Summary

An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP devices. If exploited, the vulnerability allows attackers to conduct denial-of-service attacks.

The following operating system versions are affected:

• QTS 5.0.x
• QTS 4.5.4
• QTS 4.3.6
• QTS 4.3.3
• QTS 4.2.6
• QuTS hero h5.0.x
• QuTS hero h4.5.4
• QuTScloud c5.0.x
• QNE Network 1.0.x
• QNE ADRA 1.0.x

We have already fixed the vulnerability in the following operating system versions:

• QTS 5.0.1.2034 build 20220515 and later
• QTS 5.0.0.2055 build 20220531 and later
• QTS 4.5.4.2012 build 20220419 and later
• QTS 4.3.6.2050 build 20220526 and later
• QTS 4.3.4.2107 build 20220712 and later
• QTS 4.3.3.2057 build 20220623 and later
• QTS 4.2.6 build 20220623 and later
• QuTS hero h5.0.0.2022 build 20220428 and later
• QuTS hero h4.5.4.2052 build 20220530 and later
• QuTScloud c5.0.1.2044 and later
• QNE Network 1.0.3.q541 and later
• QNE ADRA 1.0.3.q541 and later

Recommendation

Currently there is no mitigation available for this vulnerability. We recommend users to install security updates as soon as they become available.

Updating QTS, QuTS hero, or QuTScloud

1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Click Check for Updates.
   QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating QNE Network or QNE ADRA

1. Log on to QNE Network or QNE ADRA as administrator.
2. Go to Control Panel > System > System Update > Firmware Update.
3. Click Check for Update.
   QNE Network or QNE ADRA downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.