Qnap Security Advisory Bulletin ID: QSA-21-53 and QSA-21-62

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Advisory includes following:

Exposure of sensitive information in QTS, QuTS hero, and QuTScloud
Release date: December 30, 2021
Security ID: QSA-21-53
Severity: Medium
CVE identifier: CVE-2021-34347
Affected products: All Qnap NAS

Summary
A vulnerability involving exposure of sensitive information has been reported to affect the firm’s NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system.

The company have already fixed this vulnerability in following versions of QTS, QuTS hero, and QuTScloud:

QTS 4.5.4.1787 build 20210910 and later
QuTS hero h4.5.4.1771 build 20210825 and later
QuTScloud c4.5.7.1864 and later

Informations

Vulnerabilities in Apache HTTP Server
Release date: December 30, 2021
Security ID: QSA-21-62
CVE identifier: CVE-2021-44224 | CVE-2021-44790
Affected products: None
Not affected products: QTS, QuTS hero, and QuTScloud

Summary
The Apache Software Foundation has reported two vulnerabilities affecting Apache HTTP Server. If exploited, one of the vulnerabilities may allow a remote attacker to take control of the affected system:

CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

The company have determined that the QTS, QuTS hero, and QuTScloud operating systems are not affected.

Informations

Contact Qnap Service Portal