1286152, 1288976, 1289910, 1290594, 1291107, 1297401, 1307087

The issue where date and time in custom reports did not match the format specified in Time Period was addressed.

1257590, 1280347

The issue where database maintenance was failing after the upgrade was addressed.

1121180

The issues with Azure Cloud Details views were addressed.

1232029

Removed SolarWinds Platform Agent plugins are marked for uninstallation after the upgrade.

1289446

The issue where SolarWinds Administration Service read and wrote the package type to an incorrect registry path was addressed.

1272370, 1273749

The issue where importing alerts with SQL macro variables was blocked for Admin users was addressed.

842639

The issue where time zones of SQL server and SolarWinds Platform polling engines showed a warning even when the zones were the same was addressed.

1052957, 1240424, 1245960, 1246538, 1256606, 1257671, 1266763, 1276328, 1267382, 1279002, 1280926, 1281291, 1283928, 1288216, 1290612, 1291755, 1295777, 1296218, 1297821, 1297859

SolarWinds Information Service performance issues when users without admin rights use PerfStack were addressed.

1270128

The issue where the Configuration Wizard failed when configuring the website because of an applicationHost.config error was addressed.

894237

The issue where Global search could not be disabled on some pages was addressed.

1278031

The issue where users could not set up new alerts using DateTime was addressed.

1229785, 1244480, 1274324

The issue where manually created connections on Maps only showed when the Auto-Generated connection box was selected was addressed.

1264223, 1279159

The issue where scalability engines could be upgraded to the version installed on the main polling engine when upgrades for the main polling engine were available was addressed.

N/A

The issue where the name of sender was not specified for some out-of-the-box alerts was addressed.

1125893, 1220248, 1239230, 1244512, 1249564, 1251466, 1254246, 1258643, 1258669, 1260390, 1261995, 1262474, 1264367, 1265533

The partition management during the Database Maintenance was optimized.

The issue where installation/upgrade failed because of a locked file was addressed.

1241480

The issue where the send trap alert action stops working after the upgrade from 2020.2.6 was addressed.

1236663, 1236783, 1241870, 1242442, 1244793, 1249353, 1251317, 1273624

The issue when attempting to add accounts was addressed.

1207061

The installation error while running the centralized upgrade was addressed.

1249722

The issues with the "less than X objects meet the condition" condition in alerts were addressed.

1245612, 1248898

The issues with the Configuration Wizard launching automatically was addressed.

1244008

The issue where custom charts changed behavior was addressed.

1229115

The issue where AmsProxy logs stopped logging on log level change was addressed.

1237514, 1243831, 1245680, 1274269, 1289216

The issue where the node last boot was displayed using UTC was addressed. Last boot is displayed using the local time.

1154578

The issue with loading Subcategory when creating a ServiceNow incident was addressed.

826160, 864527, 873077

The issue where no error message was displayed when the upgrade failed was addressed.

1239689, 1279354

The issue where the Permission Checker fails on upgrade from 2020.2.6 for additional polling engines was addressed.

1228441

The issue where the category was not parsed correctly in All Nodes widgets was addressed.

1234160, 1254686

The issue where proportional widgets do not parse statuses was addressed.

1205283

The issue where Windows Agents generated high CPU usage was addressed.

1228673

The issue where the installation fails if there is another suspended MSI installation in the system was addressed.

1214950

The issue where latency between polling engines was incorrectly indicated on the main server was addressed.

1216266

The issue with time zones of SQL server and the main polling engine was addressed.

1187919, 1209102

The issue with Fortinet Fortigate 101E incorrectly polling IP addresses was addressed.

1202271, 1246753, 1256631, 1259934, 1263843, 1282054, 1289795

The issue where scheduled unmanaging issues caused false positive alerts was addressed.

1217121, 1291663

The issue where upgrade from 2020.2.6 fails in the Circuit wizard when the bound HTTPS certificate is not available on the system anymore was addressed.

1194008

The issue where administrators could update the database with queries in the Add/Edit Report wizard was addressed.

1186572, 1288230

The issue where users could not save changed rows in Manage Entities was addressed.

1154256

The issue where users could not change the SNMPv3 credentials set for a node was addressed.

930171, 990401, 1048906, 1054670, 1095761, 1102507, 1208626

The issues with obsolete records in Cortex documents were addressed.

1163369

The issues with assigning a new dashboard as the default summary view were addressed.

1150632

The issue where the testing credentials for the execute external program alert action triggered the action instead of only validating the credentials was addressed.

1106632

The issues with using SQL/SWQL variables in the SMS alert action were addressed.

1128730

The issue where the Active Diagnostics test "Check Engines and OrionServers integrity" was case-sensitive was addressed.

1198603, 1204150, 1226617, 1228488, 1269783, 1278674, 1279332

The issue where the PerfStack real-time polling ignored account permissions was addressed.

1088944

The issue where volume charts behave differently for administrators and non-administrators was addressed.

318702, 874297, 932513, 1076268, 1200393

The issue where audit events for alert suppression showed time in UTC was addressed.

773793, 916997, 1092088

The issue where High Availability applications and components are not licensed was addressed.

631312, 807280, 817116, 1048102, 1051103, 1133802

The issues with latest baseline graphs were addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-47509

SolarWinds Platform Incorrect Input Neutralization Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

4.3 Medium

Juampa Rodriguez (@UnD3sc0n0c1d0)

CVE-2022-36963

SolarWinds Platform Command Injection Vulnerability

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-47505

SolarWinds Platform Local Privilege Escalation Vulnerability

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-23839

SolarWinds Platform Exposure of Sensitive Information Vulnerability

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

6.8 Medium

 

**Known issues**

Return to top

 

1310500

Configuration Wizard stops progressing

**Issue**: When you upgrade to 2023.2 RC1, the Configuration Wizard stops progressing, usually at 0-5% complete.

**Workaround**:

1.  Cancel the Configuration Wizard, for example by ending it in the Task Manager.
2.  Find INSTALL_PATH]\SWNetPerfMon.DB, for example in C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB, and open it for editing.
3.  Remove all empty lines from the bottom of the file and save your changes.
4.  Run the Configuration Wizard.

**End of life**

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**End of support**

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

 

Type

Details

Browser support

All versions of Internet Explorer are no longer supported.

**Deprecation notices**

Return to top

This version of SolarWinds Platform deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

Network Atlas

Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using SolarWinds Platform Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.

Port 17778

SWIS REST Endpoint on port 17778 is deprecated as of 2023.1 and will be replaced with port 17774 in a future release. SolarWinds recommends that you start migrating SWIS REST Endpoint to port 17774.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-23839: SolarWinds Platform 2023.2 Release Notes

### Impact
SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

### Patches
PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

### Workarounds
no

### References
no


**SQL filter bypass leading to arbitrary write requests using "SQL Manager"**

Critical severity GitHub Reviewed Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Apr 25, 2023

GHSA-p379-cxqh-q822: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.4

**Patched versions**

8.0.4, 1.7.8.9

**Description**

**Impact**

SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

**Patches**

PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

**Workarounds**

no

**References**

no

CVE-2023-30839: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.

**Security Advisory - CVE-2021-23166**

**Affects**: Odoo 15.0 and earlier (Community and Enterprise Editions)  
**CVE ID**: CVE-2021-23166  
**Component**: Core  
**Credits**: Nils Hamerlinck (Trobz)

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise  
15.0 and earlier allows authenticated administrators to read and write  
local files on the server.

**I. Background**

Odoo uses the Python library psycopg2 to interact with the PostgreSQL database.

**II. Problem Description**

The pyscopg2 library could be abused to access the local files of the server  
running the Odoo instance.

**III. Impact**

**Attack Vector**: Network exploitable  
**Authentication**: Privileged user account required  
**CVSS3 Score**: high :: 8.7  
**CVSS3 Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

A malicious administrator might be able to read or modify sensitive files stored  
on the server such as protected configuration secrets.

Systems who host Odoo databases for untrusted users are particularly at risk,  
(e.g. SaaS platforms), as they typically allow users to become administrators  
of their own Odoo database. This is sufficient to exploit the vulnerability.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

**IV. Workaround**

No workaround is available, updating to the latest revision or applying the  
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

**V. Solution**

Update to the latest revision, either via GitHub or by downloading it:  
https://www.odoo.com/page/download  
If updating is not an option, you may instead apply the patch corresponding  
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid  
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

**VI. Correction details**

The following list contains the patches that fix the vulnerability for  
each version:

*   13.0: c306ce2
*   14.0: 1f1e03f
*   15.0: 0122cb3
*   15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.

CVE-2021-23166: [SEC] CVE-2021-23166 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107687 · odoo/odoo

No exception handling vulnerability which revealed sensitive or excessive information to users.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.2. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.2 includes the following changes.

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Amazon RDS for MySQL 8.0

Monitored database instances

EDB Postgres 14

For more information, see the DPA 2023.2 system requirements and Database instances DPA can monitor.

**Security enhancements**

DPA 2023.2 includes security enhancements, including:

*   **HTTPS connections are now required.**
    
    To improve security, DPA 2023.2 accepts only HTTPS connections. Any attempts to connect using the HTTP connector port are automatically redirected to the HTTPS connector port.
    
    If you are upgrading from a previous version, please complete the tasks under Before you upgrade to ensure that all users can access DPA and that DPA Central can connect to all DPA servers.
    
*   **Tomcat and MS JDBC Driver are upgraded.**
    
    DPA now includes Tomcat 8.5.85 and MS JDBC Driver 12.2.0.
    

**Support for SAML authentication with Azure AD as the identity provider**

To configure DPA to use SAML authentication with Azure AD as the identity provider, see this topic.

**Fixed issues**

Return to top

DPA 2023.2 fixes the following issues.

 

Case number

Description

01206958, 01245439, 01265950

When DPA is monitoring a database instance on a VM with a large number of disks, the vSphere cleaner job runs as expected and cleans VM disk metrics for each granularity (seconds, 10 minutes, hours, days). This job removes old data from the DPA repository database, which prevents the repository from growing at a high rate and consuming excessive space and memory on the repository server.

01190371

Monitoring a Sybase database instance no longer fails with the error Monitor attempting to start - see log.

00960237

Monitoring an Oracle database instance no longer fails with the error Monitor for database [DB_name] failed in job [TextPollJob] due to [Underlying datasource has not been set.].

01200056

Configuring an Azure SQL DB repository database no longer fails because of missing properties. DPA automatically adds the required JDBC URL properties in the Advanced Connection Properties dialog box.

01105926, 01183265, 01225013, 01234101, 01241730

Health, connection status, and other data about monitored SQL Server Availability Groups (AGs) is updated as expected in the Availability Group Summary view.

01256667

When you are registering a database instance for monitoring and the com.confio.ignite.jdbc.sqlserver.useJtdsDriver property value is set to true in the system.properties file, DPA honors this setting and uses the jTDS JDBC driver.

01235456

DPA sorts index advisors based on the estimated time savings, listing advisors with the largest estimated savings first.

01179091, 01235460

DPA index advisors no longer display estimates savings percentages that are greater than 100%. When DPA detects that information from the database vendor is inconsistent, DPA displays 'Unknown'. For more information, see this KB article.

01183457, 01191341, 01194479, 01217066, 01311041

DPA index analysis no longer fails with errors such as Unable to run index analysis or Out of range value for column 'CARDINALITY' in the logs, and it no longer shows no recommendation when the table advisor recommends indexes.

01174998, 01179091

This release fixes an issue that caused DPA index advisors to recommend creating indexes that already existed or to create indexes that included table columns that did not exist.

01181748

DPA index analysis recommendations are no longer displayed one day and then missing the next even though the recommended indexes were not created.

01142556, 01166969, 01172735, 01273937

When deadlock alerts occur, DPA lists the deadlocks on the Deadlocks tab.

**SolarWinds CVEs**

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2023-23837

No Exception Handling Vulnerability

No exception handling vulnerability which revealed sensitive or excessive information to users.

Medium

CVE-2023-23838

Directory traversal and file enumeration vulnerability

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

Medium

**Third-party CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2020-26870

URL redirection vulnerability

Due to vulnerable Swagger UI version 3.27.0, URL redirection was possible, which can help attackers modify a URL and redirect a user to any other malicious site.

High

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

DPA 2023.2 includes fixes that might require changes to your DPA deployment. Before you upgrade, determine if you need to make the following changes:

*   If any users access DPA using HTTP (instead of HTTPS), redirect connection attempts that use the HTTP connector port.
    
*   If DPA Central is configured to access any DPA servers using HTTP, update the connection definitions.
    
*   If you monitor Db2 instances, update the permissions of the DPA monitoring user for each Db2 instance.
    

You can make these changes either before or after an upgrade. However, to ensure DPA availability and to avoid any gaps in monitoring Db2 instances, SolarWinds recommends making them **before** you upgrade to 2023.2.

**Redirect connection attempts that use the HTTP connector port**

To ensure that DPA is available to users who previously connected over HTTP, update the server.xml file to redirect traffic to the HTTP connector port (8123 by default) to the HTTPS/SSL connector port (8124 by default).

If the redirect is **not** added and users attempt to connect over HTTP after the upgrade, they will receive a message that the site can't be reached.

1.  Open the following file in a text editor:
    
    _DPA-install-dir_\iwc\tomcat\conf\server.xml
    
2.  Locate the Connector property below <!--HTTPS/SSL connector>, and note the port value. (By default, this is 8124.)
    
3.  Locate the Connector property below <!--HTTP connector>. Within the Connector property, add the following, where hpptsPortNumber is the port value noted in the previous step:
    
    redirectPort="hpptsPortNumber"
    
    For example:
    
    redirectPort="8124"
    
4.  If you make these changes after the upgrade, restart DPA for the changes to take effect.
    

**Update DPA Central connections to DPA servers**

If you use DPA Central, ensure that it is configured to connect to all DPA servers over HTTPS.

1.  Determine if DPA Central is configured to connect to any DPA servers over HTTP:
    
    1.  From the DPA menu in the upper-right corner, click Central.
        
    2.  Click Manage Central.
        
    3.  Verify that every server has a lock in the SSL column. If a server's SSL column does not display a lock, DPA Central is configured to connect to that server over HTTP.
        
2.  If one or more servers are configured to use HTTP, update each server's connection properties:
    
    1.  In the Registered Servers list, click the server's display name to open the Edit Server dialog.
        
    2.  Change the Port value to the port used for HTTPS connections (8124 by default).
        
    3.  Select SSL.
        
    4.  Click Save.
        

**Update the permissions of the DPA monitoring user for each Db2 instance**

DPA 2023.2 replaces six of the deprecated SNAP* functions that previous DPA versions used to monitor Db2 database instances. Because of this change, the DPA monitoring user requires additional privileges to monitor a Db2 instance. In addition to SYSADM permissions, the user requires EXECUTE privileges on certain tables. To monitor Db2 instances with DPA 2023.2 and later versions, modify the monitoring user's permission on each Db2 instance.

The required permissions can be granted in Db2 10.1 and later. DPA does not support monitoring earlier versions of Db2.

1.  Run the following commands to grant the DPA monitoring user EXECUTE privileges on the required tables:
    
        grant execute on function SYSPROC.MON_GET_DATABASE to userName;
        grant execute on function SYSPROC.MON_SAMPLE_WORKLOAD_METRICS to userName;
        grant execute on function SYSPROC.MON_GET_ACTIVITY to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_BUFFERPOOL to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TABLESPACE to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TRANSACTION_LOG to <USER_NAME>;
    
2.  To verify that the permissions were applied correctly, run the following command:
    
        select substr(authid,1,20) as authid
            , authidtype
            , privilege
            , grantable
            , substr(objectschema,1,12) as objectschema
            , substr(objectname,1,30) as objectname
            , objecttype
        from sysibmadm.privileges
        where objectschema ='SYSPROC' AND AUTHID='<USER_NAME>';
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Intermittent connection issues when monitoring IBM Db2 instances

**Issue**

When DPA monitors IBM Db2 instances, DPA is sometimes unable to connect to the instances. This occurs because DPA uses SNAP* functions to collect information from Db2 instances, and these functions have been deprecated by IBM.

In 2023.2 release most of the deprecated functions have been migrated. Please upgrade to 2023.2 and refer the KB for required permissions to monitor db2 in DPA.

NOTE: Migration has not been fully done in 2023.2 release. would be released soon with next deliverables.

**Resolution or Workaround**

None.

DPA 2023.2 replaces six of the deprecated SNAP* functions used in earlier DPA versions. The remaining SNAP* functions will be replaced in an upcoming release.

Because of this change, when you upgrade to DPA 2023.2, you must update the permissions of the DPA monitoring user for each Db2 instance.

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.2

**April 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.2 or earlier should begin transitioning to the latest version of DPA.

**August 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.2 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.2 or earlier.

DPA 2022.1

**January 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.1 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2023.2, but support will be removed in an upcoming release.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-23837: DPA 2023.2 Release Notes

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9


**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.3

**Patched versions**

8.0.4 and 1.7.8.9

**Description**

**Impact**

It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD\_FILE in a SELECT request. So It can access to critical information.

**Patches**

The patch will be on PS 8.0.4 and PS 1.7.8.9

CVE-2023-30545: Arbitrary file read

Red Hat Security Advisory 2023-1961-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: pcs security and bug fix update  
Advisory ID:       RHSA-2023:1961-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1961  
Issue date:        2023-04-25  
CVE Names:         CVE-2023-27530 CVE-2023-27539  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage EUS (v.8.4) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: Denial of service in Multipart MIME parsing  
(CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Command 'pcs config checkpoint diff' does not show configuration  
differences between checkpoints (BZ#2180703)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing  
2180703 - Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints [rhel-8.4.0.z]

6. Package List:

Red Hat Enterprise Linux High Availability EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

aarch64:  
pcs-0.10.8-1.el8_4.4.aarch64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.aarch64.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-27530  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/NtzjgjWX9erEAQiymRAAh7wVvEGzqhsCs1XGuq0lSzudo1boptSw  
PXKzaJampR25ecUOMs8QDELxNUuqsBbb1aDX3Y3oBLy3XEdkJb1sMErXCD1meOVH  
wDOP2GKuMO4YjwruV6QGZlgOhCtTpsvuvHYRGS6m6qiuvfSQlqmeofVwq/eUT3Kg  
SI4Ig8aNUOg3agF8YdSRVtrJZf+BfjZjjaldWSr/bWbHz2SgjTkJ/ZHCZ4UUCcgB  
L8Mi4pq4XDxXmLwJOguhOcEWKf8Y40X4sNPceOcV2WnPtH1FoyTy3Tck6Z4/lPh1  
MYVfuWlEuX0iwKMJ+rpW1NzOWML0Uc5P7MVb3br9XLgHvTpJa1v3LEwbBGBTHyzb  
E+E0Z/EhMqKsb3KL+VczTGXgznPH4g6lby/mlRwXI5HYBAu/2JVJU/awDHE+RQlb  
Xeux9vthG2Ncztfls8NMRE2/JLMV8sxWqYSPq3lmPxw7NwISvVE0NGDyu1ijEDBL  
6Q0yj0/kFCJx584uEAVXFFIDYLBIaiBB+bZNoGbDLDt/zjKXaeM/wFEHfFyI2yNp  
S8fCc4NxbhB2fE1Uqvpanxj54N4yVoqWYPSJLWd8AIvsaug6VbwhjDgncsNZZJCB  
D7Mg9eWqy6EF4nZ5wZVMOUoDlf/rF+Pk+SjOgE2phMPEXsAbfudMbPaEck1jCtMt  
KOfyPN8GR8I=l8Fw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1961-01

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2023-1020

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

Tag

#sql