CVE-2024-2389 Flowmon critical security vulnerability
Information
Summary:
We recently confirmed the existence of a critical security vulnerability in Flowmon versions v11.x and v12.x.
Environment:
Product: Flowmon
Version: 11.x, 12.x
Platform: All
Question/Problem Description:
Unauthenticated, remote attackers can gain access to the web interface of Flowmon and issue a carefully crafted API command that allows arbitrary system commands to be executed without authentication. All Flowmon versions prior to 11.0 (10.x and lower) are not affected by this vulnerability. Please follow the link to CVE-2024-2389 for detailed information.
Defect Number: CVE-2024-2389
Resolution:
To benefit from the latest security enhancements, customers must install the security patch for one of the Progress Flowmon releases, as listed below.
The patched versions are:
Patched versions are available to all Flowmon customers. After upgrading Flowmon to a patched version, we recommend upgrading all Flowmon modules you are using to the latest available versions.
How to Upgrade: You can apply the update via the Automatic package download feature in your Flowmon appliance or download the release manually. Please follow the links above according to your Flowmon major version, 11 or 12.
FAQ: If you have any questions, concerns, or problems related to this issue, please open a new Technical Support ticket for assistance. Technical Support is available to customers with an active Support subscription. Customers who are not on a current active subscription should contact their Progress Flowmon account representative.
Notes: Reported by David Yesland from Rhino Security Labs