CVE-2021-35218: 
SolarWinds Platform vulnerability analysis and mitigation

CVE-2021-35218 is a deserialization of untrusted data vulnerability in the Web Console Chart Endpoint of SolarWinds Patch Manager that can lead to remote code execution. The vulnerability was discovered by researcher Jangggggg working with Trend Micro Zero Day Initiative and was disclosed on July 15, 2021. This vulnerability affects SolarWinds Patch Manager versions 2020.2.5 and earlier (SolarWinds Advisory).

The vulnerability exists within the Chart endpoint of SolarWinds Patch Manager and results from the lack of proper validation of user-supplied data, which can lead to deserialization of untrusted data. The vulnerability has been assigned CWE-502 (Deserialization of Untrusted Data). It received a CVSS v3.1 base score of 8.8 (High) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while SolarWinds assigned a score of 8.9 (High) with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (NVD, ZDI Advisory).

An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this vulnerability to execute arbitrary code in the context of NETWORK SERVICE and compromise the server. The vulnerability allows for high impacts on confidentiality, integrity, and availability of the affected system (ZDI Advisory).

SolarWinds has released version 2020.2.6 of Patch Manager to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (SolarWinds Advisory).