QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

Network-attached storage (NAS) appliance maker QNAP on Thursday said it’s investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.

The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier –

  • CVE-2022-22721 – Possible buffer overflow with very large or unlimited LimitXMLRequestBody
  • CVE-2022-23943 – Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server

Both the vulnerabilities, alongside CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of version 2.4.53, which was shipped on March 14, 2022.

“While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the Taiwanese company said in an alert published this week.

In the absence of readily available security updates, QNAP has offered workarounds, including “keeping the default value ‘1M’ for LimitXMLRequestBody” and disabling mod_sed, adding that the mod_sed feature is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.

The advisory comes nearly a month after it disclosed that it’s working to resolve an infinite loop vulnerability in OpenSSL (CVE-2022-0778, CVSS score: 7.5) and released patches for the Dirty Pipe Linux flaw (CVE-2022-0847, CVSS score: 7.8).

Related Articles

Back to top button