By Brian M. Jacobs
Hey folks, this is Brian M. Jacobs, Senior Product Manager for the WhatsUp Gold family of network management products. I would like to let you know that a security researcher (who has been a big fan of WhatsUp Gold for many years) has informed us of a SQL injection vulnerability in the WhatsUp Gold v15.0.2 product. This vulnerability involves WhatsUp Gold running in a default deployment, in which administrators have privileged access to the database instance. For customers who wish to restrict access to their database, we already provide the capability to configure WhatsUp Gold to run with reduced database privileges. Details on how to implement reduced privilege operation can be found in our Database Migration and Management Guide. Based on our customers’ input, we are also working on security patches to limit all SQL injection-related vulnerabilities, regardless of database privilege level.
This is a great opportunity to discuss the commitment of Ipswitch and WhatsUp Gold to application security and software hardening.
We have always recommended that WhatsUp Gold be deployed behind firewalls so that it is not directly exposed to hackers and malicious attacks from the Internet, and this continues to be our firm deployment recommendation. We take the security of the product and the data stored within it very seriously; Ipswitch has invested and will continue to invest a great deal of time and energy to ensure that WhatsUp Gold remains a safe and reliable solution for IT management. These ongoing efforts include:
- integrating a multifaceted threat modeling practice into our software design and development processes.
- employing industry-leading third-party products and services to scan, test, and review our software for security issues and potential vulnerabilities.
- closely tracking industry security postings and resources to keep abreast of new and evolving threats that could impact our solutions or our customers.
- focusing on documenting best practices and recommendations for secure deployments.
- regularly training our support and development staff on security issues and best practices for addressing them.
Network and application security also requires a partnership between vendors (like Ipswitch) who provide the application software, and our users. We include extensive information on configuration recommendations and best practices in our product documentation to make securing your WhatsUp Gold solution as simple as possible. Of course, our highly trained support staff is available to assist when needed.
To wrap up, we recognize that no sophisticated software offering can be considered completely free of security concerns. However, Ipswitch is committed to our customers, partners, and prospects to ensure that WhatsUp Gold is as secure and reliable as possible. We actively encourage input from our customers, partners, and independent security researchers on threats and concerns, and we openly share the information we have as it becomes available. I thank you for all the support we have received from our users, partners, and employees, and we are looking forward to your continued participation.