Qnap Security Advisory Bulletin ID QSA-22-10 and QSA-22-11

Concerning multiple vulnerabilities in ISC BIND and multiple vulnerabilities in Apache HTTP server

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

Multiple vulnerabilities in ISC BIND
Release date: April 19, 2022
Security ID: QSA-22-10
Severity: Information
CVE identifier: CVE-2022-0667 | CVE-2022-0635 | CVE-2022-0396 | CVE-2021-25220
Not affected products: Qnap products
Status: Not affected

Internet Systems Consortium (ISC) recently disclosed multiple vulnerabilities in ISC BIND:

  • CVE-2022-0667: Assertion failure on delayed DS lookup

  • CVE-2022-0635: DNAME insist with synth-from-dnssec enabled

  • CVE-2022-0396: DoS from specifically crafted TCP packets

  • CVE-2021-25220: DNS forwarders – cache poisoning vulnerability

Qnap products are not affected.

Multiple Vulnerabilities in Apache HTTP Server
Release date: April 20, 2022
Security ID: QSA-22-11
Severity: Medium
CVE identifier: CVE-2022-22719 | CVE-2022-22720 | CVE-2022-22721 | CVE-2022-23943
Affected products: Certain Qnap NAS

The Apache Software Foundation and the Apache HTTP Server Project announced multiple vulnerabilities that have been fixed in their latest release of Apache HTTP server 2.4.53:

  • CVE-2022-22719: moderate: mod_lua: Use of uninitialized value of in r:parsebody

  • CVE-2022-22720: important: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

  • CVE-2022-22721: low: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

  • CVE-2022-23943: important: mod_sed: Read/write beyond bounds

While CVE-2022-22719 and CVE-2022-22720 do not affect Qnap products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP server on their Qnap device.

The company is thoroughly investigating the two vulnerabilities that affect the firm’s products and will release security updates as soon as possible.
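
An added example, not code from Qnap or the Apache project: a minimal audit of an exported Apache configuration for the two exposure conditions named above (mod_sed loaded; LimitXMLRequestBody unlimited or very large on a 32-bit system). The function name, the sample configuration and the 350 MB threshold are assumptions; Include files and statically compiled modules are not examined.

```python
# Assumption: size above which a 32-bit build is treated as exposed. The
# advisory text only says "very large or unlimited"; adjust to vendor guidance.
LARGE_BODY_BYTES = 350 * 1024 * 1024


def audit_apache_config(text, is_32bit, large=LARGE_BODY_BYTES):
    """Return a sorted list of CVE ids the configuration text is exposed to."""
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments start the line
            continue
        parts = line.split()
        directive = parts[0].lower()           # directive names are case-insensitive
        args = parts[1:]
        if directive == "loadmodule" and args:
            module = args[0].lower()
            path = args[1].lower() if len(args) > 1 else ""
            if module == "sed_module" or path.endswith("mod_sed.so"):
                findings.add("CVE-2022-23943")
        elif directive == "limitxmlrequestbody" and args and is_32bit:
            try:
                limit = int(args[0])
            except ValueError:
                continue                       # malformed value, nothing to compare
            if limit == 0 or limit > large:    # 0 disables the check in affected releases
                findings.add("CVE-2022-22721")
    return sorted(findings)


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONF = """\
# LoadModule sed_module modules/mod_sed.so
LoadModule lua_module modules/mod_lua.so
loadmodule sed_module modules/mod_sed.so
<Directory "/srv/www">
    LimitXMLRequestBody 0
</Directory>
"""

if __name__ == "__main__":
    print("32-bit:", audit_apache_config(SAMPLE_CONF, is_32bit=True))
    print("64-bit:", audit_apache_config(SAMPLE_CONF, is_32bit=False))
```

An empty result only means neither condition appears in the text that was checked; it does not replace installing the vendor's update once released.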
