Multiple Vulnerabilities in Apache HTTP Server

Summary

Multiple vulnerabilities have been reported to affect Apach HTTP Server:

• Medium, CVE-2022-26377: Possible request smuggling
• Not affected, CVE-2022-28330: Read beyond bounds in mod_isapi
• Low, CVE-2022-28614: Read beyond bounds via ap_rwrite()
• Low, CVE-2022-28615: Read beyond bounds in ap_strcmp_match()
• Low, CVE-2022-29404: Denial of service in mod_lua r:parsebody
• Low, CVE-2022-30522: mod_sed denial of service
• Low, CVE-2022-30556: Information Disclosure in mod_lua with websockets
• Low, CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

Product Status

The following QNAP operating systems have been affected:

• QTS 5.0.1
• QTS 5.0.0
• QTS 4.5.x/4.4.x
• QTS 4.3.x
• QuTS hero h5.0.1
• QuTS hero h5.0.0
• QuTS hero h4.5.x
• QuTScloud c5.0.1

We have already fixed the vulnerabilities in the following versions:

• QTS 5.0.0.2131 build 20220815 and later
• QTS 4.5.4.2125 build 20220810 and later

Recommendation

To secure your QNAP NAS, we strongly recommend the following actions:

• Do not expose your NAS to the internet.
• If you enabled myQNAPcloud, set up myQNAPcloud on the NAS to enable secure remote access.
• Update your operating system to the latest version.

Reducing Internet Exposure

1. Log in to your router.
2. Disable the UPnP and DMZ functions.
3. Disable all port forwarding rules.
4. Use a VPN to reduce exposure of NAS services to the internet. 
   For details, refer to this document.

Setting Up myQNAPcloud on the NAS 

1. Log on to QTS, QuTS hero, or QuTScloud as an administrator. 
2. Open myQNAPcloud. 
3. Disable UPnP port forwarding. 
   1. Go to Auto Router Configuration. 
   2. Deselect Enable UPnP Port forwarding. 
4. Enable DDNS. 
   1. Go to My DDNS.  
   2. Click the toggle button to enable My DDNS. 
5. Do not publish your NAS services. 
   1. Go to Published Services.  
   2. Deselect all items under Publish. 
   3. Click Apply. 
6. Configure myQNAPcloud Link to enable secure remote access to your NAS via a SmartURL. 
   1. Go to myQNAPcloud Link. 
   2. Click Install to install myQNAPcloud Link on your NAS. 
   3. Click the toggle button to enable myQNAPcloud Link. 
7. Restrict which users who can remotely access your NAS via the SmartURL. 
   1. Go to Access Control. 
   2. Next to Device access controls, select Private or Customized. 
      Note: Selecting Private allows only the QNAP ID logged in to myQNAPcloud to access the NAS via the SmartURL. Selecting Customized allows you to invite other QNAP ID accounts to access the device via the SmartURL. 
   3. If you selected Customized, click Add and specify a QNAP ID to invite the user. 
8. Obtain the SmartURL by going to Overview. 
   For questions on using myQNAPcloud, visit https://support.myqnapcloud.com/. 

Updating QTS, QuTS hero or QuTScloud

1. Log on to QTS, QuTS hero or QuTScloud as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.