As announced by SolarWinds President and CEO Sudhakar Ramakrishna in his Orange Matter blog, "Our Plan for a Safer SolarWinds and Customer Community," we're taking key steps to ensure the security and integrity of the software that we deliver to customers. SolarWinds uses a digital code-signing certificate to sign each software build and to help end users verify that the code comes from us. As part of our response to the SUNBURST vulnerability, the code-signing certificate used by SolarWinds to sign the affected software versions will be revoked on March 8, 2021. This is industry-standard best practice for software that has been compromised.
Regrettably, the same digital code-signing certificate used to sign our Orion Platform software affected by the SUNBURST vulnerability was also used to sign additional SolarWinds products not known to be affected by SUNBURST. While this does not mean all products are compromised, it does mean the day-to-day operation of any software signed by the compromised digital code-signing certificate may be impacted by a user’s operating system, antivirus, or endpoint protection software when the certificate is publicly revoked on March 8, 2021.
The full list of products is available in the table below.
We’ve obtained new digital code-signing certificates, rebuilt the affected versions, re-signed our code, and re-released all of the products previously signed with the certificate to be revoked. To ensure the performance of your SolarWinds product(s), you must upgrade to these new builds before March 8, 2021.
FREQUENTLY ASKED QUESTIONS (FAQ)
- Why are some digital code-signing certificates being revoked?
- What do I need to do?
- Where can I find a list of affected products?
- The deadline to update my software is March 8, 2021. Can I update early?
- What will happen on March 8, 2021, once the affected digital code-signing certificates are revoked?
- How can I find out what version of Orion Platform products I’m running?
- Should I manually revoke the certificate if it’s found on my system before March 8, 2021?
- Can I just replace the revoked code-signing certificate with the new one and keep my software running?
- I’m getting alerts from my antivirus and/or endpoint protection software that affected SolarWinds software has a low reputation score, or that it’s untrusted. What does that mean?
- Why do I need to reinstall or update software that wasn’t a part of the SUNBURST incident?
- What about SolarWinds software either fully certified or in the process of being certified against Common Criteria?
- What if I’m out of maintenance?