SolarWinds urges customers to patch critical Web Help Desk flaw
SolarWinds has issued a warning to customers after the discovery of a critical vulnerability in the firm’s Web Help Desk solution.
The vulnerability, tracked as CVE-2024-28986, is a Java deserialization vulnerability that could be exploited to achieve remote code execution, the company confirmed in an advisory last week.
“SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,” the company said.
SolarWinds’ IT help desk software is used by a host of organizations globally, including private enterprises, government departments, and healthcare firms to automate help desk management processes.
SolarWinds confirmed a hotfix has been made available for users, and applies to Web Help Desk 12.8.3. This will require admins to manually add and modify specific files for the patch to work.
As part of this, the firm recommends admins create backup copies of original files before replacing them. This will ensure a smoother process in the event that the hotfix was not applied correctly.
Recommendations included in the SolarWinds advisory include:
- “If your WHD deployment on a public-facing server, install WHD 12.8.3 Hotfix 1.”
- “If your WHD deployment is NOT on a public-facing server, you can wait until SolarWinds releases a new hotfix.”
No other SolarWinds products or solutions are affected by the flaw.
SolarWinds users urged to patch out of an ‘abundance of caution’
In its advisory, SolarWinds confirmed the vulnerability could be exploited, but noted it has been unable to reproduce the flaw without authentication after “thorough testing”.
Despite this, the firm insisted users should apply the patch immediately. The flaw was given a critical severity score of 9.8, SolarWinds revealed, marking it as ‘critical’.
“Out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” the company said in its advisory.