My Cloud OS 5 Firmware 5.18.117
WDC Tracking Number: WDC-21012
Published: November 3, 2021
Last Updated: November 3, 2021
Description
My Cloud OS 5 Firmware 5.18.117 includes an update to help improve the security of your My Cloud devices. Two major security fixes were included in this firmware update.
My Cloud OS 5 devices were vulnerable to a server-side request forgery through an admin interface that is only exposed on the LAN when the Transmission application is installed. A crafted request uri-path could cause mod_proxy to forward the request to an origin server chosen by the remote user. This vulnerability affects the Apache HTTP Server 2.4.4.48 and earlier.
Multiple vulnerabilities were discovered in the FFmpeg multimedia framework that could result in denial of service or code execution if malformed files or streams are processed.
For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/
Advisory Summary
Addressed multiple Apache HTTP Server vulnerabilities by updating the version to 2.4.38-3+deb10u6.
CVE Numbers: CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
Western Digital would like to thank Derek Abdine of Censys, Inc. for notifying us of the Apache vulnerability.
Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.
CVE Numbers: CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291