
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN079
_____________________________________________________________________

DATE                : 05/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Serv-U File Server versions prior to 15.2.2.

=====================================================================
https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-2_release_notes.htm
_____________________________________________________________________

Serv-U File Server 15.2.2 Release Notes

Release date: January 21, 2021

These release notes describe the new features, improvements, and fixed
issues in Serv-U File Server 15.2.2. They also provide information about
upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server,
see Previous Version documentation.

Additional Serv-U documentation includes:

    Serv-U Installation and Upgrade Guide
    Serv-U 15.2 Administrator Guide
    System Requirements
    Getting Started with Serv-U


New features and improvements

Serv-U 15.2.2 contains the following new features:

    Support for the following KEX algorithms (key exchange algorithms)
for SSH

        diffie-hellman-group-exchange-sha256
        diffie-hellman-group14-sha256
        diffie-hellman-group16-sha512

    OpenSSL has been updated
    A "Periodic buffer flush interval during SFTP file upload" setting
was added to Limits.

    To access this setting, navigate to the Limits and Settings screen
for Global or Domain, and select Advanced from the Limit Type dropdown.
The default is 300 seconds.

    Performance and stability improvements
    Security enhancements
    Serv-U 15.2.2 is signed with new code-signing certificate
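The useful check after an upgrade is whether the server actually offers the new SHA-2 key-exchange methods and whether it still advertises SHA-1 ones. The following is an added example (not Serv-U or SolarWinds code) that parses an SSH_MSG_KEXINIT as defined in RFC 4253 and classifies the offered KEX names; the sample packet it audits is constructed locally, and fetch_server_kexinit is a live helper that assumes the first line the server sends is its version string. The SHA1_KEX and MODERN_KEX sets are this example's own policy, not a list taken from the release notes.

```python
"""Parse an SSH_MSG_KEXINIT and audit the key-exchange (KEX) methods it offers.

Added example, not Serv-U code. Wire formats follow RFC 4253 (binary packet,
name-list, KEXINIT layout). The sample packet used below is constructed locally.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# KEX methods hashed with SHA-1 (RFC 4253, RFC 4419): treated as weak here.
SHA1_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
# KEX methods using SHA-2 (RFC 4419, RFC 8268, RFC 8731) and the libssh alias.
MODERN_KEX = {
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "curve25519-sha256", "curve25519-sha256@libssh.org",
}
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    """Read one RFC 4253 name-list: uint32 length + comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def unwrap_packet(data):
    """Strip unencrypted binary-packet framing: len, padlen, payload, padding."""
    if len(data) < 5:
        raise ValueError("short packet")
    packet_len = struct.unpack_from(">I", data, 0)[0]
    pad_len = data[4]
    if packet_len > 35000 or pad_len + 1 > packet_len or len(data) < 4 + packet_len:
        raise ValueError("bad packet framing")
    return data[5:4 + packet_len - pad_len]


def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id, then the 16-byte random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    # Trailing boolean first_kex_packet_follows and uint32 reserved are ignored.
    return out


def audit_kex(kex_list):
    """Classify offered KEX names; ok means at least one SHA-2 method is offered."""
    modern = [k for k in kex_list if k in MODERN_KEX]
    weak = [k for k in kex_list if k in SHA1_KEX]
    unknown = [k for k in kex_list if k not in MODERN_KEX and k not in SHA1_KEX]
    return {"modern": modern, "sha1": weak, "unknown": unknown, "ok": bool(modern)}


def build_kexinit(kex, host_key=("ssh-rsa",), enc=("aes256-ctr",),
                  mac=("hmac-sha2-256",), comp=("none",)):
    """Construct a KEXINIT payload for the offline sample (cookie zeroed)."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for items in (kex, host_key, enc, enc, mac, mac, comp, comp, (), ()):
        body += nl(items)
    return body + b"\x00" + struct.pack(">I", 0)


def wrap_packet(payload, block=8):
    """Frame a payload as an unencrypted SSH binary packet (>= 4 bytes padding)."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live check: send our version string, read the server's, then its KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        buf = b""
        while b"\n" not in buf:  # assumes the first line is the version string
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("closed before version string")
            buf += chunk
        banner, rest = buf.split(b"\n", 1)
        while len(rest) < 4 or len(rest) < 4 + struct.unpack_from(">I", rest, 0)[0]:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("closed before KEXINIT")
            rest += chunk
    return banner.strip().decode("ascii", "replace"), parse_kexinit(unwrap_packet(rest))


if __name__ == "__main__":
    # Constructed sample: a server offering one SHA-1 and two SHA-2 DH groups.
    sample = wrap_packet(build_kexinit(["diffie-hellman-group14-sha1",
                                        "diffie-hellman-group14-sha256",
                                        "diffie-hellman-group16-sha512"]))
    print(audit_kex(parse_kexinit(unwrap_packet(sample))["kex"]))
```

Against a live host, `fetch_server_kexinit("sftp.example.invalid")` returns the server's version string and its name-lists; a result whose "sha1" list is non-empty means clients can still be negotiated down to a SHA-1 group exchange, which is the condition to fix in the server's SSH settings once 15.2.2 is in place.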

If you upgrade from version 15.1.7 or older, 15.2.2 increases password
security: existing MD5 password hashes are automatically re-hashed with a
stronger algorithm the first time each user logs in after the upgrade
(the plaintext is only available at that moment, so accounts that never
log in are never migrated).

If an account is not used within 90 days of the upgrade, access to it is
restricted and the user can no longer log in; an administrator must then
set a new password for that user.
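The migration described above is a lazy re-hash with a deadline: the old hash is verified once more, the stronger hash is written while the plaintext is in hand, and after the grace period an un-migrated account is refused even with the right password. The following added example (not Serv-U code) implements that flow. It assumes legacy records are unsalted MD5 hex digests and uses hashlib.scrypt as a stand-in for Argon2id, which the fixed-issues list names as Serv-U's algorithm but which is not in Python's standard library; the scrypt work factors and the record layout are this example's own.

```python
"""Lazy migration of legacy MD5 password hashes at next successful login, with a
90-day grace period after which un-migrated accounts are locked for admin reset.

Added example, not Serv-U code. Assumptions: legacy hashes are unsalted MD5 hex
digests, and hashlib.scrypt stands in for Serv-U's Argon2id (not in the stdlib).
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

UPGRADE_DATE = datetime(2021, 1, 21)   # release date of 15.2.2, used as the sample upgrade day
GRACE = timedelta(days=90)
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed work factors


def at(days):
    """Helper for the sample: a timestamp `days` after the upgrade."""
    return UPGRADE_DATE + timedelta(days=days)


def legacy_md5_record(password):
    """Assumed shape of a pre-upgrade record: unsalted MD5 hex digest."""
    return {"scheme": "md5", "salt": b"",
            "hash": hashlib.md5(password.encode()).hexdigest()}


def strong_record(password):
    """Salted scrypt record (stand-in for the Argon2id record Serv-U writes)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"scheme": "scrypt", "salt": salt, "hash": digest.hex()}


def _check(record, password):
    """Constant-time comparison of the candidate digest against the stored one."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "scrypt":
        candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT).hex()
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(record, password, now, upgraded_at=UPGRADE_DATE, grace=GRACE):
    """Return (status, record). Status is one of ok, migrated, denied, locked."""
    if record["scheme"] == "md5" and now - upgraded_at > grace:
        # Grace period over and never migrated: refuse before even checking
        # the password, so the weak hash is never used again.
        return "locked", record
    if not _check(record, password):
        return "denied", record
    if record["scheme"] == "md5":
        # Correct password in hand: the only moment the hash can be upgraded.
        return "migrated", strong_record(password)
    return "ok", record


def admin_reset(new_password):
    """Administrator sets a new password; the account leaves the legacy scheme."""
    return strong_record(new_password)


if __name__ == "__main__":
    rec = legacy_md5_record("hunter2")          # constructed sample account
    status, rec = login(rec, "hunter2", at(10))
    print(status, rec["scheme"])               # migrated scrypt
    print(login(legacy_md5_record("hunter2"), "hunter2", at(91))[0])  # locked
```

The ordering in login matters: the lock check comes first so that after day 90 the MD5 digest is never consulted again, and the migrated record is returned from the same call that verified the password, because there is no later point at which the plaintext is available.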


Previous releases

For earlier Serv-U releases, please visit the Previous Versions page.


Fixed issues

Serv-U 15.2.2 fixes the following issues:


Case Number                         Description

n/a 	Public Key Authentication memory leak resolved.

658371, 654049, 645181,642642, 640814, 637749, 635320, 627109, 623216,
598885, 596970, 595555, 584662, 581139, 580863, 573286, 571535, 568615,
560739, 546652
	jQuery updated to 3.5.1 to avoid security vulnerability.

632492, 624270, 619235, 606383, 586950, 579071, 560739 	Issue resolved
where an anti-hammer counting regression led to memory leaks and 100% CPU
consumption.

625116, 552322 	Minor logic issue with Argon2id password hashing
implementation fixed.

622549 	Serv-U Groups and Users being disabled and going down randomly

619978 	Serv-U account is disabled and cannot be reactivated in version
15.2.1 -IPG GIS INC.

606573 	Old password is incorrect when changing password for Serv-U web
client users.

605297 	Missing Content Security Policy

599765 	We are getting Invalid old password error.

594359 	Penetration testing has found a vulnerability

580065 	When Create a new user and force to change the password at next
login users get "old Password is Wrong".

579545 	Security Policy.

579071 	After upgrade ServU to latest 15.2.1 Service has been stopping.

573524 	jQuery Update on Serv-U Gateway.

563940 	%USER_FULL_NAME% does not get replaced correctly when used in
the Physical Path of a Virtual Path value.

557670 	The $FileSize variable is not correct.

556475 	Serv-U Version 15.2 User Password Issue.

549919 	backup consistently fails because of an aborted connection.

541643 	SSH/Data Streaming issues with Linux MFT.

513015 	Error receiving file, transfer is aborted before file is fully
received.

444013 	Failed uploading Large Files ( 2 GB).

351225 	Referrer-Policy and the Feature-Policy headers in Serv-U.

257327 	SFTP failed transfer "Error receiving file".

231205 	NSX manager failing to SSH into serv-u for vcenter backups.

225939 	Serv-U Memory Leak.

168793 	SFTP failed transfer via Cisco backup application.

127858 	Cisco CUCM failed to back up.


CVE issues

SolarWinds would like to thank the security researchers below for
reporting these issues in a responsible manner and working with our
security, product, and engineering teams to fix the vulnerabilities.


CVE-ID            Description           Severity   Credited                          Authenticated

CVE-2020-35482    Reflected XSS         High       Nicolas Verdier, Tehtris          Yes

CVE-2020-35481    Macro Injection       Critical   n/a                               No

CVE-2020-27994    Directory Traversal   Medium     Jack Misiura, The Missing Link    Yes

CVE-2020-28001    Stored XSS            High       n/a                               Yes


For Serv-U 15.2.1 fixes, see the 15.2.1 Release Notes.

For Serv-U 15.2 fixes, see the 15.2 Release Notes.



Legal notices

© 2021 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified,
decompiled, disassembled, published or distributed, in whole or in part,
or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to
the software, services, and documentation are and shall remain the
exclusive property of SolarWinds, its affiliates, and/or its respective
licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS
OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING
WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR
USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL
SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES,
WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF
SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are
the exclusive property of SolarWinds Worldwide, LLC or its affiliates,
are registered with the U.S. Patent and Trademark Office, and may be
registered or pending registration in other countries. All other
SolarWinds trademarks, service marks, and logos may be common law marks
or are registered or pending registration. All other trademarks
mentioned herein are used for identification purposes only and are
trademarks of (and may be registered trademarks) of their respective
companies.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


