Key vulnerability information

SolarWinds CVEs

CVE-2023-2697: SolarWinds Observability Self-Hosted is susceptible to a Deserialization of Untrusted Data via Privilege Escalation vulnerability. This vulnerability requires authentication and results in low-severity local access to the host server.

Third-party CVEs

CVE-2024-1798: OpenSSL - Clients using RFC 7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because the verification failure does not abort the handshake. TLS 1.2 and TLS 1.3 connections using raw public keys may therefore be vulnerable to man-in-the-middle attacks when TLS clients and servers are configured to use RPKs. RPK use is disabled by default in both TLS clients and TLS servers. The issue only occurs when a TLS client explicitly enables RPK use by the server and the server does not disable it. In this case, TLS clients that rely on the handshake failing when the server's RPK fails public key verification will instead see errors; however, some TLS clients do not check for these errors. OpenSSL versions affected: 3.0.0 through 3.0.8.

CVE-2024-9142: OpenSSL - Memory out-of-bounds vulnerability. Use of the low-level OSSL_PARAM object curve-COFFs with non-canonical values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact: in the elliptic curve cryptography uses we are aware of, either "named curves" are pre-selected or "explicit parameters" are provided. OpenSSL versions affected: 3.0.0 through 3.0.8.

CVE-2024-13736: OpenSSL - Timing side-channel vulnerability. A timing side-channel in the ECDSA signature computation could potentially allow discovery of the private key. Impact summary: the timing side-channel is observable from within the signing application or over a very fast network connection with low latency. OpenSSL versions affected: 3.0.0 through 3.0.8.
These entries indicate that SolarWinds Platform 2025.2.1 fixes multiple security vulnerabilities, including SolarWinds' own CVEs and CVEs in third-party libraries such as OpenSSL.