SolarWinds takes security seriously, and in addition to performing exhaustive internal security testing, we do our best to respond swiftly to any reported issue. With the recent heartburn around Heartbleed, the development teams at SolarWinds have been working feverishly to determine whether any of our products are affected. For those who may have missed the news, a few days ago a high-severity vulnerability in many versions of OpenSSL was made public and dubbed "Heartbleed." If you have a system serving up SSL content, you may well be impacted. Since the details have been covered ad nauseam by a variety of sources, we won't go into the nitty-gritty, but good primary source material may be found here: http://heartbleed.com/
While we do ship an OpenSSL library in our core platform that would be affected, it is not exposed as a service and is used in a limited outbound capacity. For this reason, and because our research has not located any vulnerabilities, we believe our products are not vulnerable to Heartbleed. Despite having zero known exposure to the vulnerability, we have released an OpenSSL library fix for Core to further put everyone's mind at ease: http://downloads.solarwinds.com/solarwinds/Release/HotFix/OpenSSL-Heartbleed-HotFix.zip [Revised 4/14/14 9:45am CST]
As everyone here hopefully is aware, we take community transparency quite seriously. In that spirit, please find the matrix below:
Product | Version | Status | Disposition |
---|---|---|---|
Alert Central | | OK | |
DameWare | | OK | |
DPA (formerly Confio Ignite) | | OK | |
EOC | | OK | |
FSM | | OK | |
FTP Voyager | | OK | |
IPAM | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
ipMonitor | | OK | |
Kiwi CatTools | | OK | |
Kiwi Syslog | | OK | |
LEM | | OK | |
Mobile Admin Server | | OK | |
n-Central | | OK | |
NCM | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
NPM | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
NTA | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
NTM | | OK | |
Patch Manager | | OK | |
SAM | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
Serv-U | | OK | |
SFTP/SCP Server Free tool | 1.0.3.20 - 1.0.4.31 | OK | SFTP/SCP Server 1.0.3.20 - 1.0.4.31 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable. |
Free SSH Client | | OK | |
Storage Manager | | OK | |
TFTP Server Free tool | | OK | |
Engineer's Toolset | 10.9.1 - 11.0.0 | OK | SFTP/SCP Server in Toolset 10.9.1 - 11.0.0 does contain the OpenSSL 1.0.1e library, but only for internal encryption. No external SSL service is referenced, so it is not vulnerable. |
UDT | >Core 2012.1 | OK | Orion Core >2012.1 does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
Virtualization Manager | | OK | |
VNQM | >Core 2012.1 | OK | Orion Core does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
WebHelpDesk | | OK | |
WPM | >Core 2012.1 | OK | Orion Core does contain the OpenSSL 1.0.1e library, but it is only used for outbound SNMPv3 AES communication. It cannot be referenced by an outside process or communication and is therefore not vulnerable. Core 2012.1 and earlier do not contain the affected OpenSSL library. |
As always, please let us know if you have any questions or concerns, and we will address them straight away.