We are announcing the latest release of SFTPPlus version 3.55.0.
This release fixes a critical security issue in the Local Manager's web console GUI. The issue was introduced in SFTPPlus version 3.24.0.
If the Local Manager accepts only local connections, which is the default configuration, the vulnerability can be exploited only from the local host; a Local Manager exposed on the network can be attacked remotely.
Your SFTPPlus setup is not affected if the "Store in database" event handler, which is enabled by default, has been disabled.
To audit for potential security breaches, search the log files for events with ID 50026 and review each one for unauthorized access. Because the affected request was accepted without authentication, an illegitimate download cannot be attributed to an account; the only indicator is its timestamp, which you must compare against the times when an administrator was legitimately using the Local Manager.
No file contents or passwords are exposed by this issue. However, the usernames and file names recorded in the activity log can be disclosed to unauthorized parties.
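The audit step above boils down to: collect every event with ID 50026 and flag the ones that fall outside a period when an administrator is known to have been logged in. The following script, added here as an illustration and not part of SFTPPlus or its documentation, does exactly that over a few constructed log lines. The "<timestamp> <event-id> <message>" line layout and the KNOWN_ADMIN_SESSIONS windows are assumptions for the example; adapt the regular expression to the real log format and take the session windows from your own change records.

```python
import re
from datetime import datetime

# Constructed sample lines. The "<timestamp> <event-id> <message>" layout is an
# assumption made for this example, not SFTPPlus' actual log format.
SAMPLE_LOG = """\
2020-06-10 09:14:02 20000 Local Manager session started for admin from 127.0.0.1
2020-06-10 09:20:45 50026 Activity log downloaded as CSV
2020-06-10 09:31:10 20001 Local Manager session ended for admin
2020-06-11 02:47:33 50026 Activity log downloaded as CSV
2020-06-11 15:05:12 50026 Activity log downloaded as CSV
"""

# Windows during which an administrator is known to have used the Local Manager.
# Constructed for the example; in a real audit take them from change records.
KNOWN_ADMIN_SESSIONS = [
    (datetime(2020, 6, 10, 9, 0), datetime(2020, 6, 10, 9, 45)),
    (datetime(2020, 6, 11, 15, 0), datetime(2020, 6, 11, 15, 30)),
]

# Event ID that the advisory tells us to look for.
CSV_DOWNLOAD_EVENT = "50026"

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.*)$")


def parse_events(lines, event_id=CSV_DOWNLOAD_EVENT):
    """Return (timestamp, message) for every line carrying the given event ID."""
    found = []
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not in the assumed layout; ignore
        stamp, eid, message = match.groups()
        if eid == event_id:
            found.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message))
    return found


def unexplained_downloads(events, sessions):
    """Keep only the events whose timestamp is not covered by a known session."""
    return [
        (ts, message)
        for ts, message in events
        if not any(start <= ts <= end for start, end in sessions)
    ]


def audit(log_text, sessions=KNOWN_ADMIN_SESSIONS):
    """Full audit: parse the log, then report downloads nobody can account for."""
    return unexplained_downloads(parse_events(log_text.splitlines()), sessions)


if __name__ == "__main__":
    for ts, message in audit(SAMPLE_LOG):
        print(f"REVIEW: {ts.isoformat()} {message}")
```

On the constructed input the download at 02:47 on 2020-06-11 is the only one not covered by a known administrator session and is the one a responder would investigate. Anything the script reports can only be a lead: as the advisory notes, the timestamp is the sole signal available, so every flagged entry still has to be reconciled manually.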
To fix this security issue, you need to upgrade SFTPPlus to version 3.55.0.
If you cannot upgrade right away, harden the configuration by deleting the "Store in database" event handlers. If you would rather keep using that feature without updating, make sure the Local Manager is reachable only through secured channels such as a VPN tunnel.
New Features
- Ubuntu 20.04 on x86_64 is now a supported platform. [#1512]
- The "Download as CSV" functionality from the Activity Log will now download only the entries selected by the active filters. [#4233]
- The embedded OpenSSL libraries on Windows, generic Linux, and macOS were updated to version 1.1.1g. [#5400]
- Red Hat Enterprise Linux 8 on x86_64 is now a supported platform. [#5324]
- The bundled OpenSSL libraries on Windows, SLES 11, and generic Linux distributions were updated to version 1.1.1g. [#5357]
Defect Fixes
- The "Download as CSV" link from the Local Manager no longer allows unauthenticated requests. [security][web-manager] [#4233]
Deprecations and Removals
- The macOS package no longer depends on the system-included LibreSSL libraries. On macOS, SFTPPlus now uses embedded OpenSSL libraries. [#5400]
- On SLES 11, RHEL 6, and other unsupported Linux distributions, SFTPPlus uses a generic glibc-based Linux runtime which includes OpenSSL 1.1.1 libraries. [#5312]
You can check the full release notes here.