

Vulnerabilities for Serv-U 10 and later versions


Updated February 24, 2017

Overview

This article lists the security vulnerabilities fixed in Serv-U v10 and later versions, together with the first build that fixes each one.

Environment

Serv-U v10 and later

Detail

Vulnerabilities fixed in v10 or later (since May 17, 2010):

Our security team recommends that you run at least the minimum version listed below for each issue. At least one of the vulnerabilities listed below was present since Serv-U 1.0; do not put your company at risk by running unpatched software.

  • Fixed in 15.1.1.108: OpenSSL libraries updated to 0.9.8zb. Additionally, SSLv2 and SSLv3 are disabled by default.
  • Fixed in 15.1.0.480: Several potential security issues. See the relevant release notes for details.
  • Fixed in 15.0.1.20: DoS vulnerability which could render Serv-U unresponsive.
  • Fixed in 15.0.0.0: Security issue allowing for possible SSL DoS attacks.
  • Fixed in 14.0.2.0: DoS vulnerability where clients could saturate Serv-U with SSL renegotiation requests that made Serv-U unresponsive.
  • Fixed in 12.1: DoS due to FTPS and HTTPS SSL/TLS session negotiation vulnerability. (Certain connections that failed to complete SSL negotiation could cause other connections to fail.) Also, DoS due to a crash caused by certain ways of terminating web administration sessions.
  • Fixed in 11.3: DoS due to a memory leak when certain HTTP/S and SFTP usernames were attempted.
  • Fixed in 11.2: Escalation of privilege (wrong set of folder permissions) due to incorrect parsing of folder permission rules on remote shares.
  • Fixed in 11.1.0.5: Escalation of privilege (chroot jailbreak) due to incorrect parsing of folder commands. (Secunia SA47021; discovered by kingcope; present since v1.0.)
  • Fixed in 11.0.0.4: Cross-site scripting (XSS) in Web Client.
  • Fixed in 10.3.0.1: Unauthorized use due to an improper password check in the SFTP interface.
  • Fixed in 10.2.0.0: Escalation of privilege (grant self permission to virtual folder). Also, DoS due to a crash caused by improper Web Client URL parsing.
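Because the fixed-in builds above use version strings of varying length (12.1 versus 11.1.0.5), a plain string comparison gives wrong answers when checking an inventory against this list. The following script is an added example, not SolarWinds code, that parses Serv-U version strings into comparable tuples and reports which of the issues listed in this article an installed build still predates. The FIXES table is transcribed from the list above; the sample build strings in the main block are constructed for illustration.

```python
"""Check an installed Serv-U build against the fixed-in versions in this article."""
import re
from typing import List, Tuple

# Fixed-in versions and short descriptions transcribed from the list above
# (newest fix first). Any build older than a fixed-in version still carries that issue.
FIXES = [
    ("15.1.1.108", "OpenSSL updated to 0.9.8zb; SSLv2/SSLv3 disabled by default"),
    ("15.1.0.480", "Several potential security issues (see release notes)"),
    ("15.0.1.20", "DoS that could render Serv-U unresponsive"),
    ("15.0.0.0", "Possible SSL DoS"),
    ("14.0.2.0", "DoS via SSL renegotiation flood"),
    ("12.1", "DoS via FTPS/HTTPS SSL/TLS negotiation; web admin session crash"),
    ("11.3", "DoS via memory leak on certain HTTP/S and SFTP usernames"),
    ("11.2", "Privilege escalation via folder permission rules on remote shares"),
    ("11.1.0.5", "Privilege escalation: chroot jailbreak (Secunia SA47021)"),
    ("11.0.0.4", "XSS in Web Client"),
    ("10.3.0.1", "Improper password check in SFTP interface"),
    ("10.2.0.0", "Privilege escalation via virtual folder; Web Client URL parsing crash"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.1.1.108', 'v12.1' or 'Serv-U 11.1.0.5' into a 4-tuple of ints.

    Missing trailing components are treated as 0, so '12.1' compares equal
    to '12.1.0.0' and strictly less than '12.1.0.1'.
    """
    m = re.search(r"(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def unpatched_issues(installed: str) -> List[Tuple[str, str]]:
    """Return (fixed_in, description) for every listed issue the build predates.

    An empty list means the build is at or above every fixed-in version listed.
    """
    v = parse_version(installed)
    return [(fixed, desc) for fixed, desc in FIXES if v < parse_version(fixed)]


def meets_minimum(installed: str) -> bool:
    """True when no listed issue applies to the installed build."""
    return not unpatched_issues(installed)


if __name__ == "__main__":
    # Constructed sample inventory entries; not real hosts.
    for build in ("Serv-U 11.1.0.3", "v12.1", "15.1.1.108"):
        issues = unpatched_issues(build)
        status = "OK" if not issues else f"{len(issues)} listed issue(s) unpatched"
        print(f"{build}: {status}")
        for fixed, desc in issues:
            print(f"  fixed in {fixed}: {desc}")
```

Feed it the version string from the Serv-U Management Console or the service binary's file properties; a build such as 11.1.0.3 is reported as still carrying the chroot jailbreak fixed in 11.1.0.5, whereas 11.1.0.5 itself is not.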
