WD is happy to release the My Cloud EX4 firmware version 2.12.127.
2.12.127 Release Notes
• Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE 2016-10107.
• Resolved multiple cross site request forgery (CSRF) vulnerabilities.
• Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
• Resolved multiple denial-of-service vulnerabilities.
• Improved security by disabling SSH shadow information.
• Resolved a buffer overflow issue that could lead to unauthenticated access.
• Resolved a click-jacking vulnerability in the web interface.
• Resolved multiple security issues in the Webfile viewer on-device app.
• Improved the security of volume mount options.
• Resolved multiple security issues in the EULA onboarding flow.
• Resolved leakage of debug messages in the web interface.
• Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
• Improved credential handling for upload-logs-to-support option.
• Apache -v2.4.34
• PHP -v5.4.45
• OpenSSH -v7.5p1
• OpenSSL -v1.0.1u
• libupnp -v1.6.25 (CVE-2012-5958)
• jQuery -v3.3.1 (CVE-2010-5312)
Other Bug Fixes
• Resolved high CPU utilization with ufraw-batch process.
• Improved remote host port handling
2.11.169 Release Notes
- Resolved security vulnerability (CVE-2017-17560) - Unauthorized access to multipart upload functionality.
2.11.168 Release Notes
- Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.
- Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.
2.11.164 Release Notes
- Resolved issue of unable to toggle ON and OFF the product improvement option.
- Resolved issue of unable to create/import multiple users and groups.
- Resolved issue of unable to open a technical support case from the dashboard.