Documentation forServ-U MFT & Serv-U FTP Server

Serv-U File Server 15.3.1 release notes

Release date: May 17, 2022

These release notes describe the new features, improvements, and fixed issues in SolarWinds Serv-U File Server 15.3.1. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

For details about the latest hotfixes, see Serv-U hotfixes.

Additional Serv-U documentation includes:

New features and improvements

TLS 1.3 support introduced

Crypto library OpenSSL has been upgraded to version 3.0.2 in Serv-U File Server 15.3.1. As part of this update, TLS 1.1, TLS 1.0 and SSLv3 protocols have been deprecated and TLS 1.3 has been introduced.

Log Zipped Download option

Serv-U File Server 15.3.1 introduces an option to log messages pertaining to zipped folder or multiple file downloads.

To enable this go to Domain Activities Settings, User Properties - Logging or Group Properties - Logging, depending on the level at which you want apply this option, and check or uncheck the Zipped Downloads checkbox. When enabled, messages related to the download of a folder or multiple files are logged to the logfile and screen (the bottom pane of the Serv-U Management Console).

Folders or multiple files are downloaded as ZippedDownload.zip

Zipped Download events

The MFT version of Serv-U File Server 15.3.1 introduces two new events: Zipped File Download and Zipped File Download Failed. These can be used in same way as existing event types to trigger event actions such as email notifications, balloon tip alerts or posts to the Windows Event Log or Microsoft Message Queue (MSMQ).

For information on creating events, see Global Properties: Events, Domain Properties: Events, Group Properties: Events or User Properties: Events.

Serv-U File Server 15.3.1 also includes the additional upgrades, fixes and improvements:

  • Serv-U generates a unique default certificate during installation in the Windows Certificate store
  • New Serv-U Client applies configuration from limits and settings in management console
  • Custom logo option for new Serv-U client
  • Improvements for login page with custom html/css
  • Language selection on login page has been fixed
  • Authentication fix for configuration behind load balancer
  • New variable $FileShareToken introduced that can be used in download/upload events
  • Removal of DSA 2048 and 4096 SSH private keys

Upgrade notes

Licensing

The Serv-U licensing framework has been updated since Serv-U 15.2.3 and a new license key now needs to be used to activate this product version.

If your Serv-U product maintenance is active, you can find your new license key generated on customer portal. Use this new license key to activate Serv-U after installation. SolarWinds strongly recommend that you upgrade to this version with the new licensing framework as older framework will not be supported in the future.

Password security

If you are upgrading from version 15.1.7 or older, increased password security and automatically converts existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.

If an account is not used within 90 days of the upgrade, access will be restricted and the user will not be able to log in afterward. The administrator will be required to change their password.


Fixed issues

Serv-U 15.3.1 fixes the following issues:

Case number Description
00990668, 00993095, 01011232, 01028130, Custom logo is now displayed correctly on the new web client page.
n/a DSA 2048 and 4096 encryption removed.

00968805, 00973872, 00984285, 00987529, 00990535, 00990707, 00991413, 00991733, 00992394, 00993023, 00994050, 00994294, 00995161, 00997623, 00998466, 01000476, 01000586, 01002699, 01004913, 01005856, 01006963, 01017417.

Log-in issue with ERROR: Operation was not successful" message after upgrade to 15.3 resolved.
00979009 Domain admin user can longer get read access to other domains.

00990677, 00993754, 00996374, 01018548, 01025397,

Custom HTTP Login Page Text no longer defaults to English.
00991117, 00996668, 00997357, 01005070, 01050853 File share - management console configuration issues corrected.
00984650, 01045154, 01055707, Download Log Button fixed.
01005016 Serv-U correctly deals with issuing an unauthenticated URL with non-empty dir param.
00990782 Disabling "Use System Browser" works correctly.

SolarWinds CVEs

SolarWinds would like to thank our Security Researchers below for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

CVE-ID Vulnerability Title Description Severity Credit
CVE-2021-35249 Domain Admin Broken Access Control "This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains that they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read only activity is logged to the original domain and does not specify which domain was accessed." Medium N/A

Deprecation notices

In Serv-U 15.3.1, the following platforms and features are deprecated.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. Customizations applied to a deprecated feature might not be migrated if a new feature replaces the deprecated one.

See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier Serv-U versions, see Serv-U release history.

Deprecations
Java-based Serv-U web client modules FTP Voyager JV and Web Client Pro will shortly be discontinued. However, these modules are still available in version 15.3.1 together with new Serv-U web client to support migration path.

Legal notices

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.