CVE-2021-35216: 
SolarWinds Patch Manager Agent vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2021-35216) was discovered in the SolarWinds Patch Manager Orion Platform Integration module. The vulnerability stems from insecure deserialization of untrusted data and affects Patch Manager versions 2020.2.5 and earlier. The vulnerability was discovered and reported by security researcher Jangggggg working with Trend Micro's Zero Day Initiative (ZDI Advisory, SolarWinds Advisory).

The vulnerability exists within the EditResourceControls endpoint of the Patch Manager application. The issue results from the lack of proper validation of user-supplied data, which can lead to deserialization of untrusted data. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H according to NVD, while SolarWinds assigned it a score of 8.9 (High) with vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows an authenticated attacker with network access via HTTP to execute arbitrary code in the context of NETWORK SERVICE on the affected system. The vulnerability can lead to complete system compromise, potentially affecting the confidentiality, integrity, and availability of the system (ZDI Advisory).

SolarWinds has released version 2020.2.6 of Patch Manager to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (SolarWinds Advisory).