PT-2015-4276 · Solarwinds · Solarwinds Orion Platform+8

Brandonprry · Published 2015-03-10 · Updated 2015-03-11 · CVE-2014-9566

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Solarwinds Orion Platform version 2015.1
Network Performance Monitor (NPM) versions prior to 11.5
NetFlow Traffic Analyzer (NTA) versions prior to 4.1
Network Configuration Manager (NCM) versions prior to 7.3.2
IP Address Manager (IPAM) versions prior to 4.3
User Device Tracker (UDT) versions prior to 3.2
VoIP & Network Quality Manager (VNQM) versions prior to 4.2
Server & Application Manager (SAM) versions prior to 6.2
Web Performance Monitor (WPM) versions prior to 2.2

Description

The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the dir or sort parameter to the "GetAccounts" or "GetAccountGroups" endpoint.

Recommendations

For Solarwinds Orion Platform version 2015.1, update to a version later than 2015.1.
For Network Performance Monitor (NPM) versions prior to 11.5, update to version 11.5 or later.
For NetFlow Traffic Analyzer (NTA) versions prior to 4.1, update to version 4.1 or later.
For Network Configuration Manager (NCM) versions prior to 7.3.2, update to version 7.3.2 or later.
For IP Address Manager (IPAM) versions prior to 4.3, update to version 4.3 or later.
For User Device Tracker (UDT) versions prior to 3.2, update to version 3.2 or later.
For VoIP & Network Quality Manager (VNQM) versions prior to 4.2, update to version 4.2 or later.
For Server & Application Manager (SAM) versions prior to 6.2, update to version 6.2 or later.
For Web Performance Monitor (WPM) versions prior to 2.2, update to version 2.2 or later.

As a temporary workaround, consider restricting access to the "GetAccounts" and "GetAccountGroups" endpoints until a patch is available. Avoid using the dir and sort parameters in these endpoints until the issue is resolved.
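A sort column and sort direction end up in an ORDER BY clause as identifiers, so they cannot be protected by bound parameters the way values can; the fix for this class of bug is to accept only allow-listed tokens. The following is an added example, not SolarWinds code, showing how an endpoint like "GetAccounts" could validate its sort and dir parameters before building the query; the Accounts table and its column names are assumptions.

```python
import sqlite3

# Allow-lists for the two ORDER BY tokens. Table and column names are
# assumptions for the example, not SolarWinds' real schema.
ALLOWED_SORT_COLUMNS = {"AccountID", "Name", "Enabled"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def is_allowed(sort: str, direction: str) -> bool:
    """True only when both tokens are exact members of the allow-lists."""
    return sort in ALLOWED_SORT_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def build_accounts_query(sort: str, direction: str) -> str:
    """Build the accounts SELECT; refuse anything not on the allow-lists.

    Nothing from the request is spliced into the SQL text: after the
    check, the tokens used are our own known-good literals.
    """
    if not is_allowed(sort, direction):
        raise ValueError(f"unsupported sort/dir: {sort!r} {direction!r}")
    return (
        f'SELECT AccountID, Name, Enabled FROM Accounts '
        f'ORDER BY "{sort}" {direction.upper()}'
    )


def get_accounts(conn: sqlite3.Connection, sort: str = "Name", direction: str = "ASC") -> list:
    """Run the validated query and return the rows."""
    return conn.execute(build_accounts_query(sort, direction)).fetchall()


def demo_connection() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (AccountID INTEGER, Name TEXT, Enabled INTEGER)")
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?, ?)",
        [(1, "admin", 1), (2, "guest", 0), (3, "ops", 1)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(get_accounts(conn, "Name", "desc"))
    try:
        get_accounts(conn, "Name; --", "ASC")  # constructed bad input
    except ValueError as exc:
        print("rejected:", exc)
```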

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2014-9566

Affected Products

Ip Address Manager
Netflow Traffic Analyzer
Network Configuration Manager
Network Performance Monitor
Server & Application Manager
Solarwinds Orion Platform
User Device Tracker
Voip & Network Quality Manager
Web Performance Monitor