Network-attached storage (NAS) device manufacturer QNAP on Thursday said it is investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP Server last month.
The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and affect Apache HTTP Server versions 2.4.52 and earlier:
- CVE-2022-22721 – Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943 – Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server
Both vulnerabilities, along with CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of version 2.4.53, which was shipped on March 14, 2022.
“While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the Taiwanese company said in an alert published today.
In the absence of readily available security updates, QNAP has offered workarounds, including “keeping the default value ‘1M’ for LimitXMLRequestBody” and disabling mod_sed, adding that the mod_sed feature is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
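To check a configuration against both workarounds, the following added example (not QNAP's or Apache's own tooling) scans Apache configuration text for an active `LoadModule sed_module` line and for any `LimitXMLRequestBody` set to unlimited or raised above the default. It assumes Apache's documented default of 1000000 bytes for the "1M" value; the sample configuration and the `audit` function name are constructed for illustration.

```python
import re

# Apache's documented default in bytes; assumed to be the "1M" named in the workaround.
DEFAULT_XML_LIMIT = 1_000_000

# Constructed sample configuration, not taken from any real QNAP device.
SAMPLE_CONF = """\
# LoadModule sed_module modules/mod_sed.so
LoadModule dav_module modules/mod_dav.so
LoadModule sed_module modules/mod_sed.so
<Directory "/share/Web">
    LimitXMLRequestBody 0
</Directory>
<Location /dav>
    limitxmlrequestbody 500000
</Location>
"""

# Directive names are case-insensitive in Apache; a leading '#' prevents a match.
DIRECTIVE = re.compile(r"^\s*(LoadModule|LimitXMLRequestBody)\s+(\S+)", re.IGNORECASE)


def audit(conf_text):
    """Return (line_number, finding) pairs for settings that depart from the workarounds."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2)
        if name == "loadmodule":
            if value.lower() == "sed_module":
                findings.append((lineno, "mod_sed is loaded (CVE-2022-23943)"))
            continue
        # LimitXMLRequestBody: 0 means unlimited, larger values raise the cap.
        try:
            limit = int(value)
        except ValueError:
            findings.append((lineno, f"LimitXMLRequestBody value {value!r} is not an integer"))
            continue
        if limit == 0:
            findings.append((lineno, "LimitXMLRequestBody is unlimited (CVE-2022-22721)"))
        elif limit > DEFAULT_XML_LIMIT:
            findings.append((lineno, f"LimitXMLRequestBody {limit} exceeds the default (CVE-2022-22721)"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```

The scan covers only the text it is given, so files pulled in through `Include` directives need to be passed to it separately.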
The advisory comes nearly a month after it disclosed that it is working to resolve an infinite loop vulnerability in OpenSSL (CVE-2022-0778, CVSS score: 7.5) and released patches for the Dirty Pipe Linux flaw (CVE-2022-0847, CVSS score: 7.8).