CVE-2021-35222

8.0 HIGH

📋 TL;DR

CVE-2021-35222 is a reflected cross-site scripting (XSS) vulnerability in the SolarWinds Orion Platform. An attacker who lures an authenticated user to a crafted link can execute arbitrary JavaScript in that user's session, effectively impersonating them. Through the Alerts Settings page this can lead to remote code execution (RCE). Organizations running affected SolarWinds Orion Platform versions are vulnerable.

💻 Affected Systems

Products:
  • SolarWinds Orion Platform
Versions: 2020.2.5 and earlier versions
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Alerts Settings page specifically. Requires user interaction (clicking malicious link) but can lead to RCE.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution, allowing attackers to execute arbitrary commands, steal credentials, and pivot to other systems.

🟠 Likely Case

Session hijacking, privilege escalation, and unauthorized actions performed by attackers impersonating legitimate users.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and security controls in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited through web interfaces accessible from the internet.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to authenticated attackers or those who can lure users to malicious links.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into clicking malicious links but leads to significant impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.6 Hotfix 1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35222

Restart Required: Yes

Instructions:

1. Download and install Orion Platform 2020.2.6 Hotfix 1 or later.
2. Apply all security patches.
3. Restart Orion services.
4. Verify installation via version check.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement proper input validation and output encoding for user-supplied data in web applications.

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to detect and block XSS payloads targeting the Alerts Settings page.

🧯 If You Can't Patch

  • Restrict access to Orion Platform to trusted networks only.
  • Implement strong authentication and session management controls.

🔍 How to Verify

Check if Vulnerable:

Check Orion Platform version via web interface or command line. Versions 2020.2.5 and earlier are vulnerable.

Check Version:

Check the web interface, or on the Orion server run (Windows PowerShell): Get-ItemProperty -Path 'HKLM:\SOFTWARE\SolarWinds\Orion' -Name 'Version'

Verify Fix Applied:

Verify installation of Orion Platform 2020.2.6 Hotfix 1 or later and test Alerts Settings page functionality.

📡 Detection & Monitoring

Log Indicators:

  • Script fragments or JavaScript URIs appearing in request parameters in web server logs
  • Suspicious requests to Alerts Settings page with XSS payloads

Network Indicators:

  • HTTP requests containing XSS payloads targeting /Orion/AlertSettings.aspx

SIEM Query:

source="web_logs" AND uri="/Orion/AlertSettings.aspx" AND (payload="<script>" OR payload="javascript:")

Field names above are placeholders for your log schema. Decode URL-encoded query strings before matching: reflected payloads normally arrive percent-encoded (sometimes double-encoded), so a literal match on "<script>" against the raw request line will miss them.
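A small detector implementing this query over web server logs, added here as an example and not SolarWinds code. It assumes IIS W3C-format lines with the field order given in the sample's #Fields header, and decodes the query string before matching so percent-encoded and double-encoded payloads are caught; the `stems` parameter lets it cover other pages as well.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style sample lines, not real traffic.  Field order is the
# assumed #Fields header; the third request is double-encoded to show why the
# query must be decoded before matching.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-01 10:00:01 10.0.0.5 GET /Orion/AlertSettings.aspx - 443 admin 10.0.0.9 Mozilla/5.0 200
2021-07-01 10:00:07 10.0.0.5 GET /Orion/AlertSettings.aspx name=%3Cscript%3E%3C/script%3E 443 admin 10.0.0.9 Mozilla/5.0 200
2021-07-01 10:00:09 10.0.0.5 GET /Orion/AlertSettings.aspx url=%25%33%43script%3E 443 admin 10.0.0.9 Mozilla/5.0 200
2021-07-01 10:00:12 10.0.0.5 GET /Orion/Login.aspx ReturnUrl=javascript:void(0) 443 - 10.0.0.9 Mozilla/5.0 302
2021-07-01 10:00:15 10.0.0.5 GET /Orion/AlertSettings.aspx view=script&month=7 443 admin 10.0.0.9 Mozilla/5.0 200
"""

TARGET_STEMS = ("/orion/alertsettings.aspx",)
# Markers from the page's SIEM query plus inline event handlers; \b keeps
# ordinary parameter names such as "month=" from matching the on...= form.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def decode_query(raw, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are exposed."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_requests(log_text, stems=TARGET_STEMS):
    """Return records for requests to `stems` whose decoded query has an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ")
        if line.startswith("#") or len(parts) < 11:  # directive or malformed line
            continue
        stem, query = parts[4], parts[5]
        if stem.lower() not in stems:
            continue
        decoded = decode_query(query) if query != "-" else ""
        match = XSS_MARKERS.search(decoded)
        if match:
            hits.append({"time": parts[1], "user": parts[7], "client": parts[8],
                         "stem": stem, "decoded_query": decoded, "marker": match.group(0)})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["client"], hit["marker"], hit["decoded_query"])
```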

🔗 References