Qualys wrongly identifies Serv-U's as SSH Secure Shell. The vulnerability is for a completely different product. Here is the CVE for the vulnerability:
We have a FAQ describing the problem: http://www.serv-u.com/kb/2147/False-SSH-Security-Warning
Serv-U identifies itself to SSH clients as "SSH-2.0-Serv-U_15". The first part identifies to clients to use version 2 of the SSH protocol. The last part identifies the server software and version. Certain security tools or firms interpret this string as identifying the software as SSH Secure Shell v2, but the security warning which is issued is a false positive..
Serv-U does not use the incorrectly identified version of SSH, and using Serv-U poses no security threat.