Qnap Security Advisories QSA-23-12, QSA-23-25, QSA-23-29 for Resolved Vulnerabilities
Concerning Apache HTTP Server, legacy QTS OSs, and Multimedia Console used in NAS
This is a Press Release edited by StorageNewsletter.com on September 27, 2023 at 2:00 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products. Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
- Vulnerabilities in Apache HTTP Server (ID: QSA-23-12)
- Vulnerability in Legacy QTS (ID: QSA-23-25)
- Vulnerability in Multimedia Console (ID: QSA-23-29)
Resolved Vulnerabilities in Apache HTTP Server
Security ID: QSA-23-12
Release date: September 22, 2023
CVE identifier: CVE-2006-20001; CVE-2022-36760; CVE-2022-37436
Affected products: QTS 5.1.0, QuTS hero h5.1.0, QuTScloud c5.0.1
Summary
Multiple vulnerabilities in Apache HTTP Server have been reported to affect certain Qnap OSs.
The company has already fixed the vulnerabilities in the following versions:
- QTS 5.1.0.2348 build 20230325 and later
- QuTS hero h5.1.0.2392 build 20230508 and later
- QuTScloud c5.0.1.2374 and later
Resolved Vulnerability in Legacy QTS
Security ID: QSA-23-25
Release date: September 22, 2023
CVE identifier: CVE-2023-23363
Affected products: QTS 4.3.6, 4.3.4, 4.3.3, 4.2.6
Summary
A buffer copy without checking size of input vulnerability has been reported to affect certain legacy versions of QTS. If exploited, the vulnerability could allow clients to execute code via unspecified vectors.
The company has already fixed the vulnerability in the following versions:
- QTS 4.3.6.2441 build 20230621 and later
- QTS 4.3.4.2451 build 20230621 and later
- QTS 4.3.3.2420 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
QTS versions 4.4.x, 4.5.x, and 5.x are not affected. QuTS hero is also not affected.
Resolved Vulnerability in Multimedia Console
Security ID: QSA-23-29
Release date: September 22, 2023
CVE identifier: CVE-2023-23364
Affected products: Multimedia Console 2.1, 1.4
Summary
A buffer copy without checking size of input vulnerability has been reported to affect certain versions of Multimedia Console. If exploited, the vulnerability could allow clients to execute code via unspecified vectors.
The company has already fixed the vulnerability in the following versions:
- Multimedia Console 2.1.1 (2023/03/29) and later
- Multimedia Console 1.4.7 (2023/03/20) and later
Questions regarding this issue (contact)