
QNAP asks users to mitigate critical Apache HTTP Server bugs
2022-04-21 17:03

QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices.

The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.

QNAP is currently investigating the two security bugs and plans to release security updates in the near future.

"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device," the Taiwan-based NAS maker explained.

Until patches are available, QNAP advises customers to keep the default value "1M" for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and to disable mod_sed as the CVE-2022-23943 mitigation.

The company also notes that the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
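Both interim mitigations can be verified from the NAS shell by reading the Apache configuration. The script below is an added example, not QNAP's or Apache's own code. It assumes standard httpd.conf syntax: mod_sed is loaded by an uncommented "LoadModule sed_module ..." line, and LimitXMLRequestBody is given as a byte count (Apache's default is 1000000 bytes, the "1M" in the advisory; CVE-2022-22721 requires a value above roughly 350MB on 32-bit builds). The two sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an Apache httpd config for the two QNAP interim mitigations.
# The sample configs written below are constructed, not taken from a real device.

DEFAULT_XML_LIMIT=1000000     # Apache default for LimitXMLRequestBody (bytes)
OVERFLOW_THRESHOLD=350000000  # CVE-2022-22721 needs a limit above ~350MB (32-bit)

# Print the highest active LimitXMLRequestBody value in a config file (0 if unset).
# Commented-out directives never match because "#" is part of or precedes $1.
max_xml_limit() {
  awk 'BEGIN { m = 0 }
       tolower($1) == "limitxmlrequestbody" && $2 + 0 > m { m = $2 + 0 }
       END { print m }' "$1"
}

# Exit 0 if an uncommented "LoadModule sed_module ..." line is present.
sed_module_loaded() {
  awk 'BEGIN { found = 0 }
       tolower($1) == "loadmodule" && $2 == "sed_module" { found = 1 }
       END { exit !found }' "$1"
}

# Audit one config file: print findings, return 0 only if both mitigations hold.
audit_config() {
  cfg=$1
  status=0
  limit=$(max_xml_limit "$cfg")
  if [ "$limit" -gt "$OVERFLOW_THRESHOLD" ]; then
    echo "FAIL: LimitXMLRequestBody $limit exceeds 350MB (CVE-2022-22721 on 32-bit models)"
    status=1
  elif [ "$limit" -gt "$DEFAULT_XML_LIMIT" ]; then
    echo "WARN: LimitXMLRequestBody $limit is above the default $DEFAULT_XML_LIMIT"
  else
    echo "OK: LimitXMLRequestBody at or below the default"
  fi
  if sed_module_loaded "$cfg"; then
    echo "FAIL: mod_sed is loaded (CVE-2022-23943); comment out the LoadModule line"
    status=1
  else
    echo "OK: mod_sed is not loaded"
  fi
  return $status
}

# Constructed sample configs (one hardened, one with both mitigations missing).
SAFE_CFG=$(mktemp)
RISKY_CFG=$(mktemp)
trap 'rm -f "$SAFE_CFG" "$RISKY_CFG"' EXIT
cat > "$SAFE_CFG" <<'EOF'
# constructed sample: mitigations in place
#LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 1000000
EOF
cat > "$RISKY_CFG" <<'EOF'
# constructed sample: both mitigations missing
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 500000000
EOF

echo "== hardened config =="
audit_config "$SAFE_CFG"
echo "== risky config =="
audit_config "$RISKY_CFG" || true
```

Run it against the real httpd.conf by calling audit_config with that path; on QTS the sed module is expected to be absent from the active LoadModule lines, since the page notes mod_sed is disabled by default there.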


News URL

https://www.bleepingcomputer.com/news/security/qnap-asks-users-to-mitigate-critical-apache-http-server-bugs/

Related Vulnerability

DATE: 2022-03-14
CVE: CVE-2022-23943
TITLE: Out-of-bounds Write vulnerability in multiple products
DESCRIPTION: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.
ATTACK VECTOR: network, low complexity
AFFECTED VENDORS: apache, fedoraproject, debian, oracle
WEAKNESS: CWE-787
RISK: critical (9.8)

DATE: 2022-03-14
CVE: CVE-2022-22721
TITLE: Integer Overflow or Wraparound vulnerability in multiple products
DESCRIPTION: If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.
ATTACK VECTOR: network, low complexity
AFFECTED VENDORS: apache, fedoraproject, debian, oracle, apple
WEAKNESS: CWE-190
RISK: critical (9.1)

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Apache   305        -            59    859      659    313        1890
Qnap     96         -            16    126      133    34         309