Emergency Directive 21-01 – Supplemental Guidance v2 – Mitigate SolarWinds Orion Code Compromise.
Original Release Date: December 30, 2020
This guidance supplements the Emergency Directive (ED) 21-01 and Supplemental Guidance v1 issued on December 18, 2020.
Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
Orion Platform Version | Continued use of SolarWinds Orion permitted at this time | Update required? |
---|---|---|
Affected versions: 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 (should be powered down or removed from networks based on ED 21-01) | No | N/A |
All other versions that are currently online (if the instance did not previously use an affected version) | Yes | Yes (2020.2.1 HF2) |