SolarWinds patches critical code execution bug in Orion Platform (March 2021)
SolarWinds has released security updates to address four vulnerabilities impacting the company's Orion IT monitoring platform, two of them allowing attackers to execute arbitrary code remotely.
The highest severity security flaw patched by SolarWinds on Thursday is a critical JSON deserialization bug that remote attackers can exploit to execute arbitrary code through Orion Platform Action Manager's test alert actions.
A second RCE vulnerability, rated high severity, was addressed in the SolarWinds Orion Job Scheduler; attackers could use it to execute arbitrary code remotely as an Administrator.
"If you are upgrading from Orion Platform 2015.1.3 or later, use the SolarWinds Orion Installer to simultaneously upgrade your entire Orion deployment to the current versions," SolarWinds explained.
Admins upgrading from an Orion Platform 2019.2 installation don't need to download the Orion Installer first.
SolarWinds patched three other critical vulnerabilities last month, one of them allowing remote unauthenticated threat actors to take over Orion servers.