We recently discovered a security vulnerability in SQL Monitor.
This issue has been assigned the Common Vulnerabilities and Exposures ID CVE-2015-9098.
This vulnerability would have made it possible for an attacker with network access to the web application or Base Monitor components of SQL Monitor to access information or perform actions without authorization.
This discovery was made in-house: we don't have any examples of anyone exploiting this vulnerability.
We're really sorry this has happened. We're continuing to work with security experts to make sure we handle this incident in the safest way possible for our customers and users.
We have discovered that the connection between the SQL Monitor web application and the Base Monitor service can be compromised.
This vulnerability exists in all released versions of SQL Monitor.
Note that this vulnerability does not exist in SQL Response, an older monitoring product that has been retired.
An attacker could circumvent SQL Monitor’s user role authentication mechanism (as described at http://documentation.red-gate.com/display/SM4/Managing+user+roles).
A determined attacker could create a malicious endpoint (e.g. a custom client, server, or proxy) to gain access to additional data communicated to and stored by a vulnerable Base Monitor service.
The following are additional mitigating factors:
We have made fixes available in both the v3 and v4 release streams of SQL Monitor.
Any SQL Monitor customer can upgrade to either of these releases, regardless of their support status.
Note: Under some circumstances, the SQL Monitor installer can report an error message "Port is not available". If you encounter this error, you will need to stop the SQL Monitor Windows services before you run the installation.
SQL Monitor [*] Base Service" (and, if you're using SQL Monitor's own web server "
SQL Monitor [*] Web Service") - where
[*]stands for the version you have installed.
If you are unable to upgrade SQL Monitor, then you could instead secure the port on the machine running the Base Monitor, to only allow connections from the web server running the SQL Monitor web application. The port used is configured during installation: the default port is 7399, but you can check this via the SQL Monitor UI (go to Configuration -> About).
Please note that, due to the wide variety of firewall technologies, Redgate cannot offer customer support on firewall configuration settings.
For SQL Monitor v4 customers upgrading to SQL Monitor v4.2:
For SQL Monitor v2 or v3 customers, upgrading to SQL Monitor v4.2:
For SQL Monitor v3 customers upgrading to SQL Monitor v3.10:
For SQL Monitor v2 customers, upgrading to SQL Monitor v3.10: