ARM 2024.3.1 release notes
Release date: September 12, 2024
Access Rights Manager 2024.3.1 is a service release providing bug and security fixes for release 2024.3. For information about the 2024.3 release, including EOL notices and upgrade information, see Access Rights Manager 2024.3 Release Notes.
Fixes
| Case number | Description |
|---|---|
|
01443343, 01572081 |
The Accounts screen in the Access Rights Manager application now displays the correct account information when you add or delete multiple accounts from a SharePoint group. |
|
N/A |
An error message no longer displays after you perform an Active Directory (AD) or File Server (FS) scan. |
|
01719845 |
After you restart the ARM Service, the GrantMA workflows in the Access Rights Manager Workflows tab now display in the tab window. |
|
01721548, 01736092 |
You can now access the Connection tab in the Settings menu. |
|
01721505, 01721609, |
ARM server host names that include numbers no longer break the connection between the ARM server and the collector. |
|
01331492, 01677939 |
An exception message no longer displays after you update the ARM server to version 2024.3. |
CVEs
Last updated: Sept 9th, 2024
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
SolarWinds CVEs
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2024-28990 | SolarWinds Access Rights Manager (ARM) Hardcoded Credentials Authentication Bypass Vulnerability | SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. . | 6.3 Medium | Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative |
| CVE-2024-28991 | SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution | SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. | 9.0 Critical | Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative |
Known issues
Last updated:
Configwizard error
In some cases where the ARM server fails to restart automatically after the update, an error occurs in the basic config while configuring the Rabbit MQ credentials.
Resolution or workaround: Manually restart the ARM service. If the error persists, delete the pnServer.messaging.config.xml file and restart the ARM service
Exchange scan fails
When you run a scan on Microsoft Exchange, the scan fails and the following message is displayed on your screen:
Abnormal process termination
Resolution or workaround: SolarWinds recommends repairing the ARM installation, as the account is set for the Exchange scan in ARM. For additional workarounds, contact SolarWinds Technical Support.
This issue is still under investigation.
Collectors do not reconnect to the ARM server after you restart the ARM Service
When you restart the ARM Service on the ARM server, the collectors do not reconnect to the ARM server.
Resolution or workaround: Restart the ARM Service on each collector machine. Repeat this process until each collector connects to the ARM Server. See ARM collectors do not connect after the update to ARM 2024.3 located on the SolarWinds Support website for instructions.
Legal notices
© 2024 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.