WDC Tracking Number: WDC-22001
Published: January 13, 2022
Last Updated: January 13, 2022
My Cloud OS 3 Firmware 2.12.144 includes an update to help improve the security of your My Cloud OS 3 devices.
My Cloud OS 3 devices were vulnerable to server-side request forgery (SSRF). A crafted request uri-path could cause mod_proxy to forward the request to an origin server chosen by the remote user. This vulnerability affects Apache HTTP Server 2.4.48 and earlier.
For customers with OS3 devices that are My Cloud OS 5 compatible:
On January 15, 2022, devices that are compatible with My Cloud OS 5 will no longer support prior generations of the My Cloud OS, including My Cloud OS 3. If your device is compatible, you must upgrade to My Cloud OS 5 to continue to access your device remotely. If you don't upgrade your device to My Cloud OS 5 by this deadline, you will only be able to access it locally. After January 15, 2022, remote access, security updates, and technical support will no longer be provided for My Cloud OS 3.
For customers with legacy My Cloud OS 3 devices:
On April 15, 2022, support for prior generations of My Cloud OS, including My Cloud OS 3, will end. If your device isn't compatible with My Cloud OS 5, you will lose remote access and will only be able to access it locally. Devices on these older firmware versions will not receive security fixes or technical support.
To help protect your content now, we recommend that you back up your device, disable remote access, disconnect it from the internet, and protect it with a strong, unique password.
We recommend that all eligible users upgrade to My Cloud OS 5 immediately to benefit from the latest security fixes.
Steps to upgrade to My Cloud OS 5 can be found here: https://support-en.wd.com/app/answers/detail/a_id/30092/
For more information on these My Cloud updates, please review: https://www.westerndigital.com/mycloudupdates
Addressed multiple Apache HTTP Server vulnerabilities by updating the version to 2.4.38-3+deb10u6.
CVE Numbers: CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
Western Digital would like to thank Derek Abdine of Censys, Inc. for reporting this issue.