General description

Version 3.21.0 includes a fix for a security issue related to the execution of the FTP LIST command for an OS account. The issue was introduced in 3.17.0.

Users running SFTPPlus 3.17.0, or any later version that predates the fix, are encouraged to upgrade to the latest version containing the fix, 3.21.0.

Environments that use both OS accounts and application accounts are affected.

Environments that use only SFTP, only application accounts, or only OS accounts are not affected.

An upgrade to 3.21.0 is recommended for any older version running on Linux or Unix.

An upgrade of the Windows version of SFTPPlus is not required for this issue.

Overview of the fix

Before the fix, executing the FTP LIST command for an OS account put the whole SFTPPlus process on hold, running under that OS account's identity, for as long as the LIST command executed. With 3.21.0 this no longer happens.

Previously, if an application account uploaded a file while such a LIST command was running under the OS account, the upload was processed under the OS account's identity rather than the application account's. With the fix, the upload is no longer held behind the LIST command, and the uploaded file is owned by the application account.

Likewise, while a command such as FTP LIST is executing for an account, SFTPPlus remains responsive: it can accept new connections and perform other operations. This also holds when a connection timeout is configured for the service; neither the data connection nor the command connection should be closed while the command is being processed.

In addition, if a log rotation occurs while a LIST command is running, the new log file is owned by the SFTPPlus process account and not by the OS account.
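The race described in this overview, as an added simulation that is not SFTPPlus code and does not describe SFTPPlus internals: one server process handles several FTP connections, and a LIST for an OS account switches the process-wide identity to that account. A write arriving on another connection while the listing is still running then lands under the wrong identity. The uid values and file names are constructed, identities are plain integers rather than real seteuid() calls (so no root is needed), and the "fixed" variant confines the identity switch to a throwaway child process, which is one common isolation pattern and an assumption here, not the vendor's implementation.

```python
"""
Added example, not SFTPPlus code: simulation of the LIST / upload race.

Identities are simulated integers held in a process-wide variable.
'list_vulnerable' changes that variable for the whole process and then
blocks, so an upload from another connection is recorded under the OS
account. 'list_fixed' runs the listing in a child process, so the
serving process never changes identity (assumed pattern, not SFTPPlus's).
"""
import os
import subprocess
import sys
import tempfile
import threading
import time

SERVICE_UID = 1000      # identity the server process runs as (constructed)
OS_ACCOUNT_UID = 2001   # OS account that issues FTP LIST (constructed)
LIST_DELAY = 0.5        # seconds a listing takes; stands in for a large directory


class Server:
    """Minimal stand-in for a multi-connection FTP server."""

    def __init__(self, root):
        self.root = root
        self.effective_uid = SERVICE_UID   # process-wide identity
        self.owners = {}                   # file name -> uid that created it

    def upload(self, name, data):
        """Application-account upload. The file is created under whatever
        identity the process has at that moment, as a real write after
        seteuid() would be."""
        with open(os.path.join(self.root, name), "wb") as fh:
            fh.write(data)
        self.owners[name] = self.effective_uid
        return self.effective_uid

    def list_vulnerable(self, uid):
        """Pre-fix pattern: impersonate process-wide, then block in LIST."""
        self.effective_uid = uid
        try:
            time.sleep(LIST_DELAY)
            return sorted(os.listdir(self.root))
        finally:
            self.effective_uid = SERVICE_UID

    def list_fixed(self, uid):
        """Post-fix pattern (assumed): impersonate only inside a throwaway
        child process, so the parent's identity is never touched."""
        child = (
            "import os, sys, time\n"
            "effective_uid = int(sys.argv[2])  # switch confined to this process\n"
            f"time.sleep({LIST_DELAY})\n"
            "print(effective_uid)\n"
            "print('\\n'.join(sorted(os.listdir(sys.argv[1]))))\n"
        )
        out = subprocess.run([sys.executable, "-c", child, self.root, str(uid)],
                             capture_output=True, text=True, check=True)
        lines = out.stdout.splitlines()
        assert int(lines[0]) == uid, "child did not run as the OS account"
        return [entry for entry in lines[1:] if entry]


def race(server, list_fn):
    """Start LIST for the OS account on one connection, then upload from an
    application-account connection while LIST is still running.
    Returns (uid recorded as owner of the upload, listing)."""
    result = {}
    lister = threading.Thread(
        target=lambda: result.update(listing=list_fn(OS_ACCOUNT_UID)))
    lister.start()
    time.sleep(LIST_DELAY / 4)            # LIST is now in progress
    owner = server.upload("report.csv", b"a,b\n")
    lister.join()
    return owner, result["listing"]


def run(variant):
    """variant is 'list_vulnerable' or 'list_fixed'."""
    with tempfile.TemporaryDirectory() as root:
        server = Server(root)
        server.upload("existing.txt", b"x")   # created before any LIST runs
        return race(server, getattr(server, variant))


if __name__ == "__main__":
    for variant in ("list_vulnerable", "list_fixed"):
        owner, listing = run(variant)
        print(f"{variant}: upload owned by uid {owner}, listing {listing}")
```

Running the script shows the upload recorded under uid 2001 for the vulnerable variant and under uid 1000 for the fixed one, with identical listings; on a real server the equivalent check is the owner reported by stat on a file uploaded while a concurrent LIST for an OS account is in flight.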

You can check the full release notes here.