SolarWinds Security Advisory

Recent as of December 20, 2020, 9:30pm CST

SolarWinds was the victim of a cyberattack on our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.

The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS), issued Emergency Directive 21-01 on December 13, 2020 regarding this issue. CERT issued Alert (AA20-352A), titled Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, as an update to ED 21-01 on December 17, 2020, based on our coordination with the agency. DHS released Supplemental Guidance to ED 21-01 on December 18, 2020, and CERT revised its Alert AA20-352A on December 19, 2020 as part of our ongoing coordination with the agency.

The latest information can be found here:

A Frequently Asked Questions (FAQ) page is available here, and we intend to update this page as we learn more information.

First, we want to assure you we’ve removed the software builds known to be affected by SUNBURST from our download sites. 

We recommend taking the following steps related to your use of the SolarWinds Orion Platform:

SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment. This version is currently available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2020.2.1 HF 2 Release notes here.

SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to Orion Platform 2019.4 HF 6, which is available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2019.4 HF 6 Release Notes here.

All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates.

If you are running Orion Platform version 2019.4 HF 4 or an earlier version, we do not believe that your system was compromised with this vulnerability, and we are therefore not recommending any action to protect against it.

You may need to synchronize your license prior to applying the hotfix. Please follow the steps here to kick off the synchronization of your license.

If you have disabled outward communication from your Orion license, please follow the "Activate License Offline" section from here.

Once you have successfully synched your license, please run the installer to install the hotfix.

Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this inserted vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by SUNBURST.

If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfix updates you have applied, please go here.
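The version guidance in this advisory can be applied to an inventory of Orion servers with a short script. The following is an added example, not SolarWinds code: it assumes version strings in the form "2020.2 HF 1", and the function names and sample hosts are hypothetical.

```python
import re

# Affected builds and their fixed versions, as stated in this advisory.
# Key: (release tuple, hotfix number); a build with no hotfix is hotfix 0.
AFFECTED = {
    ((2019, 4), 5): "Orion Platform 2019.4 HF 6",
    ((2020, 2), 0): "Orion Platform 2020.2.1 HF 2",
    ((2020, 2), 1): "Orion Platform 2020.2.1 HF 2",
}
# The advisory recommends no action for 2019.4 HF 4 and earlier.
LAST_PRIOR_BUILD = ((2019, 4), 4)

# Matches "2020.2", "2019.4 HF 5", "2020.2.1 Hotfix 2"; the lookarounds keep
# "2020.2.1" from being read as the affected release "2020.2".
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d{4}(?:\.\d+)+)(?!\.?\d)(?:\s*(?:HF|Hotfix)\s*(\d+))?",
    re.IGNORECASE,
)

def parse_version(text):
    """Return (release_tuple, hotfix) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    release = tuple(int(part) for part in m.group(1).split("."))
    return release, int(m.group(2) or 0)

def triage(text):
    """Classify one version string as (status, action) per the advisory."""
    parsed = parse_version(text)
    if parsed is None:
        return ("unparsed", "check the version manually")
    if parsed in AFFECTED:
        return ("affected", "upgrade to " + AFFECTED[parsed])
    if parsed <= LAST_PRIOR_BUILD:
        return ("prior", "not believed compromised; no action recommended")
    return ("not-listed", "not among the builds listed as affected")

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    inventory = {
        "orion-a": "Orion Platform 2020.2 HF 1",
        "orion-b": "Orion Platform 2019.4 HF 4",
        "orion-c": "Orion Platform 2020.2.1 HF 2",
        "orion-d": "Orion Platform 2019.4 HF 5",
    }
    for host, version in sorted(inventory.items()):
        print(host, version, *triage(version), sep=" | ")
```

A result of "not-listed" reflects only the statement in this advisory that the inserted vulnerability is not known to affect other versions; the mitigation guidance in the advisory still applies to those servers.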

If you cannot upgrade immediately, please follow the guidelines available here for your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform. Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers. 

Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module* (DPAIM*)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

User Device Tracker (UDT)

Network Performance Monitor (NPM)

NetFlow Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SRM)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)

*NOTE: Please note DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which we do not believe is affected.

SolarWinds products NOT KNOWN TO BE AFFECTED by this security vulnerability:

8Man

Access Rights Manager (ARM)

AppOptics

Backup Document            

Backup Profiler

Backup Server    

Backup Workstation        

CatTools

Dameware Mini Remote Control

Dameware Patch Manager           

Dameware Remote Everywhere

Dameware Remote Manager        

Database Performance Analyzer (DPA)

Database Performance Monitor (DPM)

DNSstuff             

Engineer’s Toolset 

Engineer's Web Toolset

FailOver Engine

Firewall Security Monitor       

Identity Monitor               

ipMonitor            

Kiwi CatTools

Kiwi Log Viewer

Kiwi Syslog Server

LANSurveyor

Librato

Log & Event Manager (LEM)

Log and Event Manager Workstation Edition 

Loggly

Mobile Admin

Network Topology Mapper (NTM)

Papertrail

Patch Manager  

Pingdom

Pingdom Server Monitor

Security Event Manager (SEM)

Security Event Manager Workstation Edition

Server Profiler

Service Desk

Serv-U FTP Server

Serv-U Gateway

Serv-U MFT Server

Storage Manager

Storage Profiler

Threat Monitor 

Virtualization Profiler

Web Help Desk    

SQL Sentry 

DB Sentry

V Sentry

Win Sentry

BI Sentry 

SentryOne Document 

SentryOne Test

Task Factory

DBA xPress

Plan Explorer

APS Sentry

DW Sentry

SQL Sentry Essentials

SentryOne Monitor

BI xPress

SolarWinds MSP Products:

N-central – Probe

N-central – Topology

N-central – NetPath

N-central

NetPath – Server

RMM

Backup Disaster Recovery

M365 Backup

Backup

Mail Assure

SpamExperts

MSP Manager

PassPortal

Take Control

Patch

Automation Manager

Webprotection

We have also found no evidence that any of our free tools, Orion agents, or Web Performance Monitor (WPM) Players are impacted by SUNBURST.

Our investigations and remediation efforts for these matters are early and ongoing. Thank you for your continued patience and partnership as we work through this situation. We are making regular updates to our Security Advisory page at solarwinds.com/securityadvisory and our FAQ page solarwinds.com/securityadvisory/faq. We encourage you to refer to these pages. If you have any questions regarding these issues, we are here to help, so please don’t hesitate to contact Customer Support at 1-866-530-8040 or swisupport@solarwinds.com.

 



