
SolarWinds has released patches for two vulnerabilities in its Access Rights Manager (ARM) software that could compromise the security of networks running ARM, with impacts ranging from unauthorized access to remote code execution.
Deserialization of Untrusted Data Remote Code Execution
The first vulnerability, tracked as CVE-2024-28991 with a CVSS score of 9.0, allows remote code execution. An authenticated attacker could exploit this flaw to execute malicious code on the targeted system, potentially gaining complete control over the ARM application and access to sensitive data.
Hardcoded Credentials Authentication Bypass
The second vulnerability, tracked as CVE-2024-28990 with a CVSS score of 6.3, is a hardcoded-credential authentication bypass through which attackers could gain unauthorized access to the RabbitMQ management console, a key component of the ARM system.
SolarWinds strongly urges all users to update their ARM installations to version 2024.3.1 immediately to address both flaws and mitigate the associated risks.

