Security ID : QSA-22-20

PHP Vulnerability


  • Release date : June 22, 2022

  • CVE identifier : CVE-2019-11043

  • Affected products: Certain QNAP NAS

Severity

Low

Status

Fixing


Summary

A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 when they are used with an improperly configured nginx. If exploited, the vulnerability allows attackers to gain remote code execution.

For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS.
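The two conditions above (an affected PHP version, and both nginx and php-fpm running) can be checked with a short script. This is an added example, not QNAP code; the function names and the `--live` switch are hypothetical, and it assumes `ps` and `php` are on the PATH of the shell you run it from.

```shell
#!/bin/sh
# Added triage example, not QNAP code. Version thresholds come from the advisory.

# php_status VERSION -> prints "affected", "fixed" or "unlisted"
# ("unlisted" = a branch the advisory does not mention; not assessed here).
php_status() {
    v=${1%%[!0-9.]*}                 # drop suffixes such as "-dev"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    case "$major.$minor" in
        7.1) fixed=33 ;;
        7.2) fixed=24 ;;
        7.3) fixed=11 ;;
        *)   echo unlisted; return ;;
    esac
    if [ "${patch:-0}" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# exposure PROCESS_LIST VERSION -> prints "exposed" only when both services
# run and the PHP version is in an affected range; otherwise says why not.
exposure() {
    case $1 in *nginx*) ;; *) echo "not-exposed: nginx not running"; return ;; esac
    case $1 in *php-fpm*) ;; *) echo "not-exposed: php-fpm not running"; return ;; esac
    case $(php_status "$2") in
        affected) echo exposed ;;
        fixed)    echo "not-exposed: PHP $2 is a fixed release" ;;
        *)        echo "unknown: PHP $2 is outside the listed branches" ;;
    esac
}

# Live use on the NAS (assumes ps and php are on PATH): sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    exposure "$(ps 2>/dev/null)" "$(php -r 'echo PHP_VERSION;' 2>/dev/null)"
fi
```

A result of `exposed` means both preconditions from this advisory hold; it does not inspect the nginx configuration itself.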

If your QNAP NAS is running nginx and php-fpm, the vulnerability affects the following QNAP operating system versions:

  • QTS 5.0.x
  • QTS 4.5.x
  • QuTS hero h5.0.x
  • QuTS hero h4.5.x
  • QuTScloud c5.0.x

We have already fixed this vulnerability in the following OS versions:

  • QTS 5.0.1.2034 build 20220515 and later
  • QTS 5.0.0.2131 build 20220815 and later
  • QTS 4.5.4.2125 build 20220810 and later
  • QuTS hero h5.0.0.2069 build 20220614 and later

We will release security updates for the remaining OS versions as soon as possible.

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Updating QTS, QuTS hero, or QuTScloud

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Revision History:
V1.0 (June 22, 2022) - Published
V1.1 (August 15, 2022) - Security update available for QTS 5.0.0 and QTS 4.5.4
