
Qnap Security Advisory Bulletin ID: QSA-24-19 Vulnerability in XZ Utils

QTS, QuTS hero, and QuTScloud NAS OSs not affected

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerability in XZ Utils
Security ID: QSA-24-19
Release date: April 2, 2024
CVE identifier: CVE-2024-3094
Severity: None
Status: Not affected
Affected products: N/A

Summary
A critical security vulnerability has been discovered in XZ Utils versions 5.6.0 and 5.6.1. It allows unauthorized remote access to systems via a backdoor embedded in the liblzma library. If exploited, users are at risk of unauthorized remote access to their systems.

QTS, QuTS hero, and QuTScloud NAS OSs are not affected.

Recommendation
To verify if your system is affected by the vulnerability, you can run the following command in SSH with administrator privileges:

  • xz --version

If the listed version is not 5.6.0 or 5.6.1, your system is secure. The company recommends regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available for your NAS model.
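
The check above can be scripted. The following is an added example, not part of Qnap's advisory: it classifies the output of xz --version against the two versions named above, and it also reads the liblzma line that the command prints, since the backdoor is in that library. The function name, the result strings and the sample outputs are assumptions made for this illustration.

```shell
#!/bin/sh
# Classify the text printed by `xz --version` against the two versions
# named in the advisory (5.6.0 and 5.6.1).
# Prints one of: affected | not-affected | unknown
classify_xz_version() {
    # $1 = full output of `xz --version`, which normally has two lines:
    #   xz (XZ Utils) <version>
    #   liblzma <version>
    # Extract the version from both lines; the library can differ from the tool.
    versions=$(printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' \
        -e 's/^liblzma \([0-9][0-9.]*\).*/\1/p')

    # No recognisable version line: do not report "not-affected" by default.
    [ -n "$versions" ] || { echo unknown; return; }

    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) echo affected; return ;;
        esac
    done
    echo not-affected
}

# Constructed sample outputs (not captured from a real NAS).
SAMPLE_OLD='xz (XZ Utils) 5.2.5
liblzma 5.2.5'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_MIXED='xz (XZ Utils) 5.4.1
liblzma 5.6.0'

# Run with the argument "local" to check the system the script runs on.
if [ "${1:-}" = "local" ]; then
    if out=$(xz --version 2>/dev/null); then
        classify_xz_version "$out"
    else
        echo unknown   # xz not installed or not in PATH
    fi
fi
```

Saved as a script and run with the argument local over SSH, it prints a single word that can be collected across several hosts.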

Revision history:

V1.0 (April 02, 2024) – Published

Contact: Questions regarding this issue
