Thanks. I updated to 4.2.4 and then was prompted to update to 4.3.3 (all 64-bit). Presumably the issue doesn’t exist in 4.3.3.
Edit: the update to 4.3.3 failed.
Update: 4.3.3 failed due to: SNMPv2-SMI::enterprises.24681.1.1.103.0 “A read/write error occurred on the first boot partition of the flash disk during system update.”
Another try succeeded and I’m now on 4.3.3, but I actually don’t know if 4.3.3 has the command injection vulnerability. Presumably not since I was prompted for the update. BTW, Channels runs fine on 4.3.3 (already reported by a beta user of 4.3.x).
I logged into my TS-251+ and got a prompt to update to 4.3.3. Not sure what was previously running… the UI looks completely different after upgrade, so I must have been on some 4.2.x release.
Presumably the security issue is fixed in 4.3.3.
Checked my logs:
Information 2017/03/15 00:20:17 System 127.0.0.1 localhost [Firmware Update] System updated successfully from 4.2.3(20170121) to 4.2.4(20170313).
Information 2017/04/19 09:25:18 System 127.0.0.1 localhost [Firmware Update] System updated successfully from 4.2.4(20170313) to 4.3.3(20170413).
I guess 4.2.4 was released a month ago, and I was already auto-updated.