San Antonio, TX – January 31, 2012 – Digital Defense, Inc. (DDI), a leading provider of managed cloud-based security assessments, disclosed a vulnerability within the LoginServlet page of the SolarWinds Storage Manager Server. This flaw could allow an attacker to extract sensitive information from the backend database using standard SQL injection exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system. DDI immediately notified SolarWinds of the finding.
DDI's Vulnerability Research Team (VRT), utilizing data provided by DDI's cloud-based Frontline™ Solutions Platform (FSP), provides the analytic expertise necessary to quickly identify previously unknown vulnerabilities, commonly referred to as “Zero-Day” issues. Within recent months, DDI's VRT has released multiple vulnerability disclosures, including those within widely used platforms such as the IBM® WebSphere® Application Server, the KnowledgeTree™ Online Document Management System and HP JetDirect Embedded Web Server.
“One of the key advantages of our cloud-based FSP platform is the wealth of information it provides to our researchers for data-mining and vulnerability analysis. Using “big data” analytics, in conjunction with our responsible disclosure policy, allows us to effectively bolster security awareness within the DDI client community and beyond,” states Larry Hurtado, Digital Defense president and CEO. “In addition, our ability to rapidly embed this ongoing vulnerability intelligence into the FSP allows clients and DDI security analysts alike to rapidly identify and address issues on vulnerable platforms.”
DDI is currently collaborating with SolarWinds on the matter and will post more information regarding the issue to the DDI Labs Blog as it becomes available.