QNAP, a maker of network-attached storage (NAS) appliances, said Thursday that it is investigating its product line for possible impact from two Apache HTTP server security vulnerabilities that were addressed last month.
CVE-2022-22721 and CVE-2022-23943 are two critical flaws that affect Apache HTTP Server versions 2.4.52 and earlier and are rated 9.8 on the CVSS scoring system.
- CVE-2022-22721 - Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943 - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server
On March 14th, 2022, the project maintainers released version 2.4.53, which included fixes for these three vulnerabilities and CVE-2022-22719 and CVE-2022-22720.
"While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod sed in Apache HTTP Server on their QNAP device," the Taiwanese company said in an alert this week.
When there are no security updates available, QNAP provides workarounds, such as retaining "the default value '1M' for LimitXMLRequestBody" and disabling mod sed, which is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
OpenSSL's infinite loop vulnerability (CVE-2022-0778, CVSS score: 7.5) and the Dirty Pipe Linux flaw were disclosed and patches were released within the month prior to this advisory's publication date (CVE-2022-0847, CVSS score: 7.8).
Post a Comment
Your suggestions and comments are welcome