SB2022101946 - Multiple vulnerabilities in SolarWinds Orion Platform
Published: October 19, 2022 Updated: March 29, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-36966)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to missing permission checks. A remote user with Node Management rights can view and edit all nodes due to Insufficient control on URL parameter.
2) Deserialization of Untrusted Data (CVE-ID: CVE-2022-36957)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the Web Console. A remote privileged user (admin-level permissions required) can pass specially crafted data to the application and execute arbitrary code on the target system.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2022-38108)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the web console. A remote privileged user can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2022-36958)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the web console. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36966
- https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36957
- https://www.zerodayinitiative.com/advisories/ZDI-22-1460/
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108
- https://www.zerodayinitiative.com/advisories/ZDI-22-1461/
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36958
- https://www.zerodayinitiative.com/advisories/ZDI-22-1459/