We recently discovered a security vulnerability affecting all versions of SQL Monitor up to 8.0.18, whereby an already-logged-in user of SQL Monitor who is tricked into visiting a malicious website or link could unknowingly be forced to perform actions in SQL Monitor, as well as to reveal some types of data to the attacker.
There is no evidence that this vulnerability has been exploited in the wild, and no customer data has been exposed as a result of it - this is not a data breach. We strongly advise all SQL Monitor users to patch this vulnerability by updating to the latest stable release, 8.0.19, at their earliest convenience.
This vulnerability affects all SQL Monitor versions up to and including version 8.0.18. You can find your current version by opening SQL Monitor, navigating to the Configuration tab, and clicking About. Version 8.0.19, which resolves this vulnerability, was released as the new recommended stable release on October 10th 2018.
We strongly advise that you update SQL Monitor to the latest stable version, which as of today is version 8.0.19. If you are currently running a licensed copy of SQL Monitor 8.0.0 or above, are in the process of evaluating SQL Monitor, or have an active Support & Upgrades plan, this is a free upgrade.
You should download the latest version here and update each copy of SQL Monitor you are running.
If you are unable to update at this time, either because you don’t have an active Support & Upgrades plan or because timing makes it impossible, we suggest mitigating the dangers of this attack by only accessing SQL Monitor from your browser’s Private Browsing / Incognito mode. This vulnerability can only be exploited by targeting browser sessions which are already logged in to SQL Monitor, so isolating your use of SQL Monitor to a private session dramatically reduces the likelihood of malicious content having access to the SQL Monitor browsing session.
If you do not have a current Support & Upgrades plan in place but would like to update, please contact email@example.com to discuss your options.
Some areas of SQL Monitor were found to be vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. If an already-logged-in user of SQL Monitor is tricked into visiting a malicious website or link, the attacker could perform actions in SQL Monitor, including adding or removing servers and setting up custom metrics. They could also reveal some types of data. This would not directly include data from monitored servers, but could theoretically include monitoring data such as executed queries, which in some contexts could contain sensitive information.
To be successful, the attacker would also need to know the address of the SQL Monitor installation.
You can read more about the nature of these attacks on the website of the OWASP Foundation: XSS / CSRF.
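As an added illustration that is not Redgate's code and does not describe how SQL Monitor itself implements the fix, the following Python function shows the kind of server-side check that defeats the CSRF half of this issue: a state-changing request such as adding a server is accepted only when its Origin header names the SQL Monitor installation's own address and it carries an anti-forgery token bound to the logged-in session. The two request records are constructed samples, and the hostname sqlmonitor.example.internal and the server secret are assumed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed address of the SQL Monitor installation (placeholder host, not a real one).
SQL_MONITOR_BASE_URL = "https://sqlmonitor.example.internal"
# Constructed server-side secret used to derive per-session anti-forgery tokens.
SERVER_SECRET = b"constructed-secret-for-this-example"


def csrf_token_for_session(session_id: str) -> str:
    """Derive the anti-forgery token bound to one logged-in session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_request(request: dict) -> bool:
    """Accept a state-changing request only if it originates from the SQL Monitor
    site itself and carries the token bound to the caller's session.
    request = {"method", "headers", "cookies", "form"} (all plain dicts)."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so nothing to protect
    session_id = request["cookies"].get("session")
    if not session_id:
        return False  # no logged-in session: nothing for a forged request to ride on
    # 1. The browser-controlled Origin (or Referer) header must name our own site,
    #    which a page served from an unrelated site cannot arrange.
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    ours, theirs = urlsplit(SQL_MONITOR_BASE_URL), urlsplit(source)
    if (theirs.scheme, theirs.netloc) != (ours.scheme, ours.netloc):
        return False
    # 2. The form must carry the token that only a page served by us could have embedded.
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, csrf_token_for_session(session_id))


# Constructed samples: a genuine "add server" submission from a SQL Monitor page,
# and the same session cookie sent along with a request from a page on an unrelated
# site (the shape of the CSRF described above). The cookie rides along in both
# requests; only the first passes the check.
LEGIT_REQUEST = {
    "method": "POST", "headers": {"Origin": "https://sqlmonitor.example.internal"},
    "cookies": {"session": "abc123"},
    "form": {"csrf_token": csrf_token_for_session("abc123"), "server": "db01"},
}
FORGED_REQUEST = {
    "method": "POST", "headers": {"Origin": "https://other-site.example"},
    "cookies": {"session": "abc123"}, "form": {"server": "db01"},
}
```

Pairing this with a SameSite attribute on the session cookie gives a second, independent layer, since the browser then withholds the cookie from cross-site requests in the first place.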
As well as rapidly patching these issues, all developers have taken part in mandatory multi-day security training to supplement the training that was already in place. It remains our policy that all code is reviewed by at least one developer who has not worked on it before it is merged, which greatly reduces the likelihood of mistakes occurring.
In addition to significant security testing by the SQL Monitor team itself, we also engaged a third-party penetration testing company to conduct a further audit of SQL Monitor, which did not identify any additional issues.
We take security seriously, and will be considering other improvements to our processes to help make a vulnerability like this less likely in the future.