At line 1 changed one line |
!!Updating CrushFTP |
!!!Minimum safe CrushFTP version is 10.8.3. (Regularly updating is critical and we make that as easy as possible.) |
---- |
!!Regarding 10.8.3 and the CrushFTP vulnerability related to emailed password change links...CVE will be coming later.\\ |
\\ |
!!Regarding 10.7.1 and the CrushFTP exploit allowing access to system files __CVE-2024-4040__ . Using a DMZ proxy in front of your main CrushFTP would have protected you in this scenario. The vulnerability allowed an attacker to retrieve system files.\\ |
(CREDIT:Simon Garrelou, of Airbus CERT, read more here [https://github.com/airbus-cert/CVE-2024-4040|https://github.com/airbus-cert/CVE-2024-4040] )\\ |
\\ |
!!REGARDING 10.6.0 and the recent global SSH vulnerability which also affected CrushFTP! (not CrushFTP specific, but we are affected just like ALL other server vendors): CVE-2023-48795 |
Read more about it here: [https://terrapin-attack.com/]\\ |
[https://jfrog.com/blog/ssh-protocol-flaw-terrapin-attack-cve-2023-48795-all-you-need-to-know/|https://jfrog.com/blog/ssh-protocol-flaw-terrapin-attack-cve-2023-48795-all-you-need-to-know/] \\ |
\\ |
!!REGARDING 10.5.6 and the recent global SSH vulnerability which also affected CrushFTP! (not CrushFTP specific, but we are affected just like most other server vendors) |
Read more about it here: [https://eprint.iacr.org/2023/1711.pdf]\\ |
\\ |
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT NOVEMBER 16, 2023! |
If your CrushFTP is lower than 10.5.5, you are vulnerable to an exploit that was responsibly disclosed. It is not known to be in he wild, but its severe and everyone must update immediately. All versions of CrushFTP...v4/v5/v6/v7/v8/v9/v10 were affected by this. CrushFTP v11 is not affected by this as it has been patched before its first public release. One part of the vulnerability allows an attacker to gain access simply by knowing the admin username, and the other parts when used together allows an attacker who has a non privileged account to gain access to files outside their VFS which can then be in turn used to login as a more privileged user. CVE release is pending. Credit goes to the UK NCSC.\\ |
\\ |
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT AUGUST 10, 2023! (CVE-2023-43177) |
\\ |
If your CrushFTP version is less then 10.5.1, you are vulnerable. No exception. Look at your version number on the dashboard, and it must be 10.5.1 or higher to be safe. For reference, v6, v7, v8,v9...those numbers are less than v10.5.1. Yes, they are vulnerable! Anything below 10.5.1 is vulnerable.\\ |
This vulnerability is critical because it does NOT require any authentication. It can be done anonymously and steal the session of other users and escalate to an administrator user. Its critical everyone updates ASAP! 10.5.2 changes other defaults related to loading DB drivers that are not in your classpath has also changed. This means if your DB drivers are not part of your plugins/lib folder, they will not be loaded by CrushFTP. (Statistics DB if you changed it, SQL Users if you are using that, etc.)\\ |
\\ |
__IMPORTANT: due to the security updates since CrushFTP version 10.5.2+ any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. In case of a server previously configured using an external SQL user DB, this new feature prevents access on next launch, will need to move the jar file, then edit prefs.XML, update the <db_driver> key value like\\ |
{{{<db_driver>./mssql-jdbc-12.4.0.jre11.jar</db_driver>}}} |
At line 26 added 4 lines |
\\ |
\\ |
!!Updating CrushFTP v10 |
|
At line 9 changed one line |
|
\\ |
[{Image src='minor_update.jpg' width='1080' height='..' align='left' style='..' class='..' }]\\ |
\\ |
At line 11 changed 2 lines |
1.) Download CrushFTP10.zip from our download page. (https://www.crushftp.com/early10/CrushFTP10.zip)\\ |
2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\ |
1.) Download CrushFTP10.zip from our download page. ([https://www.crushftp.com/early10/CrushFTP10.zip|https://www.crushftp.com/early10/CrushFTP10.zip])\\ |
2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your CrushFTP.jar file)\\ |
At line 24 changed 5 lines |
\\ |
\\ |
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT! |
\\ |
If your CrushFTP version is less then 10.5.1, you are vulnerable. No exception. Look at your version number on the dashboard, and it must be 10.5.1 or higher to be safe. |
!!Updating an old CrushFTP v9 |
You must upgrade: [CrushFTPUpgrade]\\ |
You need a v10+ license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current. |