Updated initial post to include 2.30.193 (05/08/2018) firmware link.
Updated initial post to include My Cloud OS3 September 2018 Security Hotfix Firmware Download for v2.x single bay My Cloud units. This hotfix resolves the following issues:
- Resolved authentication bypass vulnerability (CVE-2018-17153).
Download link: http://download.wdc.com/nas/My_Cloud_GLCR_2.30.196.bin
Single bay/drive My Cloud v2.x firmware updated. OP updated to include this new firmware.
Security Fixes Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE 2016-10107. Resolved multiple cross site request forgery (CSRF) vulnerabilities. Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195). Resolved multiple denial-of-service vulnerabilities. Improved security by disabling SSH shadow information. Resolved a buffer overflow issue that could lead to unauthenticated access. Resolved a click-jacking vulnerability in the web interface. Resolved multiple security issues in the Webfile viewer on-device app. Improved the security of volume mount options. Resolved leakage of debug messages in the web interface. Improved credential handling for the remote MyCloud-to-MyCloud backup feature. Improved credential handling for upload-logs-to-support option. Components Updated Apache - v2.4.34 PHP - v5.4.45 OpenSSH - v7.5p1 OpenSSL - v1.0.1u libupnp - v1.6.25 (CVE-2012-5958) jQuery - v3.3.1 (CVE-2010-5312) Other Bug Fixes Resolved high CPU utilization with ufraw-batch process. Improved remote host port handling.
Direct link to firmware: http://download.wdc.com/nas/My_Cloud_GLCR_2.31.149.bin
I dont see this update on the Annoncement Page https://community.wd.com/c/announcements-and-discussions/news-announcements.
Do I have to upgrade manually?
The 2.30.193 firmware is not the latest. The latest firmware for the v2.x single bay My Cloud units is 2.31.149 (10/19/18); which is announced on the WD announcements page.
Note that most of us here are end users such as yourself. We do not have any control over what WD posts to their announcements page.
If one has the automatic upgrade option enabled in the My Cloud Dashboard Settings it should upgrade one’s firmware to the latest WD released firmware version. If one has the automatic upgrade option disabled then one can download the file and install it manually.
i know, but i was surprised to see that update from May.
as for that update MyCloud unit is not listed to be included!? My Cloud "Authentication Bypass" 09/21/2018
when installing the latest version does this update include previous updates, if ones MyClouds unit misses the last few update fixes? With other words asked: are the updates cumulative?
There may be some security vulnerabilities that affect only certain v2.x My Could units (multi bay) which would explain why the single bay/single drive second generation v2.x My Cloud is not included. WD hides certain features in the My Cloud Dashboard on the single bay v2.x My Cloud that are present in the multi bay v2.x My Cloud units.
Generally (and I assume is the case with WD) the manufacturer would include all previous fixes, both security and otherwise, in their latest firmware.
Can anyone explain why the 2.30 version in early October to address the security vunerablity about anyone being able to bypass into the UI as an admin somehow prevented the drives from connecting to the firmware update servers. I went ahead and updated manually and it now seems to give me the all clear that I have the latest firmware but before that, it was giving me the cannot connect ■■■■. And there was nothing wrong with my network connection.
OP post updated with latest v2.x and 4.x firmware links along with latest GPL firmware links.
what do you mean with “OP post updated”? What is OP?