FreeNAS 12.0-U8 Vulnerabilities on httpd and openSSL

L

llaeti

Cadet
Joined
Mar 18, 2022
Messages
1
Hello,

I noticed that TrueNAS 12.0-U8 may be vulnerable to CVE-2021-41524, CVE-2021-41773 (Apache httpd vulnerabilities) and CVE-2021-41617 (Openssh) and wanted to check the correct steps to mitigate them.

The Apache httpd vulnerabilities have a CVSS v3 score of 7.5 (high) and appear to be exploitable with Metasploit.
The OpenSSH vulnerability is rated with a CVSS v3 score of 7.0.

1) Is TrueNAS really vulnerable?
2) Is there a patch available or planned in the next release?
3) How to mitigate it?

Thank you for your answer.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
httpd is only used for webdav service. According to FreeBSD's vulnxml database the CVEs about it were fixed in apache version 2.4.50. We are on 2.4.51_2.

We don't expose the options affected by CVE-2021-41617.
 
You must log in or register to reply here.

Important Announcement for the TrueNAS Community.

The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums.

Related topics on forums.truenas.com for thread: "FreeNAS 12.0-U8 Vulnerabilities on httpd and openSSL"

Similar threads

S
CVE-2021-44142: Versions of Samba prior to 4.13.17 Vuln
Replies
6
Views
2K
anodos
anodos
eturgeon
TrueNAS 12.0-U8 Released
2
Replies
35
Views
11K
NASbox
N
Z
  • Locked
Nextcloud jail and openssl version
Replies
4
Views
4K
zoomzoom
zoomzoom
N
  • Locked
HOW-TO: NextCloud 10 w/ Apache, PHP, and MariaDB
2 3 4 5 6
Replies
112
Views
74K
pakka
P
Top