Security News > 2022 > April > QNAP asks users to mitigate critical Apache HTTP Server bugs
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices.
The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
QNAP is currently investigating the two security bugs and plans to release security updates in the near future.
"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod sed in Apache HTTP Server on their QNAP device," the Taiwan-based NAS maker explained.
Until patches are available, QNAP advises customers to keep the default value "1M" for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and disable mod sed as CVE-2022-23943 mitigation.
The company also notes that the mod sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
News URL
Related news
- Critical Zimbra RCE flaw exploited to backdoor servers using emails (source)
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications (source)
- GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-14 | CVE-2022-23943 | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. | 9.8 |
| 2022-03-14 | CVE-2022-22721 | Integer Overflow or Wraparound vulnerability in multiple products If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. | 9.1 |