Network-attached storage (NAS) equipment maker QNAP said on Thursday that it is investigating its product lineup for potential impact from two security vulnerabilities that were addressed in the Apache HTTP Server last month.
The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and affect Apache HTTP Server versions 2.4.52 and earlier –
- CVE-2022-22721 – Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943 – Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server
Both vulnerabilities, alongside CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of version 2.4.53, which shipped on March 14, 2022.
“While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the Taiwanese company said in an advisory published this week.
In the absence of available security updates, QNAP has offered workarounds, including “keeping the default value ‘1M’ for LimitXMLRequestBody” and disabling mod_sed, adding that the mod_sed function is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
The advisory comes almost a month after the company disclosed that it is working to resolve an infinite loop vulnerability in OpenSSL (CVE-2022-0778, CVSS score: 7.5) and released patches for the Dirty Pipe Linux flaw (CVE-2022-0847, CVSS score: 7.8).
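The following is an added example, not code from QNAP or the Apache project: a small POSIX shell audit that checks an httpd.conf for the two workarounds the advisory names. It assumes a plain Apache-style config file where LimitXMLRequestBody is given in bytes (the 1M default is 1000000, and 0 means unlimited) and mod_sed is enabled by an uncommented LoadModule line for sed_module; the sample configs below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the QNAP advisory: audit an httpd.conf for the two
# workarounds the advisory names. A finding is any LimitXMLRequestBody above the
# 1M (1000000 byte) default or set to 0 (Apache treats 0 as unlimited), or an
# uncommented LoadModule line for sed_module. Returns 0 when clean, 1 otherwise.

audit_httpd_conf() {
    conf="$1"
    rc=0
    # Drop comment lines first so a commented-out directive is not counted.
    bad_limit=$(sed 's/^[[:space:]]*#.*//' "$conf" | awk '
        tolower($1) == "limitxmlrequestbody" {
            v = $2
            if (v !~ /^[0-9]+$/ || v + 0 == 0 || v + 0 > 1000000) print v
        }')
    if [ -n "$bad_limit" ]; then
        echo "FINDING: LimitXMLRequestBody '$bad_limit' exceeds the 1M default or is unlimited"
        rc=1
    fi
    if sed 's/^[[:space:]]*#.*//' "$conf" | grep -qiE '^[[:space:]]*LoadModule[[:space:]]+sed_module'; then
        echo "FINDING: mod_sed is loaded; disable it until a fixed Apache build is installed"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs (not real QNAP files): one with the risky settings
# and one with the advisory's workarounds applied.
weak_conf=$(mktemp)
hardened_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hardened_conf"' EXIT
cat > "$weak_conf" <<'EOF'
LoadModule sed_module modules/mod_sed.so
# 0 disables the request body limit entirely
LimitXMLRequestBody 0
EOF
cat > "$hardened_conf" <<'EOF'
#LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 1000000
EOF

for f in "$weak_conf" "$hardened_conf"; do
    echo "== $f"
    audit_httpd_conf "$f" && echo "OK: workarounds in place"
done
```

On a live system, point the function at the Apache config actually in use and confirm the module state with the server's module listing rather than the config alone.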