This page covers the SolarWinds response to both SUNBURST and SUPERNOVA. For information about SUNBURST, go here. For information about SUPERNOVA, go here.

 
ABOUT SUNBURST

 

SolarWinds was the victim of a cyberattack on our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.

The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS), issued Emergency Directive 21-01 on December 13, 2020 regarding this issue, and has updated their guidance as part of our ongoing coordination with the agency. The latest information can be found on CISA’s Supply Chain Compromise page and continues to be updated as we learn more.

A detailed Frequently Asked Questions (FAQ) page is available here, and we intend to update this page as we learn more information.

We want to assure you we’ve removed the software builds known to be affected by the SUNBURST vulnerability from our download sites. 

Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this SUNBURST vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by the SUNBURST vulnerability.

If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfix updates you have applied, please go here.

 

Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:

  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module* (DPAIM*)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • User Device Tracker (UDT)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

*NOTE: Please note DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which we do not believe is affected.

 

SolarWinds products NOT KNOWN TO BE AFFECTED by this security vulnerability:

  • 8Man
  • Access Rights Manager (ARM)
  • AppOptics
  • Backup Document
  • Backup Profiler
  • Backup Server
  • Backup Workstation
  • CatTools
  • Dameware Mini Remote Control
  • Dameware Patch Manager
  • Dameware Remote Everywhere
  • Dameware Remote Manager
  • Database Performance Analyzer (DPA)
  • Database Performance Monitor (DPM)
  • DNSstuff
  • Engineer’s Toolset
  • Engineer's Web Toolset
  • FailOver Engine
  • Firewall Security Monitor
  • Identity Monitor
  • ipMonitor
  • Kiwi CatTools
  • Kiwi Log Viewer
  • Kiwi Syslog Server
  • LANSurveyor
  • Librato
  • Log & Event Manager (LEM)
  • Log and Event Manager Workstation Edition
  • Loggly
  • Mobile Admin
  • Network Topology Mapper (NTM)
  • Papertrail
  • Patch Manager
  • Pingdom
  • Pingdom Server Monitor
  • Security Event Manager (SEM)
  • Security Event Manager Workstation Edition
  • Server Profiler
  • Service Desk
  • Serv-U FTP Server
  • Serv-U Gateway
  • Serv-U MFT Server
  • Storage Manager
  • Storage Profiler
  • Threat Monitor
  • Virtualization Profiler
  • Web Help Desk
  • SQL Sentry
  • DB Sentry
  • V Sentry
  • Win Sentry
  • BI Sentry
  • SentryOne Document
  • SentryOne Test
  • Task Factory
  • DBA xPress
  • Plan Explorer
  • APS Sentry
  • DW Sentry
  • SQL Sentry Essentials
  • SentryOne Monitor
  • BI xPress

 

 

SolarWinds MSP Products:

  • N-central – Probe
  • N-central – Topology
  • N-central – NetPath
  • N-central
  • NetPath – Server
  • RMM
  • Backup Disaster Recovery
  • M365 Backup
  • Backup
  • Mail Assure
  • SpamExperts
  • MSP Manager
  • PassPortal
  • Take Control
  • Patch
  • Automation Manager
  • Webprotection

 

We have also found no evidence that any of our free tools, Orion agents, or Web Performance Monitor (WPM) Players are impacted by SUNBURST.

 

 
 
ABOUT SUPERNOVA

 

Over the last few days, third parties and the media publicly reported on malware now referred to as SUPERNOVA. Based on our investigation, this malware could be deployed through an exploitation of a vulnerability in the Orion Platform. Like other software companies, we seek to responsibly disclose vulnerabilities in our products to our customers while also mitigating the risk that bad actors seek to exploit those vulnerabilities by releasing updates to our products that remediate these vulnerabilities before we disclose them.

The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability in the Orion Platform has been resolved in the latest updates.

 

We constantly work to enhance the security of our products and to protect our customers and ourselves because hackers and other cybercriminals are always seeking new ways to find and attack their victims. We work closely with our customers to address and remediate any potential concerns, and we encourage all customers to run only supported versions of our products and to upgrade to the latest versions to get the full benefit of our updates, improvements, and enhancements.

 

RECOMMENDED ACTIONS

 

 
If you have already upgraded to Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, you are protected from both the SUNBURST vulnerability and the SUPERNOVA malware.

 

We recommend that all active maintenance customers of Orion Platform products, except those customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, apply the latest updates related to the version of the product they have deployed, as soon as possible. Please visit the Security Advisory page for instructions for and access to these updates.

 

These updates include versions:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

 

 
SolarWinds recommends that all Orion Platform customers upgrade their Orion Platform software to help ensure the security of their environment. 

 

  • If you have already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6, both the SUNBURST and SUPERNOVA vulnerabilities have been addressed and no further action is required at this time.
  • If you have not already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6, follow the guidance identified for your current version of the Orion Platform below to help ensure the security of your environment.

First, identify the version of the Orion Platform software you are using by reviewing the directions on how to check that here or refer to the image below. To check which updates you have applied, please go here.

 

From Orion Web Console 

 

All product versions are displayed in the footer of the Orion Web Console login page. See the example below of 2019.4 HF 4:
 

 

Second, we recommend taking the steps related to your use of your version of the SolarWinds Orion Platform per the table below:

 

| Orion Platform Version | Known Affected by SUNBURST? | Known Vulnerable to SUPERNOVA? | Recommended Action | Direct Link |
|---|---|---|---|---|
| Orion Platform 2020.2.1 HF 2 | NO | NO | No action needed | No action needed |
| Orion Platform 2020.2.1 HF 1 | NO | YES | Upgrade to 2020.2.1 HF 2 | customerportal.solarwinds.com |
| Orion Platform 2020.2.1 | NO | YES | Upgrade to 2020.2.1 HF 2 | customerportal.solarwinds.com |
| Orion Platform 2020.2 HF 1 | YES | YES | Upgrade to 2020.2.1 HF 2 | customerportal.solarwinds.com |
| Orion Platform 2020.2 | YES | YES | Upgrade to 2020.2.1 HF 2 | customerportal.solarwinds.com |
| Orion Platform 2019.4 HF 6 | NO | NO | No action needed | No action needed |
| Orion Platform 2019.4 HF 5 | YES | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.4 HF 4 | NO | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.4 HF 3 | NO | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.4 HF 2 | NO | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.4 HF 1 | NO | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.4 | NO* | YES | Upgrade to 2019.4 HF 6 (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |
| Orion Platform 2019.2 HF 3 | NO | YES | Upgrade to 2020.2.1 HF 2 (or apply 2019.2 HF 3 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2019.2_HF3_SecurityFix.zip |
| Orion Platform 2019.2 HF 2 | NO | YES | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2019.2_HF3_SecurityFix.zip |
| Orion Platform 2019.2 HF 1 | NO | YES | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2019.2_HF3_SecurityFix.zip |
| Orion Platform 2019.2 | NO | YES | Upgrade to 2020.2.1 HF 2 (or upgrade to 2019.2 HF 3 AND apply 2019.2 HF 3 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2019.2_HF3_SecurityFix.zip |
| Orion Platform 2018.4 | NO | YES | Upgrade to 2020.2.1 HF2 (or ensure you are running 2018.4 HF3 AND apply the 2018.4 HF3 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2018.4_HF3_SecurityFix.zip |
| Orion Platform 2018.2 | NO | YES | Upgrade to 2020.2.1 HF2 (or ensure you are running 2018.2 HF6 AND apply the 2018.2 HF6 Security Patch) | To upgrade, go to customerportal.solarwinds.com. Or, to apply security patch go to: https://downloads.solarwinds.com/solarwinds/Release/HotFix/2018.2_HF6_SecurityFix.zip |
| All prior versions | NO | YES | Discontinue use (or upgrade to 2020.2.1 HF 2) | customerportal.solarwinds.com |

 

All recommended upgrade versions are currently available at customerportal.solarwinds.com.

All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates. You may need to synchronize your license prior to applying the hotfix. Please follow the steps here to kick off the synchronization of your license. 

*If you have disabled outward communication from your Orion license, please follow the “Activate License Offline” section from here. Once you have successfully synched your license, please run the installer to install the hotfix.
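
For teams triaging several Orion servers at once, the version table above can be applied mechanically to the version strings read from each console footer. The following is an added example, not SolarWinds code: the function names, the version-string parsing and the sample inventory are assumptions, and a version string alone cannot show whether a standalone SUPERNOVA security patch has already been applied.

```python
import re

# Rules transcribed from the advisory's table. Function names and the
# version-string parsing are assumptions of this example.
SUNBURST = {((2019, 4), 5), ((2020, 2), 0), ((2020, 2), 1)}
FIXED = {((2019, 4), 6), ((2020, 2, 1), 2)}
# Highest hotfix level the table covers for each listed release.
MAX_HF = {(2020, 2, 1): 2, (2020, 2): 1, (2019, 4): 6,
          (2019, 2): 3, (2018, 4): 3, (2018, 2): 6}
# Releases with a standalone SUPERNOVA security patch (applies at MAX_HF).
PATCHED_RELEASES = {(2019, 2), (2018, 4), (2018, 2)}
LATEST = "2020.2.1 HF 2"
VERSION_RE = re.compile(r"(\d{4}(?:\.\d+){1,2})(?:\s*HF\s*(\d+))?", re.I)

def parse_version(text):
    """Return ((year, minor[, patch]), hotfix) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Orion Platform version in {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def triage(text):
    """Map a version string to the table's status columns and action."""
    release, hf = parse_version(text)
    if (release, hf) in FIXED:
        return {"sunburst": False, "supernova": False, "action": "No action needed"}
    # Every non-fixed row is listed as vulnerable to SUPERNOVA.
    result = {"sunburst": (release, hf) in SUNBURST, "supernova": True}
    name = ".".join(map(str, release))
    if release < (2018, 2):  # the "All prior versions" row
        result["action"] = f"Discontinue use (or upgrade to {LATEST})"
    elif release not in MAX_HF or hf > MAX_HF[release]:
        raise ValueError(f"{text!r} is not covered by the advisory table")
    elif release in PATCHED_RELEASES:
        base = f"{name} HF {MAX_HF[release]}"
        step = "" if hf == MAX_HF[release] else f"upgrade to {base} AND "
        result["action"] = f"Upgrade to {LATEST} (or {step}apply {base} Security Patch)"
    elif release == (2019, 4):
        result["action"] = f"Upgrade to 2019.4 HF 6 (or upgrade to {LATEST})"
    else:
        result["action"] = f"Upgrade to {LATEST}"
    return result

# Constructed sample inventory (footer strings), not real data.
SAMPLE = ["Orion Platform 2020.2 HF 1", "Orion Platform 2019.4 HF 4", "2019.2 HF 3"]
if __name__ == "__main__":
    for footer in SAMPLE:
        print(footer, "->", triage(footer))
```

Versions newer than those in the table raise an error rather than being reported as safe, so they are checked against current SolarWinds guidance instead.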

 

If you’re unable to upgrade at this time, we have provided a script that customers can install to temporarily protect their environment against the SUPERNOVA malware. The script is available at https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip.

 

If you cannot upgrade immediately, please follow the guidelines available here for your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform. 

WHAT ARE WE DOING TO HELP?

Our focus has been on helping our customers protect the security of their environments. Our commitment to our customers remains high, and we are introducing a new program designed to address the issues that our customers face.

We have developed a program to provide professional consulting resources experienced with the Orion Platform and products to assist customers who need guidance on or support upgrading to the latest hotfix updates. These consulting services will be provided at no charge to our active maintenance Orion Platform product customers. We want to make sure that customers working to secure their environments have the help and assistance they need from knowledgeable resources.

We intend to provide more information and details regarding this program next week on the Security Advisory page.

We continue to work with leading security experts in our investigations to help further secure our products and internal systems.