Hello - today, Oct 28, 2020, I upgraded to OS 5 for the PR 4100 seamlessly. The number of High Level vulnerabilities has been significantly reduced from 28 to 3.
Only 3 High Vulnerabilities remain; 2 are via jQuery:
Findings via RADAR:
jQuery - which has reached its end of life: “This version of the jQuery library has reached end-of-life status.” Vendor Info: Active development for version of jQuery library, used in scanned application, has ended. Vendor announced that jQuery 1.x and 2.x branches will no longer receive patches or
Solution: Upgrade to the latest version of the jQuery library.
Python through 2.7.17, 3.5.9, 3.6.10, 3.7.6 and 3.8.1 Regular Expression Denial of Service Vulnerability.
Insight: The remote Python implementation is affected by a denial of service vulnerability.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.7, and 3.8 through 3.8.2 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. The vulnerability is based on the following retrieved information from 5357/TCP
Solution: Upgrade to the latest Python version. The vendor has prepared a fix for this issue in versions 3.5.10, 3.6.11, 3.7.8 and 3.8.3. Reference: CVE-2020-8492
WD may require proper tools to glean such visibility, which will reveal the vulnerabilities. These PR series consumer-based units should be checked regularly for the protection of the end users. The above information is only as of today, 10-28-20. Breaches to all software can occur on a regular basis.
My report also shows that 29 Medium level vulnerabilities currently exist. I wish to note this WD OS 5 upgrade is a significant improvement over OS 3. I have sent a full report to your team via email indicating where the risks lie. Thank you.