Redgate logo for print use

Overview

Redgate’s end-to-end Database DevOps solutions

Test Data Management

Reliable test data management, automating repetition out of the process

Automate

Automate and accelerate your database change management workflow

Monitor

Monitor your cross-database, multi-platform estate to ensure optimal performance

Redgate Test Data Manager

Improve your release quality and reduce your risk, with the flexibility to fit your workflow

Flyway

Automate database deployments across teams and technologies

Redgate Monitor

Understand server performance in an instant with fast deep-dive analysis

See all our products

Security vulnerability in SQL Monitor (CVE-2020-15526)

8th July 2020

Summary

SQL Monitor versions 7.1.4 to 10.1.6 (inclusive) have a security vulnerability whereby the scope for disabling some TLS security certificate checks can extend beyond that defined by various options in the Configuration > Notifications pages to disable certificate checking for alert notificartions. These TLS security checks were also ignored whenever VMware machines were being monitored.

This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks.

What's the risk?

A person performing man-in-the-middle attacks between SQL Monitor's base monitor and any of the following could potentially gain access to information present in alert notifications, including the names of monitored servers and databases, and the SMTP server credentials or exact URLs used to post these alerts:

In addition, if monitoring any SQL Server instances running on a VMware guest OS, the communication between SQL Monitor and the VMware hypervisors or VCenter servers could potentially be intercepted.

Communications between SQL Monitor and the Windows servers and SQL Server instances are not affected by this vulnerability, and Windows or SQL authentication credentials are not at risk. The SQL Monitor web server is not affected by this vulnerability, nor is traffic between users' browsers and SQL Monitor.

This vulnerability carries a CVSS 3.1 score of 4.7 (medium).

How can I resolve this vulnerability

SQL Monitor 10.1.7 fixes this vulnerability. This is a free upgrade for all licensed users of SQL Monitor 10.

If you cannot upgrade to SQL Monitor 10.1.7, the issue can be avoided by disabling any of the "Ignore SSL or TLS certificate errors" options for email or webhook notifications, and avoid monitoring SQL Server instances running on VMware guest OSes. A restart of the SQL Monitor base monitor will also be required.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.