SolarWinds was the victim of a cyberattack on our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.
The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT) issued Emergency Directive 21-01 regarding the SUNBURST vulnerability on December 13, 2020. CERT issued Alert (AA20-352A), titled Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, as an update to ED 21-01 on December 17, 2020, based on our coordination with the agency.
A Frequently Asked Questions (FAQ) page is available here, and we intend to update this page as we learn more information.
First, we want to assure you we’ve removed the software builds known to be affected by SUNBURST from our download sites.
We recommend taking the following steps related to your use of the SolarWinds Orion Platform:
SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment. This version is currently available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2020.2.1 HF 2 Release notes here.
SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to Orion Platform 2019.4 HF 6, which is available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2019.4 HF 6 Release Notes here.
All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates.
If you are running a version prior to or equal to Orion Platform version 2019.4 HF 4, we do not believe that your system was compromised with this vulnerability, and we are therefore not recommending any action to protect against this vulnerability.
You may need to synchronize your license prior to applying the hotfix. Please follow the steps here to kick off the synchronization of your license.
If you have disabled outward communication from your Orion license, please follow the "Activate License Offline" section from here.
Once you have successfully synched your license, please run the installer to install the hotfix.
Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this inserted vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by SUNBURST.
If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfix updates you have applied, please go here.
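The version guidance above can be applied across an inventory of Orion servers with a short triage script. This is an added example, not SolarWinds code; the version-string format (for example "2020.2 HF 1"), the hostnames and the status labels are assumptions made for illustration.

```python
import re

# Assumed format: "<release> [HF <n>]", e.g. "2019.4 HF 5" or "2020.2".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)(?:\s+HF\s*(\d+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return (release tuple, hotfix); hotfix is 0 when none is installed."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized Orion Platform version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 2 and release[-1] == 0:  # treat 2020.2.0 as 2020.2
        release = release[:-1]
    return release, int(m.group(2) or 0)

def triage(text):
    """Map one version string to (status, action) following the advisory."""
    release, hotfix = parse_version(text)
    if release == (2019, 4) and hotfix == 5:
        return "known affected", "update to Orion Platform 2019.4 HF 6"
    if release == (2020, 2) and hotfix in (0, 1):
        return "known affected", "upgrade to Orion Platform 2020.2.1 HF 2"
    if (release, hotfix) <= ((2019, 4), 4):
        return "not believed compromised", "no action recommended"
    return "not known to be affected", "no action stated in the advisory"

def triage_inventory(inventory):
    """Triage a {host: version} mapping; unparseable entries are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = ("unparsed", "check the installed version manually")
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "orion-a": "2019.4 HF 5",
    "orion-b": "2020.2",
    "orion-c": "2020.2 HF1",
    "orion-d": "2019.4 HF 4",
    "orion-e": "2020.2.1 HF 2",
    "orion-f": "unknown build",
}

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}: {action}")
```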
If you cannot upgrade immediately, please follow the guidelines available here for your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform.
Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.
Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module* (DPAIM*)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
User Device Tracker (UDT)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
*NOTE: DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which we do not believe is affected.
SolarWinds products NOT KNOWN TO BE AFFECTED by this security vulnerability:
Access Rights Manager (ARM)
Dameware Mini Remote Control
Dameware Patch Manager
Dameware Remote Everywhere
Dameware Remote Manager
Database Performance Analyzer (DPA)
Database Performance Monitor (DPM)
Engineer's Web Toolset
Firewall Security Monitor
Kiwi Log Viewer
Kiwi Syslog Server
Log & Event Manager (LEM)
Log and Event Manager Workstation Edition
Network Topology Mapper (NTM)
Pingdom Server Monitor
Security Event Manager (SEM)
Security Event Manager Workstation Edition
Serv-U FTP Server
Serv-U MFT Server
Web Help Desk
SQL Sentry Essentials
SolarWinds MSP Products:
N-central – Probe
N-central – Topology
N-central – NetPath
NetPath – Server
Backup Disaster Recovery
SolarWinds Security Advisory page at solarwinds.com/securityadvisory.
Watch this video to hear more from SolarWinds President and CEO, Kevin B. Thompson.