April 19th, 2024
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are protected with its protocol translation system it utilizes. (CREDIT:Simon Garrelou, of Airbus CERT)
IMPORTANT: due to the security updates since CrushFTP version 10.5.2+ any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. In case of a server previously configured using an external SQL user DB, this new feature prevents access on next launch, will need to move the jar file, then edit prefs.XML, update the <db_driver> key value like
<db_driver>./mssql-jdbc-12.4.0.jre11.jar</db_driver>
Updating CrushFTP v10#
How to update CrushFTP within the same major version number:#
1.) Login to the dashboard using your "crushadmin" equivalent user in the WebInterface.2.) Click on the about tab.
3.) Click Update, Update Now.
4.) Wait roughly 5 minutes for the files to download, unzip, and be copied in place. CrushFTP will auto restart once done.
5.) Finished.
Installing an offline update when the server cannot reach our server over the internet directly:#
1.) Download CrushFTP10.zip from our download page. (https://www.crushftp.com/early10/CrushFTP10.zip)2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)
3.) See above normal instructions as Crush will use your local offline zip file.
How to restore a backup in the event of some issue or regression in functionality:#
(CrushFTP automatically creates a backup of its core files in the CrushFTP folder, backup folder.)1.) Restore the CrushFTP.jar file.
2.) Restore the plugins folder.
3.) Restore the WebInterface folder...mainly the CrushTunnel.jar file from inside it.
Changelog: https://www.crushftp.com/version10_build.html
#
Updating an old CrushFTP v9#
You must upgrade: CrushFTPUpgradeYou need a v10+ license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current.
All prior versions of CrushFTP were also affected by this most recent vulnerability.
CrushFTP v10 info: https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
Add new attachment
List of attachments
Kind | Attachment Name | Size | Version | Date Modified | Author | Change note |
---|---|---|---|---|---|---|
jpg |
minor_update.jpg | 356.6 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |