Serv-U File Server 15.3.2 Release Notes
Release date: December 15, 2022
These release notes describe the new features, improvements, and fixed issues in SolarWinds Serv-U File Server 15.3.2. They also provide information about upgrades and describe workarounds for known issues.
If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.
For details about the latest hotfixes, see Serv-U hotfixes.
Additional Serv-U documentation includes:
- Serv-U Installation and Upgrade Guide
- Serv-U Administrator Guide
- System Requirements
- Getting Started with Serv-U
New features and improvements
Serv-U 15.3.2 offers the following new features and improvements compared to previous releases:
Server Identity introduced to enhance security
Serv-U 15.3.2 introduces the concept of Server Identity. This attribute enables increased security by assigning each MFT server a unique server identity comprising the Server UID with a secret key. This Server Identity is used to provide enhanced encryption of third-party passwords, and can be shared among multiple instances of the same server (for example, in the case of load balancing where a master Serv-U instance with the same server definition is replicated across multiple hosts). See Creating, exporting, and importing the Server Identity in the Installation and Upgrade Guide for information.
Transition to Network Service from Local System
Prior to 15.3.2, the default account used by the Serv-U service was SYSTEM (also referred to as Local System). From the 15.3.2 release, the default account is NETWORK SERVICE for improved security. For further information, see the knowledge base article Running Serv-U under NETWORK SERVICE. (SolarWinds would like to thank security researcher Ken Pyle of CYBIR for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.)
Multi-language support for new Serv-U client and file sharing
The new Serv-U Web Client and File Sharing now support language selection from English, German, French, Spanish, Portuguese, Serbian, Finnish, Norwegian, Russian, Danish, Simplified Chinese, Traditional Chinese, and Japanese.
Enhanced password encryption algorithm
All encryption types other than "one-way encryption" are now defined as vulnerable, and have been removed from the Domain Wizard and the Domain Limits and Settings - Passwords option. All new users are created to use "one-way encryption" and any previous domain or database users will be automatically re-encrypted to "one-way encryption".
The RFC compliance issue where a session without Carriage Return (CR) and a single Line Feed (LF) was allowed is now resolved. If you are using legacy Java clients, see the KB article SFTP connection not established for legacy Java clients.
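To find clients that the stricter line-ending check will reject, captured SSH identification lines can be classified by terminator. This is an added example, not SolarWinds code; it assumes the rule in question is the SSH identification string of RFC 4253 section 4.2, and the sample lines are constructed.

```python
import re

MAX_IDENT_LEN = 255  # RFC 4253 section 4.2: limit includes the CR LF

# SSH-protoversion-softwareversion [SP comments]; printable US-ASCII only.
# Lenient on '-' inside softwareversion, which some real clients send.
IDENT_RE = re.compile(rb"SSH-(2\.0|1\.99)-([\x21-\x7e]+)(?: ([\x20-\x7e]*))?")


def classify_ident(raw: bytes) -> dict:
    """Classify one identification line exactly as captured from the wire."""
    if raw.endswith(b"\r\n"):
        terminator, body = "CRLF", raw[:-2]
    elif raw.endswith(b"\n"):
        terminator, body = "LF-only", raw[:-1]
    else:
        terminator, body = "missing", raw
    match = IDENT_RE.fullmatch(body)
    return {
        "terminator": terminator,
        "well_formed": match is not None,
        "software": match.group(2).decode("ascii") if match else None,
        "strict_ok": bool(match) and terminator == "CRLF" and len(raw) <= MAX_IDENT_LEN,
    }


def clients_needing_update(captured: list[bytes]) -> list[str]:
    """Software names that a server enforcing CR LF would refuse."""
    return [
        info["software"] or "<unparsed>"
        for info in map(classify_ident, captured)
        if not info["strict_ok"]
    ]


# Constructed sample lines (not taken from any real capture).
SAMPLES = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    b"SSH-2.0-ExampleLegacyJava_0.1\n",
    b"SSH-2.0-NoTerminatorClient",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, classify_ident(line))
    print(clients_needing_update(SAMPLES))
```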
jQuery library updated
Improved security and stability
The Serv-U licensing framework has been updated since Serv-U 15.2.3 and a new license key now needs to be used to activate this product version.
If your Serv-U product maintenance is active, you can find your new license key on the customer portal. Use this new license key to activate Serv-U after installation. SolarWinds strongly recommends that you upgrade to this version with the new licensing framework, as the older framework will not be supported in the future.
If installing Serv-U 15.3.2 on a machine that has never had Serv-U installed, the Server Identity is automatically created.
If upgrading to Serv-U 15.3.2 from an earlier version, a pop-up message is displayed.
- For a single instance of Serv-U, or if you are creating the first of multiple instances in a multi-tier Serv-U Server, you should create a server identity.
- For subsequent installations in a multi-tier Serv-U set-up, you need to import the server identity from the original instance.
See Creating, exporting, and importing the Server Identity in the Installation and Upgrade Guide for information.
If you are upgrading from version 15.1.7 or older, this version provides increased password security and automatically converts existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.
If an account is not used within 90 days of the upgrade, access will be restricted and the user will not be able to log in afterward. The administrator will be required to change their password.
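The convert-on-first-login behaviour and the 90-day cutoff described above follow a common migration pattern, sketched here as an added example that is not Serv-U's implementation. The record layout, the unsalted MD5 legacy format and the PBKDF2 target are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

GRACE = timedelta(days=90)  # window stated in the release notes
ITERATIONS = 600_000        # assumption: PBKDF2-HMAC-SHA256 cost for this sketch


def strong_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def login(user: dict, password: str, now: datetime, upgraded_at: datetime) -> str:
    """Return 'ok', 'denied' or 'locked'; a legacy record is rewritten on success."""
    if user["scheme"] == "md5":
        if now - upgraded_at > GRACE:
            return "locked"  # never migrated in time: administrator must reset
        legacy = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(legacy, user["hash"]):
            return "denied"
        salt = os.urandom(16)  # re-hash now, while the plaintext is available
        user.update(scheme="pbkdf2", salt=salt, hash=strong_hash(password, salt))
        return "ok"
    candidate = strong_hash(password, user["salt"])
    return "ok" if hmac.compare_digest(candidate, user["hash"]) else "denied"


def make_legacy_user(password: str) -> dict:
    """Constructed legacy record (unsalted MD5 hex), for the demo only."""
    return {"scheme": "md5", "salt": b"", "hash": hashlib.md5(password.encode()).hexdigest()}


if __name__ == "__main__":
    upgraded = datetime(2022, 12, 15)
    alice, bob = make_legacy_user("correct horse"), make_legacy_user("hunter2")
    print(login(alice, "correct horse", upgraded + timedelta(days=30), upgraded), alice["scheme"])
    print(login(bob, "hunter2", upgraded + timedelta(days=91), upgraded), bob["scheme"])
```

The stale-record check runs before any MD5 comparison, so a weak legacy hash stops being a usable credential once the window closes.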
Third Party CVEs
|CVE-2022-3786||X.509 Email Address Variable Length Buffer Overflow||A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.||High|
|CVE-2022-3602||X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)||A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).||High|
|CVE-2022-38106||Cross-Site Scripting Vulnerability in Serv-U Web Client||This vulnerability affects the web client in versions 15.3.0 to 15.3.1, in the directory creation function.||7.5 High||Balaji Ayyasamy|
|CVE-2021-35252||Common Key Vulnerability in Serv-U FTP Server||A common encryption key is used across all deployed instances of Serv-U FTP Server. This could lead to a security risk relating to user accounts.||6.5 Medium||SecureWorks Disclosure Team|
Serv-U 15.3.2 fixes the following issues:
|00831536, 00895820, 00996733, 01097499, 01162744||Serv-U groups containing special characters are being parsed as hexcode by Serv-U v15.2.3.|
|01002965||File Share not working as indicated.|
|01055925||New web client file upload UI inconsistency with big files.|
|01085165||Empty Definition of a domain SSH Private Key blocks using the Server-wise defined Key.|
|01092560||User can upload files when the link is already expired.|
|01110002||Search resets correctly when navigating folders in web client.|
|01127650||Serv-U server restarts in a special scenario.|
|01127910||Serv-U allows more TLS 1.2 cipher suites than are shown on the configuration page.|
|n/a||Maximum number of file shares resolved.|
© 2022 SolarWinds Worldwide, LLC. All rights reserved.