LoadMaster Security Vulnerability CVE-2024-6658
This article describes a LoadMaster security vulnerability that affects all LoadMaster releases prior to the patched versions listed below, as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-6658 for the official description.
We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact on customers. Nevertheless, we encourage all customers to upgrade their LoadMaster deployments as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications of important product updates.
This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.
Fix for CVE-2024-6658
An authenticated remote attacker who has access to the LoadMaster management interface and valid LoadMaster credentials can issue a carefully crafted HTTP request that causes arbitrary system commands to be executed on the appliance. The fix sanitizes user-supplied input in the request so that it can no longer be used to execute arbitrary system commands.
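The advisory describes the bug class (an OS command assembled from a parameter of an authenticated HTTP request) and the fix (sanitizing that input) without naming the affected parameter. The following is an added illustration of that class, not LoadMaster's code: the `host` parameter and the diagnostic command it feeds are assumptions for the example, and `echo` stands in for whatever tool the handler would actually run. The vulnerable handler interpolates the parameter into a shell string; the hardened one validates it against an allowlist and passes it as a separate argv element with no shell.

```python
import re
import subprocess

# Constructed example: a request handler that builds an OS command from an
# HTTP parameter. The "host" parameter and the ping-style command are assumed
# for illustration; they are not taken from the LoadMaster advisory.

def run_diag_vulnerable(params: dict) -> str:
    """Interpolates the parameter into a shell command string.
    Shell metacharacters in the parameter (';', '|', '$(...)') become part
    of the command line, so an authenticated caller can append commands."""
    host = params.get("host", "")
    cmd = f"echo ping {host}"  # 'echo' stands in for a real diagnostic tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist: hostname-like token only, and not starting with '-' so the value
# cannot be turned into an option of the invoked program (argument injection).
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def sanitize_host(value: str) -> str:
    """Reject anything that is not a plain hostname/IP literal."""
    if not _HOST_RE.fullmatch(value):
        raise ValueError(f"rejected host parameter: {value!r}")
    return value

def run_diag_hardened(params: dict) -> str:
    """Validates the parameter and passes it as its own argv element.
    Without shell=True there is no shell to interpret metacharacters."""
    host = sanitize_host(params.get("host", ""))
    out = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    injected = {"host": "10.0.0.1; echo INJECTED"}   # constructed malicious input
    print(run_diag_vulnerable(injected), end="")     # the appended command runs
    try:
        run_diag_hardened(injected)
    except ValueError as err:
        print(err)                                   # the input is rejected
```

Note that the argv form alone is not a complete fix: a value such as `-V` would still reach the program as an option, which is why the allowlist rejects a leading dash as well as shell metacharacters.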
Update Details
To benefit from this security enhancement, customers should update to the patched Progress LoadMaster releases listed below as soon as possible:
Product | Affected Versions | Patched Versions | Release Date
--- | --- | --- | ---
LoadMaster | From 7.2.55.0 to 7.2.60.0 (inclusive) | 7.2.60.1 (GA) XML validation file | 12 Sep 2024
LoadMaster | From 7.2.49.0 to 7.2.54.11 (inclusive) | 7.2.54.12 (LTSF) XML validation file | 17 Sep 2024
LoadMaster | 7.2.48.12 and all prior versions | Upgrade to LTSF or GA | See above
Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions | 7.1.35.12 (GA) XML validation file | 03 Oct 2024
Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:
- The individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LMOS versions listed above as soon as possible.
- Note that the MT hypervisor (Manager node) is also vulnerable and should be updated to the patched hypervisor release listed above (7.1.35.12).
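The affected ranges above are split across two LTSF/GA trains plus an open-ended "all prior versions" row, which is easy to misread when triaging a fleet. The following added example (not Progress's tooling) encodes exactly the rows of this table and classifies version strings of the form LoadMaster reports, such as `7.2.54.11`; the inventory it runs over is constructed for the example.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

def parse_version(s: str) -> Version:
    """'7.2.54.11' -> (7, 2, 54, 11). Shorter strings are padded with zeros
    so '7.2.55' compares as 7.2.55.0; anything non-numeric is rejected."""
    parts = s.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a LoadMaster version string: {s!r}")
    parts += ["0"] * (4 - len(parts))
    return tuple(int(p) for p in parts)  # type: ignore[return-value]

# Rows of the advisory table: (product, lowest affected or None, highest
# affected, remediation). None means "and all prior versions".
ADVISORY = [
    ("LoadMaster", "7.2.55.0", "7.2.60.0", "7.2.60.1 (GA)"),
    ("LoadMaster", "7.2.49.0", "7.2.54.11", "7.2.54.12 (LTSF)"),
    ("LoadMaster", None, "7.2.48.12", "upgrade to 7.2.54.12 (LTSF) or 7.2.60.1 (GA)"),
    ("Multi-Tenant Hypervisor", None, "7.1.35.11", "7.1.35.12 (GA)"),
]

def check(product: str, version: str) -> Optional[str]:
    """Return the remediation for an affected build, or None if the build
    is at or beyond the patched version for its train."""
    v = parse_version(version)
    for prod, low, high, fix in ADVISORY:
        if prod != product:
            continue
        if low is not None and v < parse_version(low):
            continue
        if v <= parse_version(high):
            return fix
    return None

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(name, product, version) rows -> [(name, remediation)] for affected units.
    Both the MT hypervisor and each VNF it hosts are checked against their own row."""
    affected = []
    for name, product, version in inventory:
        fix = check(product, version)
        if fix is not None:
            affected.append((name, fix))
    return affected

if __name__ == "__main__":
    # Constructed inventory; names and versions are not from the advisory.
    sample = [
        ("lm-edge-1", "LoadMaster", "7.2.59.2"),
        ("lm-edge-2", "LoadMaster", "7.2.60.1"),
        ("lm-core-1", "LoadMaster", "7.2.54.11"),
        ("lm-legacy", "LoadMaster", "7.2.48.12"),
        ("mt-host", "Multi-Tenant Hypervisor", "7.1.35.11"),
    ]
    for name, fix in triage(sample):
        print(f"{name}: affected, update to {fix}")
```

The comparison is a plain tuple comparison on the four numeric fields, which is sufficient because LoadMaster version strings are purely numeric; a build on a train newer than anything in the table (for example a later GA) returns None, which means "not listed here", not "verified patched".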
For more information on how to apply the security patches above, refer to the Progress Knowledge Base article on how to upgrade LoadMaster.
We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract.
Comments
Hi and thanks for posting,
The link is working properly for me. What do you see when you click the link?
Mark
Probably an issue with redirection in context of language selection - my URL: Progress Documentation - with /de-DE/ after the domain
If I delete this, the browser redirects (using Edge).
Herr Siegel
Hello,
The link to "security hardening guidelines" is broken. Please fix it. Thanks!
Best Regards
Markus