Security News > 2022 > April > QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities
2022-04-22 01:15

Network-attached storage appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.

The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier -.

CVE-2022-22721 - Possible buffer overflow with very large or unlimited LimitXMLRequestBody.

CVE-2022-23943 - Out-of-bounds Write vulnerability in mod sed of Apache HTTP Server.

"While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod sed in Apache HTTP Server on their QNAP device," the Taiwanese company said in an alert published this week.

In the absence of readily available security updates, QNAP has offered workarounds, including "Keeping the default value '1M' for LimitXMLRequestBody" and disabling mod sed, adding that the mod sed feature is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.


News URL

https://thehackernews.com/2022/04/qnap-advises-users-to-update-nas.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-03-14 CVE-2022-23943 Out-of-bounds Write vulnerability in multiple products
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.
network
low complexity
apache fedoraproject debian oracle CWE-787
critical
9.8
2022-03-14 CVE-2022-22721 Integer Overflow or Wraparound vulnerability in multiple products
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.
network
low complexity
apache fedoraproject debian oracle apple CWE-190
critical
9.1
2022-03-14 CVE-2022-22720 HTTP Request Smuggling vulnerability in multiple products
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
network
low complexity
apache fedoraproject debian oracle apple CWE-444
critical
9.8
2022-03-14 CVE-2022-22719 Improper Initialization vulnerability in multiple products
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.
network
low complexity
apache debian fedoraproject oracle apple CWE-665
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 549 713 367 1642
Qnap 80 4 97 122 76 299