Security News > 2022 > April > QNAP asks users to mitigate critical Apache HTTP Server bugs
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices.
The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
QNAP is currently investigating the two security bugs and plans to release security updates in the near future.
"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod sed in Apache HTTP Server on their QNAP device," the Taiwan-based NAS maker explained.
Until patches are available, QNAP advises customers to keep the default value "1M" for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and disable mod sed as CVE-2022-23943 mitigation.
The company also notes that the mod sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
News URL
Related news
- QNAP warns of critical auth bypass flaw in its NAS devices (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-14 | CVE-2022-23943 | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. | 9.8 |
| 2022-03-14 | CVE-2022-22721 | Integer Overflow or Wraparound vulnerability in multiple products If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. | 9.1 |