Security ID : QSA-22-12

Multiple Vulnerabilities in Netatalk


  • Release date : April 25, 2022

  • CVE identifier : CVE-2021-31439 | CVE-2022-23121 | CVE-2022-23123 | CVE-2022-23122 | CVE-2022-23125 | CVE-2022-23124 | CVE-2022-0194

  • Affected products: Certain QNAP NAS

Severity

Important

Status

Resolved


Summary

With the release of Netatalk 3.1.13, the Netatalk development team disclosed multiple vulnerabilities, fixed in that release, that affect earlier versions of the software: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, and CVE-2022-0194.

These vulnerabilities currently affect the following QNAP operating system versions:

  • QTS 5.0.x
  • QTS 4.5.4
  • QTS 4.3.6
  • QTS 4.3.3
  • QTS 4.2.6
  • QuTS hero h5.0.x
  • QuTS hero h4.5.4
  • QuTScloud c5.0.x

We have already fixed the vulnerabilities in the following operating system versions:

  • QTS 5.0.1.2034 build 20220515 and later
  • QTS 5.0.0.2055 build 20220531 and later
  • QTS 4.5.4.2012 build 20220419 and later
  • QTS 4.3.6.2050 build 20220526 and later
  • QTS 4.3.4.2107 build 20220712 and later
  • QTS 4.3.3.2057 build 20220623 and later
  • QTS 4.2.6 build 20220623 and later
  • QuTS hero h5.0.0.2022 build 20220428 and later
  • QuTS hero h4.5.4.2052 build 20220530 and later
  • QuTScloud c5.0.1.2044 and later

QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible.

Recommendation

To mitigate these vulnerabilities, disable AFP. We recommend that users check back and install security updates as soon as they become available.

Updating QTS, QuTS hero, or QuTScloud

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Revision History:
V1.0 (April 25, 2022) - Published
V1.1 (May 11, 2022) - Security update available for QuTS hero h5.0.0
V1.2 (May 20, 2022) - Security update available for QTS 5.0.1 Public Beta
V1.3 (June 10, 2022) - Security update available for QTS 5.0.0
V1.4 (June 28, 2022) - Security update available for QTS 4.3.6, QuTS hero h4.5.4 and QuTScloud c5.0.1
V1.5 (July 12, 2022) - Security update available for QTS 4.3.3
V1.6 (July 14, 2022) - Security update available for QTS 4.2.6
V2.0 (July 26, 2022) - Security update available for QTS 4.3.4
V2.1 (June 8, 2023) - Minor content correction
