My Cloud OS 5 Firmware 5.18.117


WDC Tracking Number: WDC-21012
Published: November 3, 2021

Last Updated:  November 3, 2021

Description

My Cloud OS 5 Firmware 5.18.117 includes an update to help improve the security of your My Cloud devices. Two major security fixes were included in this firmware update.

My Cloud OS 5 devices were vulnerable to a server-side request forgery through an admin interface that is only exposed on the LAN when the Transmission application is installed. A crafted request uri-path could cause mod_proxy to forward the request to an origin server chosen by the remote user. This vulnerability affects the Apache HTTP Server 2.4.4.48 and earlier.

Multiple vulnerabilities have been discovered in the FFmpeg multimedia framework which could cause a denial of service or code execution vulnerability if malformed files or streams are processed.

Product Impact
Last Updated
My Cloud PR2100
October 28, 2021
My Cloud PR4100
October 28, 2021
My Cloud EX4100
October 28, 2021
My Cloud EX2 Ultra
October 28, 2021
My Cloud Mirror Gen 2
October 28, 2021
My Cloud DL2100
October 28, 2021
My Cloud DL4100
October 28, 2021
My Cloud EX2100
October 28, 2021
My Cloud
October 28, 2021
WD Cloud
October 28, 2021

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

Addressed multiple Apache HTTP Server vulnerabilities by updating the version to 2.4.38-3+deb10u6.

Western Digital would like to thank Derek Abdine of Censys, Inc. for notifying us of the Apache vulnerability.