Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
jpg
minor_update.jpg 356.6 kB 1 05-Dec-2023 05:32 Ada Csaba

This page (revision-36) was last changed on 03-Sep-2024 14:34 by Sandor

This page was created on 05-Dec-2023 05:32 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed 5 lines
!!!Minimum safe CrushFTP version is 10.5.6. (Regularly updating is critical and we make that as easy as possible.)\\
Video covering the simple update process: [https://youtu.be/2pKyYxGJEwE]\\
----
!!REGARDING 10.5.6 and the recent global SSH vulnerability which also affected CrushFTP! (not CrushFTP specific, but we are affected just like most other server vendors)
Read more about it here: [https://eprint.iacr.org/2023/1711.pdf]\\
__April 19th, 2024 - CVE-2024-4040\\
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected with its protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately. (CREDIT:Simon Garrelou, of Airbus CERT)__\\
At line 7 changed 2 lines
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT NOVEMBER 16, 2023!
If your CrushFTP is lower than 10.5.5, you are vulnerable to an exploit that was responsibly disclosed. It is not known to be in he wild, but its severe and everyone must update immediately. All versions of CrushFTP...v4/v5/v6/v7/v8/v9/v10 were affected by this. CrushFTP v11 is not affected by this as it has been patched before its first public release. One part of the vulnerability allows an attacker to gain access simply by knowing the admin username, and the other parts when used together allows an attacker who has a non privileged account to gain access to files outside their VFS which can then be in turn used to login as a more privileged user. CVE release is pending. Credit goes to the UK NCSC.\\
!!FAQ:
•If I'm on v10.7.1...do I need to upgrade to v11? No, just update v10 to v10.7.1.\\
•If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.7.1.\\
•Can you tell me how I can check if I have been exploited? Not really..the nature of this was common words that could be in your log already. So there is no silver bullet search term to check for. Looking for "<INCLUDE" is an indicator.\\
•If I have a DMZ am I safe? NO! As of April 22, we have changed our opinion on this. A DMZ does not fully protect you.\\
•If I only have my SFTP port exposed to the internet but not any web ports...am I safe? Yes, this exploit specifically works with the WebInterface port.\\
At line 10 removed one line
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT AUGUST 10, 2023! (CVE-2023-43177)
At line 12 changed 5 lines
If your CrushFTP version is less then 10.5.1, you are vulnerable. No exception. Look at your version number on the dashboard, and it must be 10.5.1 or higher to be safe. For reference, v6, v7, v8,v9...those numbers are less than v10.5.1. Yes, they are vulnerable! Anything below 10.5.1 is vulnerable.\\
This vulnerability is critical because it does NOT require any authentication. It can be done anonymously and steal the session of other users and escalate to an administrator user. Its critical everyone updates ASAP! 10.5.2 changes other defaults related to loading DB drivers that are not in your classpath has also changed. This means if your DB drivers are not part of your plugins/lib folder, they will not be loaded by CrushFTP. (Statistics DB if you changed it, SQL Users if you are using that, etc.)\\
\\
__IMPORTANT: due to the security updates since CrushFTP version 10.5.2+ any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. In case of a server previously configured using an external SQL user DB, this new feature prevents access on next launch, will need to move the jar file, then edit prefs.XML, update the <db_driver> key value like\\
{{{<db_driver>./mssql-jdbc-12.4.0.jre11.jar</db_driver>}}}
!!Updating CrushFTP v11
At line 18 removed 4 lines
\\
\\
!!Updating CrushFTP v10
At line 32 changed 2 lines
1.) Download CrushFTP10.zip from our download page. ([https://www.crushftp.com/early10/CrushFTP10.zip|https://www.crushftp.com/early10/CrushFTP10.zip])\\
2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\
1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\
2.) Give it the specific name `CrushFTP11_new.zip` and place this in the CrushFTP main folder. (Same location where you have your CrushFTP.jar file)\\
At line 43 changed one line
!Changelog: [https://www.crushftp.com/version10_build.html]\\
!Changelog: [https://www.crushftp.com/version11_build.html]\\
At line 45 changed one line
!!Updating an old CrushFTP v9
!!Updating an old CrushFTP v10,v9 and prior
At line 47 changed one line
You need a v10+ license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current.
You need a v11 license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current.
\\
All prior versions of CrushFTP were also affected by this most recent vulnerability.\\
CrushFTP v10 info: [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update]\\
Version Date Modified Size Author Changes ... Change note
36 03-Sep-2024 14:34 2.985 kB Sandor to previous
35 01-Aug-2024 11:05 2.982 kB Sandor to previous | to last
34 22-Apr-2024 15:52 2.982 kB Ben Spink to previous | to last
33 22-Apr-2024 15:51 3.006 kB Ben Spink to previous | to last
32 22-Apr-2024 12:39 2.99 kB Ben Spink to previous | to last
31 22-Apr-2024 12:25 3.028 kB Ben Spink to previous | to last
30 22-Apr-2024 12:23 2.964 kB Ben Spink to previous | to last
29 19-Apr-2024 12:37 2.16 kB Ada Csaba to previous | to last
28 19-Apr-2024 12:36 2.157 kB Ada Csaba to previous | to last
27 19-Apr-2024 12:36 2.153 kB Ada Csaba to previous | to last
26 19-Apr-2024 12:34 2.604 kB Ada Csaba to previous | to last
25 19-Apr-2024 05:27 0.521 kB Ben Spink to previous | to last
24 19-Apr-2024 04:58 0.48 kB Ben Spink to previous | to last
23 28-Feb-2024 03:11 0.132 kB Ben Spink to previous | to last
22 28-Feb-2024 03:10 0.104 kB Ben Spink to previous | to last
21 27-Feb-2024 03:43 4.237 kB Ben Spink to previous | to last
« This page (revision-36) was last changed on 03-Sep-2024 14:34 by Sandor
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
LeftMenu

JSPWiki