DPA 2025.2 release notes
Release date: May 27, 2025
Here's what's new in Database Performance Analyzer 2025.2.
Learn more
- See the DPA release notes aggregator to view release notes for multiple versions of DPA on a single page.
- See DPA 2025.2 system requirements to learn about prerequisites for running and installing DPA 2025.2.
- See the DPA 2025.2 Administrator Guide to learn how to work with DPA.
New features and improvements in DPA
Last updated: June 17, 2025
AI Query Assist tech preview
DPA 2025.2 introduces AI Query Assist for SQL Server monitored instances, offered as a tech preview. This feature leverages SolarWinds AI to rewrite queries with the goal of improving the query's performance. For SQL Server targets, you can request a query optimization from the new AI Query Assist tab on the Query Detail page.
Optimization requires the selection of a SQL plan that SolarWinds AI will use along with the SQL text as input for its optimization suggestion. The feature is enabled if the monitored instance has a DBSH or DBSHDS license allocated and DPA's Platform Connect is configured with AI Query Assist enabled.
This feature's limits are 4 query optimizations per 24 hours for each monitored instance, and re-optimization of a query/plan combination can be done after 30 days. See Request optimization suggestions for a query from SolarWinds AI.
Support for IPv6
DPA 2025.2 supports IPv6 addresses in place of any IPv4 address. You can use IPv6 addresses for the DPA repository or for a monitoring database.
When using IPv6 addresses in place of IPv4/hostname in DPA, it is best practice to specify the IPv6 address in square brackets as shown in the examples below:
http://[::1]:8080/
http://[fd43:6204:8306:c708:250:56ff:fe98:9474]:3000/
PostgreSQL plan collection for SQL with parametrized queries
DPA 2025.2 now collects PostgreSQL plans for SQL with parametrized queries (queries that use bind variables). The Table Tuning feature, which relies on plans as input, will now be able to provide richer tuning insights.
Support for verify_ca and verify_identity
For MySQL database instances that use secure socket layer (SSL) in communications with the DPA server, the verify_ca and verify_identity options are now supported. You can specify these options in the Advanced Connection Properties field in the registration dialog. See Register a MySQL or Percona MySQL database instance for details.
If you are upgrading from a previous version, you can specify these options in the Update DB Instance Connection Wizard.
Fixes
Last updated:
| Case number | Description |
|---|---|
| 01843089, 01870106, 01885232, 01921564, 01870106 | Db2 database monitoring works for multiple databases as expected during the Start monitoring action and Stop monitoring action. |
| 01812654, 01896220 | The CONMPT/CONPPT table column size was adjusted to fix Data Truncation errors. |
| 01837988 | LDAP login is successful when the AD group name is enclosed in curly brackets { }. |
| 01866638 | The Loading Query Advisor loading prompt under the Tuning tab works as expected. |
| 01918897 | Alerts now function for monitored instances registered with gMSA accounts. |
CVEs
Last updated: 5/27/2025
Third Party CVEs
| CVE-ID | Vulnerability Title | Description | Severity |
|---|---|---|---|
| CVE-2025-31650 | Apache Tomcat Improper Input Validation Vulnerability | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue. | 7.5 High |
| CVE-2025-31651 | Apache Tomcat Improper Neutralization of Escape, Meta, or Control Sequences vulnerability | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. | 9.8 Critical |
| CVE-2024-38820 | Spring Framework DataBinder Vulnerability | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. | 3.1 Low |
| CVE-2024-22259 | Spring Framework URL Parsing Vulnerability | Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | 8.1 High |
| CVE-2024-34750 | Apache Tomcat Denial of Service Vulnerability | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. | 7.5 High |
| CVE-2024-38286 | Apache Tomcat Throttling Vulnerability | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. | 8.6 High |
| CVE-2024-50379 | Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. | 9.8 Critical |
| CVE-2024-52316 | Apache Tomcat Authentication Bypass Vulnerability | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. | 9.8 Critical |
| CVE-2024-54677 | Apache Tomcat Uncontrolled Resource Consumption Vulnerability | Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. | 5.3 Medium |
Installation or upgrade
For new installations, you can download the installer from the SolarWinds website or from the Customer Portal. For more information, see the DPA Installation and Upgrade Guide.
For upgrades, use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade. When you are ready, download the upgrade package from the SolarWinds Customer Portal.
Linux-based installations:
If you are upgrading from DPA 2024.4.200 or earlier to DPA 2025.2 on a Linux server, you must update the server.xml file.
See Upgrade DPA on Linux for instructions.
Windows-based installations:
If you are upgrading from DPA 2024.4.200 or earlier to DPA 2025.2 on a Windows server, the upgrade is handled by the installer. (The installer creates a new server.xml file and makes a backup of the previous server.xml file in the same location.)
However, if you added or changed any of the additional properties within the server.xml file in the past, you must manually update the new server.xml file created at C:\Program Files\SolarWinds\DPA\iwc\tomcat\conf\server.xml.
Known issues
Last updated: June 5, 2025
Naming SQL statements
After upgrading to DPA 2025.2, users can no longer name SQL statements. SQL statements that were named in a previous version retain their names, but new names cannot be assigned.
Resolution or workaround: This issue will be fixed in an upcoming service release.
End of life
Last updated:
| Version | EoL announcement | EoE effective date | EoL effective date |
|---|---|---|---|
| DPA 2023.2 | July 18, 2024 End-of-Life (EoL) announcement - Customers on DPA version 2023.2 or earlier should begin transitioning to the latest version of DPA. | October 18, 2024 End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2023.2 or earlier will no longer actively be supported by SolarWinds. | October 20, 2025 End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2023.2 or earlier. |
See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier DPA versions, see DPA release history.
Legal notices
© 2025 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.