Security News > 2022 > April > QNAP asks users to mitigate critical Apache HTTP Server bugs
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices.
The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
QNAP is currently investigating the two security bugs and plans to release security updates in the near future.
"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device," the Taiwan-based NAS maker explained.
Until patches are available, QNAP advises customers to keep the default value "1M" for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and to disable mod_sed as a mitigation for CVE-2022-23943.
The company also notes that the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
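The two mitigations above can be checked by auditing an Apache configuration file. The following is an added example, not code from QNAP or the Apache project: the sample configuration and its paths are constructed, the function name `audit_apache_conf` is hypothetical, "350MB" is read as 350 MiB, and `Include` targets are not followed, so each file is audited separately.

```python
import re

DEFAULT_LIMIT = 1_000_000            # Apache default for LimitXMLRequestBody (the advisory's "1M")
OVERFLOW_LIMIT = 350 * 1024 * 1024   # "350MB" from the CVE text, read as MiB (assumption)

# Constructed sample configuration, not taken from a QNAP device.
SAMPLE_CONF = """\
# LoadModule sed_module modules/mod_sed.so
LoadModule sed_module modules/mod_sed.so
LoadModule dav_module modules/mod_dav.so
LimitXMLRequestBody 1000000
<Directory "/srv/example/dav">
    limitxmlrequestbody 524288000
</Directory>
<Location "/example-upload">
    LimitXMLRequestBody 2097152
</Location>
"""

# Directive names are case-insensitive; commented-out lines start with '#' and never match.
DIRECTIVE = re.compile(r"^\s*(LimitXMLRequestBody|LoadModule)\s+(\S+)", re.IGNORECASE)

def audit_apache_conf(text):
    """Return (line_no, cve, detail) findings for the text of one config file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2)
        if name == "loadmodule":
            if arg == "sed_module":  # module identifier of mod_sed
                findings.append((line_no, "CVE-2022-23943", "mod_sed is loaded"))
            continue
        try:
            limit = int(arg)         # the directive takes a plain byte count
        except ValueError:
            findings.append((line_no, "CVE-2022-22721", f"unparseable limit {arg!r}"))
            continue
        if limit == 0 or limit > OVERFLOW_LIMIT:  # 0 disables the check in 2.4.52 and earlier
            detail = f"limit {limit} is 0 or above 350MB"
        elif limit != DEFAULT_LIMIT:
            detail = f"limit {limit} differs from the default"
        else:
            continue
        findings.append((line_no, "CVE-2022-22721", detail))
    return findings

if __name__ == "__main__":
    print(*audit_apache_conf(SAMPLE_CONF), sep="\n")
```
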
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-14 | CVE-2022-23943 | Out-of-bounds Write vulnerability in multiple products. Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. | 9.8 |
2022-03-14 | CVE-2022-22721 | Integer Overflow or Wraparound vulnerability in multiple products. If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. | 9.1 |