Security Advisory Description
Cerberus FTP Server contains a flaw that may allow malformed HTTP requests to crash the service. Malicious actors could leverage this flaw to repeatedly crash the server, thereby denying access to legitimate users.
Fix
Cerberus FTP Server versions 11.0.8 and 10.0.22 fix this issue.
Scope
- This issue only impacts Web Client and Web Admin over HTTP and HTTPS listeners. FTP(S), SFTP, and other protocols are unaffected.
- This issue impacts Cerberus FTP Server Standard Edition and higher. Personal Edition is unaffected, as this edition does not support Web Client or Web Admin.
Known Affected Versions
- 11.0 releases prior to 11.0.8
- 10.0 releases prior to 10.0.22
- 9.0 and earlier are also affected. These versions are out of support and no longer receive updates.
Mitigation
Cerberus Administrators are urged to upgrade to the fixed versions or higher as soon as possible.
Until the fix can be applied, Cerberus Administrators may mitigate exposure to this issue by disabling HTTP(S) listeners and limiting access to HTTP(S) listeners to well-known IP addresses.