Qnap Security Advisory Bulletin ID: QSA-21-53 and QSA-21-62
Concerning exposure of sensitive information in QTS, QuTS hero, and QuTScloud, and vulnerabilities in Apache HTTP server
This is a Press Release edited by StorageNewsletter.com on January 5, 2022 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
Exposure of sensitive information in QTS, QuTS hero, and QuTScloud
Release date: December 30, 2021
Security ID: QSA-21-53
Severity: Medium
CVE identifier: CVE-2021-34347
Affected products: All Qnap NAS
Summary
A vulnerability involving exposure of sensitive information has been reported to affect the firm’s NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system.
The company has already fixed this vulnerability in the following versions of QTS, QuTS hero, and QuTScloud:
- QTS 4.5.4.1787 build 20210910 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.7.1864 and later
Vulnerabilities in Apache HTTP Server
Release date: December 30, 2021
Security ID: QSA-21-62
CVE identifier: CVE-2021-44224 | CVE-2021-44790
Affected products: None
Not affected products: QTS, QuTS hero, and QuTScloud
Summary
The Apache Software Foundation has reported two vulnerabilities affecting Apache HTTP Server. If exploited, one of the vulnerabilities may allow a remote attacker to take control of the affected system:
- CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
- CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
The company has determined that the QTS, QuTS hero, and QuTScloud operating systems are not affected.