Headline
CVE-2019-12181: Serv-U File Server 15.1.7 Release Notes
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
Release date: April 25, 2019
These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.1.7. They also provide information about upgrades and describe workarounds for known issues.
If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.
NPAPI is deprecated in Google Chrome. This means Web Client Pro will not function in Google Chrome. As a workaround, access Web Client Pro using another browser.
New features and improvements
Return to top
Serv-U 15.1.7 is a service release containing three hotfixes, and additional fixes, described here.
Previous releases
Serv-U 15.1.6 included the following new features and updates:
- Support for Explicit SSL when connected to SMTP server
- Support for HTTP Strict Transport Security
- Support for Elliptic-curve Diffie-Hellman (ECDH) key exchange
- Forward secrecy is enabled by default (new installations only)
- TLS 1.0 is disabled by default (new installations only)
- Disabled SSL/TLS ciphers based on 64-bit block size (new installations only)
- Support for Secure LDAP protocol (Windows installation only)
- Various fixes described in the Fixed Issues section.
Serv-U 15.1.5 was a service release containing security fixes, described in the Fixed Issues section.
Serv-U 15.1.4 was a service release containing two hotfixes, described in the Fixed Issues section.
Serv-U 15.1.3 was a service release containing two hotfixes, described in the Fixed Issues section.
For earlier Serv-U 15.x.x releases, please visit the Previous Versions page.
Fixed issues
Return to top
Serv-U 15.1.7 fixes the following issues.
Case Number
Description
423241
Fixed issue where writing files to disk could cause bottleneck
1197511
Corrected SSL error handling on Socket level
00063383
Fixed issue with service when sending download link to guest user
00068104
Corrected format for X-Csrf-Token HTTP header (FTP Voyager JV)
00159690
Fixed issue with ODBC database validation
00200302
CSRF issues resolved.
00186124
Can now add a user to a collection when the user exists in another collection
00204425
Serv-U no longer deletes incorrect files from directories with delete rules
00229117
Serv-U no longer response incorrectly when empty user name and password is used to log on
00284847
Issues in web management interface fixed
00061457
Special characters from E-mail notification template not sent correctly
00039051, 00081081, 00195143, 00263829, 00260387, 00218061, 1362493, 1338156
Updated jquery libraries
00054823, 1320710, 1335744
Files list returned corrected from LIST Command
00085995, 00201705
CVE-1999-0017 vulnerability fixed.
00187355, 00065590, 00053277, 00105077, 00123871
Multiple issues in SFTP protocol resolved
00240051, 00267281, 00260953, 00280283, 00285641
WinSCP upload issues resolved
n/a
Resolved a privilege escalation issue, logged as CVE-2018-19999 – with thanks to Chris Moberly at The Missing Link.
n/a
Resolved a privilege escalation issue, logged as CVE-2019-12181 – with thanks to Guy Levin (@va_start).
Serv-U 15.1.6 fixes the following issues.
Case Number
Description
961565, 1183341, 887731, 1123968, 1125053, 901145, 1091444, 1131439, 1080928, 796814, 799615, 787936, 1036534
Fixed an issue with limited top level domain.
1050275
Fixed an issue with long timeout where LDAP server was unavailable
166489, 1126605, 914000
Fixed an issue with SSH Ciphers description.
1186645, 979487
Fixed an impersonation issue during downloads.
1039205
Fixed an issue with password stale event.
1086638, 1209329
Fixed an issue with special characters in File Sharing notification template.
1129144, 1115351
Fixed a possible crash of Gateway.
1163543
Fixed an issue with user creation wizard.
1123779
Fixed a memory leak issue related to SFTP sessions.
1231876, 1233371, 1209874
Fixed broken links to support site.
1124857, 1181653, 1215831, 1223871, 1230986, 1241567, 1326419
Fixed an issue with bare line feed character.
Serv-U 15.1.5 fixes the following issues.
Case Number
Description
1110916
Fixed potential vulnerability with unauthenticated privilege escalation Reported by – Trustwave SpiderLabs Contact - Leopold von Niebelschuetz-Godlewski
904433, 804380
Fixed an issue with possibility of unauthorized access to the files in installation folder on web server. Reported by – www.netspi.com Contact - Cody Wass (Cody. [email protected])
1065565, 1061848, 1056263, 1054225, 1090081, 1045088
Fixed an issue where domain users were not able to login when ldap suffix was used.
741595
Fixed a memory leak issue that occurred during LDAP authentication.
951099, 1065736, 1022993
Fixed a memory leak issue that occurred during SFTP session.
882524, 909979, 871563, 867742, 867834, 981751, 877933
Fixed an issue with “Automatic idle connection timeout” limit.
Serv-U 15.1.4 fixes the following issues.
Case Number
Description
991668
ECDHE-RSA-AES256* ciphers shown as enabled or disabled correctly
954294
Long (encrypted) passwords issue fixed.
984664, 1003106, 993854
OpenSSL vulnerabilities - updated to 1.0.2h
932381
SHA-1 Cert deprecation (Previous cert was due to expire in January 2017)
984485, 887910, 741595
LDAP suffix issue fixed
844572, 894400, 953313, 910253, 881308, 914055, 990080
Web client Favorites fixed.
1005791, 1005383, 990956, 984664, 982577, 966856, 948270, 963296, 941118, 934566, 927375, 917616, 900288, 883047, 885033, 884883, 876306, 876820, 874853, 872968, 857502, 862922, 853433
Serv-U no longer freezes in FIPS mode during SFTP connections.
Serv-U 15.1.3 fixes the following issues.
Case Number
Description
872782, 864631
Case sensitivity issues occurred when configuring Directory Access rules.
n/a
An issue with LDAP public key authentication.
n/a
Memory leak occurs during LDAP authentication.
853136
An issue with the expired password change functionality.
868638
An issue with multi-line FTP responses for the FEAT command.
n/a
An issue with the possibility of SQL injection in the invitation link used by secure file sharing.
625348
An issue with the possibility of persistent cross-site scripting in file sharing.
n/a
An issue with the possibility of the injection of additional email headers using a crafter subject in an upload or download request.
Legal notices
Return to top
© 2019 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.