QNAP firmware update version QTS build 20211221 and log4j vulnerability

Sicherheit (Pexels, allgemeine Nutzung)[German]The manufacturer QNAP has released a firmware update for its QTS 5 shortly before Christmas. The update closes some vulnerabilities. A log4j vulnerability in QNAP software was also reported. Furthermore, the user community of QNAP NAS drives is currently probably suffering from cyber attacks.


QTS build 20211221

German blog reader Stefan K. contacted me via email on 12/24/2021. He has IT on-call duty over the holidays and thus became aware of a firmware update. Stefan wrote to me:

Good evening Mr. Born,

I am on call over the holidays and I have just become aware of a
firmware update from QNAP, which fixes a whole bunch of security holes.
patched a whole bunch of security holes.

It is about the version QTS build 20211221. In the Release
Notes it says:

[Security Updates]
– Fixed multiple security issues (CVE-2016-2124, CVE-2020-25717,
CVE-2020-25718, CVE-2020-25719, CVE-2020-25722, CVE-2021-3738,
CVE-2020-25721, and CVE-2021-23192).

Maybe the info will help someone.

Happy holidays and a happy new year to you!

With kind regards

Stefan K

Regarding QTS build 20211221 dated 12/23/2021, the release notes state:

QTS build 20211221 2021-12-23

Important Notes

  • Using SSD cache in earlier QTS 5.0.0 versions might cause data corruption issues. We have fixed all identified issues in this release. Important: If you discover suspicious symptoms on your device, DO NOT run a file system check in Storage & Snapshots. To learn more about the circumstances, impacts, and solutions, see our Technical Advisory: https://www.qnap.com/en/technical-advisory/tec-202112-01
  • Removed support for USB printers.
  • To ensure data security, system stability, and storage performance, the maximum number of drives for a single RAID group is now 16 (applicable to RAID 5, RAID 6, and subgroups of RAID 50 and RAID 60). Nevertheless, users can combine multiple RAID groups into a large storage pool that contains more than 16 drives, using RAID 50, RAID 60, or RAID 10 as the RAID configuration. This enhancement will only be applied to new RAID groups. All existing RAID groups and storage systems will not be affected.
  • For the status of QTS updates and maintenance for your NAS model, visit https://www.qnap.com/en/product/eol.php

Security Updates

  • Fixed multiple security issues (CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25722, CVE-2021-3738, CVE-2020-25721, and CVE-2021-23192).

Fixed Issues

  • File Station would stop uploading files when uploading multiple large files at the same time. (Normally, File Station only uploads one file at a time while other files wait in a queue.)
  • Domain users in Active Directory distribution groups could not access NAS shared folders after the NAS joined an Active Directory domain.
  • Download jobs in Download Station would stop when users switched VPN connection from one client to another in QVPN.
  • The LAN-10G2SF-MLX (10 GbE Mellanox network expansion card) would stop working after firmware update to QTS 5.0.0.
  • Users occasionally could not open a shared folder in Snapshot Manager.
  • QTS would not free up storage space after users removed Snapshot Vault from the NAS.
  • Users could not extract RAR archive files in SMB shared folders.
  • A file system issue (EXT4 error) might occur when users enabled SSD cache and then restarted the NAS while performing input/output operations.
  • On the TS-453BT3, Network & Virtual Switch would not display certain information in the Overview section.
  • On the TS-h1886XU-RP, QTS could not detect the M.2 SSD installed on the QM2-2P-384 expansion card if the QM2 was installed on PCIe Slot 4.
  • Files in media folders would occasionally disappear after firmware update to QTS 5.0.0.
  • The TS-853DU-RP and TS-1232PXU-RP could not detect the QXG-10G2T-X710 network expansion card after firmware update to QTS 5.0.0.
  • On the TS-x72, QTS would show an unexpected error message about EFI loader signature on the HDMI display upon NAS startup.
  • Users could not obtain the latest app information when querying with an SNMP MIB browser.
  • Users could not use the TCP port 443 for web service if the UDP port 443 was reserved for another service. (Normally, users should be able to use the same port number for both TCP and UDP without conflicts.)
  • Users could not disable Service Binding for iSCSI service after enabling Service Binding in QTS 4.5.4 and then updating QTS to 5.0.0. (Note: Starting from QTS 5.0.0, Service Binding no longer supports iSCSI service.)
  • Connected external devices would automatically disconnect from the NAS after a long idle time.
  • HDDs could not enter disk standby mode when the specified idle time was reached.
  • A data corruption issue might occur when the usage of SSD cache was over 2 TB.
  • File upload speeds via SMB were slower than expected after users created SSD cache.
  • NAS A could not resolve required domain information when joining a domain if NAS B served as the domain controller.

Known Issues

  • Twonky Server cannot function normally on the TS-h973AX running the latest versions of QTS.
  • Some applications cannot access the NAS when secure connection and TLS 1.3 are enabled. This is due to a known issue in the applications. We will fix this issue in upcoming app releases.
  • macOS Finder takes a long time to display content in SMB shared folders when users connect the Mac to the NAS via Thunderbolt. This problem may be due to Mac device driver issues. It only occurs to Mac devices with Intel processors and macOS 11 (or later versions).
  • Thunderbolt write speeds are lower than expected in QTS 5.0.0. Note: Due to Thunderbolt driver compatibility issues, if you are using macOS 11/12 devices with Intel processors, we do not recommend updating QTS to 5.0.0 for the time being.
  • QTS and QuTS hero with newer kernel versions do not support ATTO Fibre Channel adapters. If you have already installed an ATTO Fibre Channel adapter on your device, we do not recommend updating the firmware to QTS 5.0.0 or QuTS hero h5.0.0 for the time being.
  • Control Panel cannot display the information of the TPU installed in the M.2 slot on the QGD-1602P.
  • After users rename a shared folder, QuLog Center still displays the original folder name in Accessed Resources.
  • The WordPress folder would disappear from the NAS Web Folder after users updated QTS to 5.0.0 and WordPress to 5.7.2. (WordPress could not keep the previous settings during the update.)
  • On certain ARM-based models, non-administrator users cannot access subfolders in the @Recently-Snapshot folder when advanced shared folder permission settings are enabled.
  • A file system issue (EXT4 error) might occur when users disabled or removed SSD cache after using SSD cache.

Other Changes

SSD Profiling Tool

  • QTS no longer pre-installs SSD Profiling Tool by default. Users can install this tool in the App Center.

Control Panel

  • Replaced SQL Server with MariaDB 5/MariaDB 10, which can be installed in the App Center.
  • Removed iSCSI Service from Service Binding in Control Panel. Users can now configure iSCSI service binding settings in iSCSI & Fibre Channel.


  • Qboost is no longer a built-in application of QTS. Users can choose to install Qboost in App Center.

App Center

  • To ensure system security, QTS now automatically disables applications that are not updated and that do not meet the minimum version requirements.
  • Removed support for the following applications, utilities, or services:
    • WebERP
    • GLPI
    • Vtiger CRM
    • Ragic Cloud DB

QVR Pro Client & QVR Smart Client

  • Starting from QTS 5.0.0, HybridDesk Station no longer supports QVR Pro Client (HDMI output). You can install QVR Smart Client on HybridDesk Station as the client software for your QVR Pro, QVR Elite, or QVP surveillance servers. Note that QVR AI Pack License is required for using QVR Smart Client. You can continue using QVR Pro Client on Windows or macOS as the client software for your surveillance servers to watch live views or play back recordings.

NVR Storage Expansion

  • Starting from QTS 5.0.0, NVR Storage Expansion is no longer supported.

Attacks on QNAP devices

In addition, I recently came across the following tweet reporting ongoing attacks on QNAP devices. 

 QNAP Still Dealing With Attacks On NAS Devices

As of 12/23/2021, there is another update to security advisory QSA-21-58, which deals with the Apache Log4j library and vulnerabilities CVE-2021-44228 | CVE-2021-45046 | CVE-2021-45105 | CVE-2021-4104.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *