
Qnap Security Advisory | Bulletin ID: QSA-21-58

Concerning vulnerability in Apache Log4j library

Qnap Systems, Inc. has published a security enhancement against security vulnerabilities that could affect specific versions of Qnap products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerability in Apache Log4j library
Release date: December 14, 2021
Security ID: QSA-21-58
CVE identifier: CVE-2021-44228
Affected products:
Qnap NAS running certain applications

Summary
A vulnerability has been reported to affect the Apache Log4j Java logging library. If exploited, this vulnerability allows attackers to execute arbitrary code. The vulnerability was disclosed on December 9, 2021:

      • CVE-2021-44228: Apache Log4j 2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints

The company has determined that the QTS and QuTS hero operating systems are not affected.

For applications which depend on Java Runtime Environment, our current findings are as follows.

Applications maintained by Qnap:

  • Qsirch – Not affected

Applications maintained by third-party provider:

  • MinimServer (Simon Nash) – Not affected

  • Tomcat (Adnovea) – Investigating

  • Tomcat8 (Adnovea) – Investigating

  • SuperSync iTunes Media Manager (SuperSync) – Investigating

  • WorldCard Team (PenPower Technology Ltd.) – Investigating

Recommendation
For users running any of the applications that are still under investigation, we strongly recommend taking the following actions to protect your device:

  1. Stop the application temporarily.

  2. Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.

To fully secure your device, the company highly recommends reading the following article: What is the best practice for enhancing NAS security?

Stopping an application

  1. Log on to QTS or QuTS hero as administrator.

  2. Open the App Center and then click the search icon (magnifying glass).
    A search box appears.

  3. Enter the application name.
    The application appears in the search results.

  4. Click the arrow below the application icon and then select Stop.
    QTS or QuTS hero stops the application.

Changing system port number

  1. Log on to QTS or QuTS hero as administrator.

  2. Go to Control Panel > System > General Settings > System Administration.

  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.

  4. Click Apply.
    QTS or QuTS hero applies the new system port number.

Revision History: V1.0 (December 14, 2021) – Published

Questions regarding this issue
