WD MyCloud NAS OS Vulnerability Patching Plan?

Is there a plan to update the OS elements, e.g. Apache version >2.4.39 and PHP >5.4, to later versions in the factory-released firmware?

Our IT department is considering the current OS elements unsafe, specifically potential exploits with PHP and Apache. From the latest firmware release notes from the EX4, look at the current versions of the OS elements:

  • Apache - v2.4.34.
  • PHP - v5.4.45.
  • OpenSSH - v7.5p1.
  • OpenSSL - v1.0.1u.
  • libupnp - v1.6.25 (CVE-2012-5958).
  • jQuery - v3.3.1 (CVE-2010-5312).
  • Rsync - v3.0.7.

Many of these are years old compared to their current versions, with many exploits publicly known for these past versions. For example, for PHP, sub 5.5 is ancient (in mid-2020) and listed as unsupported by PHP as of 2015! The latest versions of these components on the EX4100 (another, newer product in the line, for example) do not look much better. Right now, the last firmware update for the MyCloud EX4 is almost 18 months old (as of mid-2020).

Please, WD, if this is a product/product line that you are supporting, help your customers to keep them in use by keeping your component versions up to date in your OS! If not in older devices like the EX4, then at least newer devices like the EX4100.

Flagging support for your desktop software and lack of patching activity are forcing the hands of some of your users to move on to other vendors rather than upgrading firmware or moving to newer WD models in the EX line, due to vulnerability concerns and a perceived lack of potential future support. Please help keep your products in the field by providing a roadmap for updates to keep OS components current as a part of your firmware updates, to support your commercial customers in planning for security.
