Multiple Vulnerabilities in Apache Log4j Library

Summary

Several vulnerabilities have been reported to affect the Apache Log4j Java logging library. If exploited, these vulnerabilities allow attackers to execute arbitrary code. The vulnerabilities were disclosed in December 2021:

• CVE-2021-44228: Apache Log4j 2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
• CVE-2021-45046: Apache Log4j 2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
• CVE-2021-45105: Apache Log4j 2 does not always protect from infinite recursion in lookup evaluation
• CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

We have determined that the QTS, QuTS hero, and QES operating systems are not affected.
For applications which depend on Java Runtime Environment, our findings are as follows.

Applications maintained by QNAP:

• Qsirch - Not affected

Applications maintained by a third-party provider:

• Tomcat (Adnovea) - Affected. Disabled in App Center.
• Tomcat8 (Adnovea) - Affected. Disabled in App Center.
• SuperSync iTunes Media Manager (SuperSync) - The vendor has not responded. Disabled in App Center.
• MinimServer (Simon Nash) - Not affected
• WorldCard Team (PenPower Technology Ltd.) - Not affected
• nConnect (NKN.org) - Not affected

Recommendation

For users running any of the applications that are affected by the vulnerabilities, we strongly recommend taking the following actions to protect your device:

1. Stop the application temporarily.
2. Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.

To fully secure your device, we highly recommend reading the following article: What is the best practice for enhancing NAS security?

Stopping an Application

1. Log on to QTS or QuTS hero as administrator.
2. Open the App Center and then click .
   A search box appears.
3. Enter the application name.
   The application appears in the search results.
4. Click the arrow below the application icon and then select Stop.
   QTS or QuTS hero stops the application.

Changing the System Port Number

1. Log on to QTS or QuTS hero as administrator.
2. Go to Control Panel > System > General Settings > System Administration.
3. Specify a new system port number.
   Warning: Do not use 443 or 8080.
4. Click Apply.
   QTS or QuTS hero applies the new system port number.