QNAP Security Update Advisory (CVE-2023-47218, CVE-2023-50358)

Overview

 

QNAP (https://www.qnap.com/) has released an update that fixes vulnerabilities in its products. Users of affected versions are advised to update to the latest version.

 

Affected Products

 

  • QTS 5.x versions
  • QTS 4.x versions
  • QuTS hero h5.x versions
  • QuTS hero h4.x versions
  • QuTScloud 5.x versions

 

Resolved Vulnerabilities

 

OS command injection vulnerabilities in QNAP products that could allow command execution over the network (CVE-2023-47218, CVE-2023-50358)

 

Vulnerability Patches

 

Vulnerability patches were made available in the February 13, 2024 update. Please update to the latest patched version as listed on the reference site.

  • QTS 5.1.0.2444 build 20230629 or later
  • QTS 5.0.1.2145 build 20220903 or later
  • QTS 5.0.0.1986 build 20220324 or later
  • QTS 4.5.4.2012 build 20220419 or later
  • QTS 4.3.6.2665 build 20240131 or later
  • QTS 4.3.4.2675 build 20240131 or later
  • QTS 4.3.3.2644 build 20240131 or later
  • QTS 4.2.6 build 20240131 or later
  • QuTS hero h5.1.0.2466 build 20230721 or later
  • QuTS hero h5.0.1.2192 build 20221020 or later
  • QuTS hero h5.0.0.1986 build 20220324 or later
  • QuTS hero h4.5.4.1991 build 20220330 or later

 

Referenced Sites

 

[1] CVE-2023-47218 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-47218
[2] CVE-2023-50358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50358
[3] Multiple Vulnerabilities in QTS, QuTS hero and QuTScloud
https://www.qnap.com/en/security-advisory/qsa-23-57