Java Deserialization RCE
Overview
A security advisory CVE-2016-1000027 applies to recent versions of SFTP Gateway. A vulnerability in a dependency library exposes a way to perform remote code execution (RCE) against the web admin portal of SFTP Gateway.
We recommend that you take the following actions.
Check your version of SFTP Gateway
This vulnerability only affects the following SFTP Gateway versions:
- v3.4.0
- v3.4.1
- v3.4.2
- v3.4.3
You can check the version of SFTP Gateway by scrolling to the footer of the web admin portal.
Alternatively, you can SSH into the VM and list the files in /opt/sftpgw/, which show the version in their file names.
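As an added example (not part of this advisory or of SFTP Gateway itself), the following POSIX shell check reads version numbers out of the file names under /opt/sftpgw/ and flags the four affected releases. It assumes the version appears in a file name as a dotted x.y.z number (for example sftpgw-3.4.2.jar); the advisory does not state the exact naming pattern.

```shell
#!/bin/sh
# Added example: flags an SFTP Gateway install whose version is one the
# advisory lists as affected. Assumes (not stated by the advisory) that the
# version appears in an /opt/sftpgw/ file name as x.y.z, e.g. sftpgw-3.4.2.jar.

# Return 0 if the version is one of the affected releases (v3.4.0 - v3.4.3).
sftpgw_affected() {
    case "$1" in
        3.4.0|3.4.1|3.4.2|3.4.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first x.y.z version found in a file name, or nothing at all.
sftpgw_version_from_name() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Scan a directory (default /opt/sftpgw); return 0 if any file carries an
# affected version, 1 otherwise. Files without a version are skipped.
sftpgw_check_dir() {
    dir="${1:-/opt/sftpgw}"
    found=1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        v=$(sftpgw_version_from_name "$(basename "$f")")
        [ -n "$v" ] || continue
        if sftpgw_affected "$v"; then
            printf 'AFFECTED: %s (version %s) - upgrade to 3.4.4\n' "$f" "$v"
            found=0
        else
            printf 'ok: %s (version %s)\n' "$f" "$v"
        fi
    done
    return "$found"
}

# Run the scan only when invoked as: sh check.sh --check [dir]
if [ "$1" = "--check" ]; then
    sftpgw_check_dir "$2"
fi
```

The check exits non-zero when nothing affected is found, so it can be dropped into a fleet-wide script that reports only hosts still needing the 3.4.4 upgrade.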
Restrict port 443 to sysadmin IP addresses only
The web admin portal of SFTP Gateway should already be locked down to sysadmin IP addresses only, if configured according to our guidelines.
Take some time now to verify your network ingress rules on port 443, and make sure it is NOT open to the world. For example, remove any rules for HTTPS 443 that allow the range 0.0.0.0/0.
Also, update your existing port 443 rules to remove any stale entries.
Perform an in-place upgrade to version 3.4.4
The easiest way to upgrade would be to use our in-place upgrade script.
Note: you must already be on SFTP Gateway version 3 in order to perform an in-place upgrade.
Migrate to version 3.4.4
The safest way to perform an upgrade is to perform a migration.
This entails exporting a backup of your existing server, and importing the backup into a new instance of v3.4.4. Finally, perform an IP or DNS cutover to the new server.
Contact Support
If you run into any issues, you can reach out to us via email at support@thorntech.com.