Description
Brandon Perry has reported multiple vulnerabilities in multiple SolarWinds products, which can be exploited by malicious users to conduct SQL injection attacks.
Input passed via the "sort" and "dir" parameters to GetAccounts and GetAccountGroups is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are reported in the following products and versions:
* Network Performance Monitor versions prior to 11.5.
* IP Address Manager versions prior to 4.3.
* Server & Application Monitor versions prior to 6.2.
* Network Configuration Manager versions prior to 7.3.2.
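The parameters named above, "sort" and "dir", land in the ORDER BY clause, where column names and directions cannot be bound as query parameters. As an added example (not code from the advisory or from any SolarWinds product), the following Python/sqlite3 snippet places the concatenating pattern beside the hardened allowlist-mapped form; the table, columns and rows are constructed for the demonstration.

```python
"""ORDER BY handling for user-controlled "sort" and "dir" parameters.

Constructed demonstration: the schema, rows and function names are
assumptions for this example and stand in for an accounts listing.
"""
import sqlite3

# Constructed schema: three rows so sort results are unambiguous.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER);
INSERT INTO accounts (name, enabled) VALUES ('carol', 1), ('alice', 0), ('bob', 1);
"""

# Allowlists: the request value is a lookup key, never query text itself.
SORT_COLUMNS = {"id": "id", "name": "name", "enabled": "enabled"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_accounts_unsafe(conn, sort, direction):
    """Vulnerable pattern: request values concatenated into ORDER BY.

    Whatever arrives in `sort` and `direction` is executed as SQL, which is
    the defect class the advisory describes.
    """
    query = f"SELECT name FROM accounts ORDER BY {sort} {direction}"
    return [row[0] for row in conn.execute(query)]


def get_accounts_safe(conn, sort, direction):
    """Hardened pattern: only allowlisted identifiers reach the query text.

    Unknown columns or directions are rejected before any SQL is built.
    """
    try:
        column = SORT_COLUMNS[sort]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort column or direction")
    query = f"SELECT name FROM accounts ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(query)]
```

Detection for the fixed versions is the same idea in reverse: a request whose sort or dir value is not one of the handful of expected identifiers is worth logging.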
Vulnerable Products
Vulnerable Software:
* SolarWinds IP Address Manager (IPAM) 4.x
* SolarWinds Network Configuration Manager 7.x
* SolarWinds Network Performance Monitor 11.x
* SolarWinds Server & Application Monitor 6.x
Solution
Update to a fixed version.
* Network Performance Monitor: Update to version 11.5.
* IP Address Manager: Update to version 4.3.
* Server & Application Monitor: Update to version 6.2.
* Network Configuration Manager: Update to version 7.3.2.
CVE
CVE-2014-9566
References
Brandon Perry:
http://seclists.org/fulldisclosure/2015/Mar/18
Vulnerability Manager Detection
No
IPS Protection