Security ID : QSA-22-11
Multiple Vulnerabilities in Apache HTTP Server
Release date : April 20, 2022
CVE identifier : CVE-2022-22719 | CVE-2022-22720 | CVE-2022-22721 | CVE-2022-23943
Affected products: Certain QNAP NAS
Severity
Moderate
Status
Fixing
Summary
The Apache Software Foundation and the Apache HTTP Server Project announced multiple vulnerabilities that have been fixed in their latest release of Apache HTTP Server 2.4.53 (https://httpd.apache.org/security/vulnerabilities_24.html#2.4.53):
- CVE-2022-22719: moderate: mod_lua: Use of uninitialized value in r:parsebody
- CVE-2022-22720: important: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
- CVE-2022-22721: low: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943: important: mod_sed: Read/write beyond bounds
QNAP NAS operating systems ship Apache HTTP Server, but no QNAP NAS model is affected as long as it keeps the default configuration:
- CVE-2022-22719: Not Affected
- CVE-2022-22720: Not Affected
- CVE-2022-22721: Only affects 32-bit QNAP NAS models on which the user has raised LimitXMLRequestBody above 350,000,000 (the default is 1000000).
- CVE-2022-23943: Only affects users who have enabled mod_sed in Apache HTTP Server (it is disabled by default).
We have already fixed the vulnerabilities in the following versions of QTS:
- QTS 5.0.0.2055 build 20220531 and later
- QTS 4.5.4.2125 build 20220810 and later
- QuTS hero h5.0.0.2069 build 20220614 and later
- QuTS hero h4.5.4.2052 build 20220530 and later
Recommendation
Security updates for QTS, QuTS hero, and QuTScloud 5.0.x and 4.5.4 will be released soon. We recommend users check back and install security updates as soon as they become available. For legacy versions, follow the instructions below to mitigate the vulnerabilities.
To mitigate CVE-2022-22721, we recommend keeping the default value "1000000" for LimitXMLRequestBody.
To mitigate CVE-2022-23943, disable mod_sed.
Checking the LimitXMLRequestBody Value
- Connect to your NAS via SSH.
- Enter the following command:
- cd /etc; grep LimitXMLRequestBody * -r
- Verify that there are no results. If results appear, verify that each uncommented directive has a value lower than 350,000,000. Note that a value of 0 is not "small": Apache treats LimitXMLRequestBody 0 as no limit at all, so treat it as over the threshold.
If every value passes this check, your system is safe from CVE-2022-22721.
Configuring LimitXMLRequestBody
- Connect to your NAS via SSH.
- Enter the following command:
- cd /etc; grep LimitXMLRequestBody * -r
- For each result, open the configuration file listed. For example, if the path is "/etc/config/apache/apache.conf", enter "vi /etc/config/apache/apache.conf".
- Search for "LimitXMLRequestBody" and change the value to "1000000".
Tip: Press i to start editing the file. Press ESC and then type ":wq" to save and exit.
- Reload Apache HTTP Server by entering the following commands:
- /etc/init.d/thttpd.sh reload
- /etc/init.d/stunnel.sh reload
Checking the mod_sed Configuration
- Connect to your NAS via SSH.
- Enter the following command:
- /usr/local/apache/bin/apachectl -M | grep sed_module
- Verify that there are no results. (apachectl -M lists loaded modules by their internal identifier, so mod_sed shows up as "sed_module (shared)", not as "mod_sed"; grepping for "mod_sed" would never match and would give a false sense of safety.)
This means that mod_sed is not loaded and your system is currently safe from CVE-2022-23943.
Disabling mod_sed
- Connect to your NAS via SSH.
- Enter the following command:
- cd /etc; grep mod_sed * -r
- For each result, open the configuration file listed. For example, if the listed path is "/etc/config/apache/apache.conf", enter "vi /etc/config/apache/apache.conf".
- Comment out the LoadModule directive for mod_sed by adding "#" at the beginning of the line. The module's identifier in that directive is sed_module, so the result looks like:
- #LoadModule sed_module /usr/local/apache/modules/mod_sed.so
Tip: Press i to start editing; press ESC and then type ":wq" to save and exit.
- Reload Apache HTTP Server by entering the following commands:
- /etc/init.d/thttpd.sh reload
- /etc/init.d/stunnel.sh reload
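The two checks and two fixes above, combined into one script. This is an added example written for this page, not QNAP's or Apache's code. It assumes a directory of Apache configuration files that you pass to each function (the advisory greps /etc recursively; on a NAS you would pass /etc/config/apache or /etc); the sample tree it builds, the file names apache.conf and extra/webdav.conf and their contents are constructed for the demonstration. The 350,000,000 threshold and the 1000000 default are the advisory's figures. It goes slightly beyond the advisory's own grep in two ways: it only counts uncommented directives, so an already commented-out LoadModule or LimitXMLRequestBody line does not raise a false alarm, and it flags LimitXMLRequestBody 0, which Apache documents as disabling the limit entirely.

```shell
#!/bin/sh
# Added example (not QNAP's or Apache's code): audit an Apache config tree for the two
# QSA-22-11 mitigations and optionally apply them. The sample tree and its contents are
# constructed; on a NAS, call the functions with /etc/config/apache (or /etc) instead.

THRESHOLD=350000000   # advisory figure: above this, 32-bit models are exposed to CVE-2022-22721
DEFAULT_LIMIT=1000000 # the default LimitXMLRequestBody value the advisory says to keep

# Print every active (uncommented) LimitXMLRequestBody directive whose value is above
# THRESHOLD or is 0 (Apache treats 0 as "no limit"), as file:line:value. Returns 0 when clean.
check_limit_xml() {
    grep -rn '^[[:space:]]*LimitXMLRequestBody[[:space:]]' "$1" 2>/dev/null |
    awk -F: -v max="$THRESHOLD" '
        {
            line = $0
            sub(/^[^:]*:[^:]*:[ \t]*/, "", line)   # drop the "file:line:" prefix and leading blanks
            split(line, w, /[ \t]+/)               # w[1] = directive name, w[2] = value
            value = w[2] + 0
            if (value == 0 || value > max) { printf "%s:%s:%s\n", $1, $2, w[2]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Print active LoadModule lines that load mod_sed. Returns 0 when mod_sed is not loaded.
# (Commented-out lines, e.g. "#LoadModule sed_module ...", are ignored.)
check_mod_sed() {
    if grep -rn '^[[:space:]]*LoadModule[[:space:]].*mod_sed' "$1" 2>/dev/null; then
        return 1   # at least one live LoadModule directive for mod_sed
    fi
    return 0
}

# Reset every active LimitXMLRequestBody to DEFAULT_LIMIT and comment out every active
# LoadModule line for mod_sed. Files are rewritten through a temp copy and "cat >" so the
# original inode and permission bits are kept. The file list is collected before the loop
# so the temp files cannot be picked up by the scan; config paths without whitespace assumed.
apply_mitigations() {
    for f in $(grep -rl -e 'LimitXMLRequestBody' -e 'mod_sed' "$1" 2>/dev/null); do
        sed -e "s/^\([[:space:]]*LimitXMLRequestBody[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$DEFAULT_LIMIT/" \
            -e 's/^\([[:space:]]*\)\(LoadModule[[:space:]].*mod_sed\)/\1#\2/' \
            "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
    done
}

# Constructed sample tree standing in for a NAS's config. The file contents are invented for
# this example (not QNAP's real files) and deliberately contain both problems.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/apache/extra"
    cat > "$dir/apache/apache.conf" <<'EOF'
# constructed sample, not QNAP's real apache.conf
ServerRoot "/usr/local/apache"
LoadModule rewrite_module /usr/local/apache/modules/mod_rewrite.so
LoadModule sed_module /usr/local/apache/modules/mod_sed.so
#LoadModule status_module /usr/local/apache/modules/mod_status.so
LimitXMLRequestBody 500000000
EOF
    cat > "$dir/apache/extra/webdav.conf" <<'EOF'
# constructed sample include: the limit is switched off outright, which is worse than a big number
#LimitXMLRequestBody 1000000
    LimitXMLRequestBody 0
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run against the sample tree; on a NAS point the three functions at the real directory.
SAMPLE=$(make_sample_config)
echo "== before =="
check_limit_xml "$SAMPLE" || echo "-> LimitXMLRequestBody needs attention (CVE-2022-22721)"
check_mod_sed "$SAMPLE"   || echo "-> mod_sed is loaded (CVE-2022-23943)"
apply_mitigations "$SAMPLE"
echo "== after =="
if check_limit_xml "$SAMPLE" && check_mod_sed "$SAMPLE"; then
    echo "both mitigations in place; reload the web server for them to take effect"
fi
rm -rf "$SAMPLE"
```

Run as-is to see the before/after on the constructed sample; on a NAS, source the file and call check_limit_xml, check_mod_sed and apply_mitigations against the real configuration directory, then reload with the thttpd.sh and stunnel.sh commands given above. Editing the files only changes what the server will load next time, so after the reload it is still worth confirming against the running process with apachectl -M as described in the checking step.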
Revision History:
V1.0 (April 20, 2022) - Published
V1.1 (April 26, 2022) - Added mitigation instructions and updated details
V1.2 (June 10, 2022) - Security update available for QTS 5.0.0
V1.3 (July 1, 2022) - Security update available for QuTS hero h5.0.0
V1.4 (August 15, 2022) - Security update available for QTS 4.5.4