Virtualizor Security Concern

Has anyone had any security issues recently with Virtualizor?

Got this today:

Dear valued customer,

We are writing to inform you of an important security update that is available for your panel. It is crucial that you update your panel version as soon as possible to protect against any potential security vulnerabilities.

If you have already upgraded to 3.1.5 then you can ignore this email.

Virtualizor updates every 24 hours automatically by default. However, if you have disabled auto upgrades, please update ASAP.

The update addresses a critical security issue and we strongly recommend that you apply it to your panel without delay.

Please follow these instructions to update your panel:

Log in to Virtualizor Admin panel
Navigate to the Configuration -> Updates page
Click on the "Update" button

Please follow the guide to update your panel:
https://www.virtualizor.com/docs/admin/update-virtualizor/

If you have any difficulty updating your panel, please contact our support team for assistance.

Please note that failure to update your panel may leave your system vulnerable to security threats. We take the security of our customers very seriously and apologize for any inconvenience this may cause.

Thank you for your cooperation and please let us know if you have any questions.

Sincerely,
Virtualizor Team

ALSO LIVE CHAT RESPONSE:

"For the time being for the safety of all our user base we are unable to disclose the information. We will disclose at a future date. However, the security issue is critical and we urge everyone to upgrade ASAP."

Comments

  • They forgot to remove default MySQL user?

  • MannDude Member, Patron Provider

    Shit happens.

    No software is immune from vulnerabilities. Went ahead and pushed the update/patch so as to not wait for the auto-update cycle.

    Thanked by 1AuroraZero
  • They won't divulge any more info; they have just said it was "critical".

    I guess they do not want bad rep, or give information as to what the security/exploit was.

  • Why should this affect their reputation negatively?

    Imho, it's actually a good sign that you get proactively informed by them via mail about an ongoing security issue, despite that they have their auto updater enabled by default.

    Further, I think it's good to not disclose information on a critical issue too early, as it might increase actual attacks on instances that aren't being updated by the admins. This is how it should be handled, if I'm honest.

    Thanked by 1noobjockeys
  • @Pilzbaum said: Why should this affect their reputation negatively?

    Maybe at this stage, it won't, but I would expect once they have confirmed all vulnerable versions are updated they will.

    The same way CVEs are made public?
