Qnap Security Advisories Bulletin ID: QSA-23-18, QSA-23-19 and QSA-23-21
Concerning resolved vulnerabilities in QTS, QuTS hero, and QuTScloud NAS OSs
This is a Press Release edited by StorageNewsletter.com on September 20, 2023 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against vulnerabilities that could affect specific versions of the company's products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
- Vulnerability in QTS, QuTS hero, and QuTScloud (ID: QSA-23-18)
- Vulnerabilities in QTS, QuTS hero and QuTScloud (ID: QSA-23-19)
- Vulnerabilities in QTS, QuTS hero, QuTScloud (ID: QSA-23-21)
Vulnerability in QTS, QuTS hero, and QuTScloud
Security ID: QSA-23-18
Release date: September 16, 2023
Severity: High
CVE identifier: CVE-2023-23362
Affected products:
- QTS 5.0.1, 4.5.4; QuTS hero h5.0.1, h4.5.4; QuTScloud c5.0.1
Summary
An OS command injection vulnerability has been reported to affect certain Qnap OSs. If exploited, the vulnerability allows authenticated users to execute commands via a network.
The company has already fixed the vulnerability in the following versions:
- QTS 5.0.1.2376 build 20230421 and later
- QTS 4.5.4.2374 build 20230416 and later
- QuTS hero h5.0.1.2376 build 20230421 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
Vulnerabilities in QTS, QuTS hero and QuTScloud
Security ID: QSA-23-19
Release date: September 16, 2023
Severity: Medium
CVE identifier: CVE-2023-23358 | CVE-2023-23359
Affected products:
- QTS 5.0.1, 4.5.4; QuTS hero h5.0.1, h4.5.4; QuTScloud c5.0.1
Summary
Two out-of-bounds write vulnerabilities have been reported to affect multiple Qnap OSs. If exploited, the vulnerabilities allow authenticated users to launch a denial-of-service (DoS) attack via a network.
The company has already fixed the vulnerabilities in the following OS versions:
- QTS 5.0.1.2346 build 20230322 and later
- QTS 4.5.4.2374 build 20230416 and later
- QuTS hero h5.0.1.2348 build 20230324 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
Vulnerabilities in QTS, QuTS hero, QuTScloud
Security ID: QSA-23-21
Release date: September 16, 2023
Severity: Medium
CVE identifier: CVE-2023-23360 | CVE-2023-23361
Affected products:
- QTS 5.0.1, 4.5.4; QuTS hero h5.0.1, h4.5.4; QuTScloud c5.0.1
Summary
Two NULL pointer dereference vulnerabilities have been reported to affect multiple Qnap OSs. If exploited, the vulnerabilities allow authenticated users to launch a denial-of-service (DoS) attack via a network.
The company has already fixed the vulnerabilities in the following OS versions:
- QTS 5.0.1.2346 build 20230322 and later
- QTS 4.5.4.2374 build 20230416 and later
- QuTS hero h5.0.1.2348 build 20230324 and later
- QuTS hero h4.5.4.2374 build 20230417 and later
- QuTScloud c5.0.1.2374 and later
For questions regarding this issue, contact the company.