Update on Previously Disclosed Vulnerabilities

At KEMP Technologies we always welcome the feedback received from our valued customer community. The joint collaboration between our product management organization, product delivery and customers regularly helps to drive product improvements, innovative features and development incentives. A number of opportunities for improvement were recently identified by one of our valued technology contributors* and we wanted to take the time to address these here:


Description: A Remote Code Execution vulnerability was identified in LoadMaster.

Status: Resolved in version 7.1-18a which was made available July 23rd 2014.


Description: It was discovered that the infamous Shellshock Unix Bash vulnerability could impact the LoadMaster web user interface in the case of authenticated users with knowledge of account credentials.

Status: Resolved in version 7.1-20b which was made available on September 27th 2014.


Description: A Denial of Service (thc_ssl_dos) vulnerability was identified in LoadMaster.

Status: Resolved in version 7.1-24a which was made available on February 10th 2015.


Description: A Cross Site Request Forgery vulnerability has been identified in LoadMaster.

Status: Will be resolved in version 7.1-28 scheduled for availability in July 2015. A patch will also be made available for version 7.1-26. Version 7.1-26 is scheduled for general availability May 1st 2015 with early access available now.


Description: A Reflected & Stored XSS vulnerability has been identified in LoadMaster.

Status: Scheduled for resolution in the 7.1-28 release, which is planned for availability in July 2015. A patch will also be made available for version 7.1-26. Version 7.1-26 is scheduled for general availability May 1st 2015 with early access available now.


Affected Versions:

LoadMaster Operating System releases prior to the stated fix versions are impacted by these vulnerabilities, with the exception of our current LTS series, 7.0-10, where the relevant fixes are backported. Version 7.0-10g is the release of this series in which these vulnerabilities were addressed.


All security fixes are included in any subsequent software releases after they are made. For any security concerns please email securityalert@kemptechnologies.com, which escalates the reported issue through the appropriate channels.


*http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html

Comments

maik

Not much left of July for 7.1-28. Is the schedule still up to date?

Derek Kiely

7.1-28a is due for release next Wednesday July 29th.