Support Product Security

My Cloud Firmware Version 5.25.124

WDC Tracking Number: WDC-22019
Product Line: My Cloud
Published: December 1, 2022

Last Updated: December 1, 2022

Description

My Cloud OS 5 Firmware 5.25.124 includes updates to help improve the security of your My Cloud OS 5 devices

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.25.124
December 1, 2022
My Cloud PR4100
5.25.124
December 1, 2022
My Cloud EX4100
5.25.124
December 1, 2022
My Cloud EX2 Ultra
5.25.124
December 1, 2022
My Cloud Mirror G2
5.25.124
December 1, 2022
My Cloud DL2100
5.25.124
December 1, 2022
My Cloud DL4100
5.25.124
December 1, 2022
My Cloud EX2100
5.25.124
December 1, 2022
My Cloud
5.25.124
December 1, 2022
WD Cloud
5.25.124
December 1, 2022

For more information on the latest security updates, see the release notes.

Advisory Summary

Resolved an authentication issue with the encrypted volumes and auto mount feature. This bug could result in an insecure direct access to the drive information in the case of a device reset.

CVE Number: CVE-2022-29838

Western Digital would like to thank Asim Rehman for reporting this issue.

Addressed a memory out-of-bounds vulnerability that was caused while sending malicious data to the kernel by an ioctl cmd.

CVE Number:  CVE-2021-33655

Updated the curl version to 7.64.0-4+deb10u3 to addressed multiple vulnerabilities that could allow remote attackers to obtain sensitive information, leak authentication or cookie header data, or facilitate a denial-of-service attack.

CVE Number:CVE-2021-22898, CVE-2021-22924, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2022-22576, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208

Updated open-source package FLAC to version 1.3.2-3+deb10u2 to resolve an out-of-bounds write due to missing bounds check which could lead to a local information disclosure with no additional execution privileges needed.

CVE Number:CVE-2021-0561

Configured the Remote Backups application to encrypt credentials to resolve an insufficiently protected credentials issue where if an attacker gains access to a relevant endpoint, they can use that information to access protected data.

CVE Number: CVE-2022-29839

Compare