Support Product Security

My Cloud Firmware Version 5.23.114

WDC Tracking Number: WDC-22011
Product Line: My Cloud
Published: July 25, 2022

Last Updated: July 25, 2022

Description

My Cloud OS 5 Firmware 5.23.114 includes updates to help improve the security of your My Cloud OS 5 devices.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.23.114
July 22, 2022
My Cloud PR4100
5.23.114
July 22, 2022
My Cloud EX4100
5.23.114
July 22, 2022
My Cloud EX2 Ultra
5.23.114
July 22, 2022
My Cloud Mirror G2
5.23.114
July 22, 2022
My Cloud DL2100
5.23.114
July 22, 2022
My Cloud DL4100
5.23.114
July 22, 2022
My Cloud EX2100
5.23.114
July 22, 2022
My Cloud
5.23.114
July 22, 2022
WD Cloud
5.23.114
July 22, 2022

For more information on the latest security updates, see the release notes.

Advisory Summary

Western Digital My Cloud Web App uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. As a result, a local user with least privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. This vulnerability was resolved by enabling TLS ConnectionSwitching to a "TLS" context instead of "SSL".

CVE Number: CVE-2022-23000

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0. 

CVE Number: CVE-2022-0562,  CVE-2022-0561,  CVE-2022-0865

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

CVE Number: CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.

Western Digital My Cloud devices were vulnerable to a cross-site scripting vulnerability that could allow an attacker with elevated privileges to access drives being backed up, to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. This was resolved by output sanitization.

CVE Number: CVE-2022-22999