Network-attached storage (NAS) appliance maker QNAP on Thursday said it is investigating its product lineup for potential impact from two security vulnerabilities that were addressed in the Apache HTTP Server last month.
The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and affect Apache HTTP Server versions 2.4.52 and earlier:
- CVE-2022-22721 – Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943 – Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server
Both vulnerabilities, alongside CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of version 2.4.53, which shipped on March 14, 2022.
"While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device," the Taiwanese company said in an advisory published this week.
In the absence of readily available security updates, QNAP has offered workarounds, which include "keeping the default value '1M' for LimitXMLRequestBody" and disabling mod_sed, adding that the mod_sed feature is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
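The two workarounds above are both plain httpd configuration settings, so an administrator can audit a config for them before the vendor patch lands. The script below is an added example (not QNAP's or The Hacker News' code) that scans an Apache configuration for a `LimitXMLRequestBody` set to 0 (unlimited) or above the 1M default, and for an active `LoadModule sed_module` line; `LimitXMLRequestBody` and `sed_module` are the real httpd directive and module names, while the two sample configs and the `audit_httpd_conf` helper are constructed for this illustration.

```python
import re

# Constructed sample httpd.conf fragments (not taken from QNAP or the advisory).
# The weak one loads mod_sed and removes the XML body limit entirely.
WEAK_CONF = """\
LoadModule sed_module modules/mod_sed.so
<Directory "/var/www/html">
    LimitXMLRequestBody 0
</Directory>
"""

# The hardened one keeps mod_sed commented out and the limit at httpd's default.
HARDENED_CONF = """\
#LoadModule sed_module modules/mod_sed.so
<Directory "/var/www/html">
    LimitXMLRequestBody 1000000
</Directory>
"""

# httpd's built-in default for LimitXMLRequestBody is 1000000 bytes ("1M"),
# the value the QNAP advisory says to keep. A value of 0 disables the check.
DEFAULT_LIMIT = 1_000_000

LIMIT_RE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)
SED_RE = re.compile(r"^\s*LoadModule\s+sed_module\b", re.IGNORECASE)


def audit_httpd_conf(text):
    """Return a list of (line_number, message) findings for the two workarounds.

    Only uncommented directive lines are considered; a '#' at the start of the
    line means the directive is inactive and therefore not a finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = LIMIT_RE.match(line)
        if m:
            value = int(m.group(1))
            if value == 0:
                findings.append((lineno, "LimitXMLRequestBody 0 removes the limit entirely "
                                         "(CVE-2022-22721 exposure on 32-bit systems)"))
            elif value > DEFAULT_LIMIT:
                findings.append((lineno, f"LimitXMLRequestBody {value} exceeds the 1M default "
                                         "the advisory says to keep"))
        elif SED_RE.match(line):
            findings.append((lineno, "mod_sed is loaded; the advisory recommends disabling it "
                                     "(CVE-2022-23943)"))
    return findings


def audit_file(path):
    """Audit an on-disk httpd config file (hypothetical helper for real use)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_httpd_conf(fh.read())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for lineno, msg in audit_httpd_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Running it prints two findings for the weak fragment and none for the hardened one; to check a real appliance, point `audit_file` at each config file httpd includes, since these directives may live in a dropped-in `.conf` rather than the main file.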
The advisory arrives nearly a month after the company disclosed that it is working to fix an infinite loop vulnerability in OpenSSL (CVE-2022-0778, CVSS score: 7.5) and released patches for the Dirty Pipe Linux flaw (CVE-2022-0847, CVSS score: 7.8).
Some parts of this article are sourced from:
thehackernews.com