LoadMaster Security Vulnerability CVE-2024-6658

This article describes a LoadMaster security vulnerability that affects all LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-6658 for the official description.

We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.

This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.

Fix for CVE-2024-6658

It is possible for authenticated remote attackers who have access to the LoadMaster management interface, and hold valid LoadMaster credentials, to issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing the user-supplied input in the request so that arbitrary system commands can no longer be executed.

Update Details

To benefit from this security enhancement, customers should update to the latest Progress LoadMaster releases, as listed below, as soon as they are available:

Product                 | Affected Versions                    | Patched Versions                        | Release Date
LoadMaster              | 7.2.55.0 to 7.2.60.0 (inclusive)     | 7.2.60.1 (GA), XML validation file      | 12 Sep 2024
LoadMaster              | 7.2.49.0 to 7.2.54.11 (inclusive)    | 7.2.54.12 (LTSF), XML validation file   | 17 Sep 2024
LoadMaster              | 7.2.48.12 and all prior versions     | Upgrade to LTSF or GA                   | See above
Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions     | 7.1.35.12 (GA), XML validation file     | 03 Oct 2024


Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:

  • The individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LMOS versions listed above as soon as possible.
  • Note that the MT hypervisor or Manager node is also vulnerable and should be updated once a patch is available.
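
The following is an added triage example, not part of this advisory or of any Progress/Kemp tooling: it classifies LoadMaster and LoadMaster MT hypervisor versions against the affected and patched ranges in the table above, so an inventory export can be checked for hosts still needing the update. Version strings are assumed to be dotted numerics such as "7.2.54.12", and the sample inventory is constructed.

```python
# Added example (not from the advisory): map inventory entries to the
# CVE-2024-6658 remediation from the advisory's version table.
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.2.60.1' -> (7, 2, 60, 1); pad to four parts so ranges compare cleanly."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


# (product, lower bound inclusive or None, upper bound inclusive, recommended fix)
# Values come from the advisory table above.
RANGES = [
    ("LoadMaster", "7.2.55.0", "7.2.60.0", "upgrade to 7.2.60.1 (GA)"),
    ("LoadMaster", "7.2.49.0", "7.2.54.11", "upgrade to 7.2.54.12 (LTSF)"),
    ("LoadMaster", None, "7.2.48.12", "upgrade to LTSF 7.2.54.12 or GA 7.2.60.1"),
    ("Multi-Tenant Hypervisor", None, "7.1.35.11", "upgrade to 7.1.35.12 (GA)"),
]


def assess(product: str, version: str) -> Optional[str]:
    """Return the recommended action if (product, version) falls in an affected
    range, or None if it is at/above a patched release or outside the table."""
    v = parse_version(version)
    for prod, lo, hi, fix in RANGES:
        if prod != product:
            continue
        if (lo is None or parse_version(lo) <= v) and v <= parse_version(hi):
            return fix
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Return {host: action} for every affected host in (host, product, version) rows."""
    result = {}
    for host, prod, ver in inventory:
        fix = assess(prod, ver)
        if fix is not None:
            result[host] = fix
    return result


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("lm-edge-01", "LoadMaster", "7.2.59.2"),
    ("lm-edge-02", "LoadMaster", "7.2.60.1"),
    ("lm-dc-01", "LoadMaster", "7.2.54.11"),
    ("lm-legacy", "LoadMaster", "7.2.44.0"),
    ("mt-hyp-01", "Multi-Tenant Hypervisor", "7.1.35.12"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```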

For more information on how to apply the security patches above, refer to the Progress Knowledge Base article on how to upgrade LoadMaster.

We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract.


Comments

Herr Siegel

Hello,

The link to "security hardening guidelines" is broken. Please fix it. Thanks!

Best Regards

Markus

Mark Hoffmann

Hi and thanks for posting,

The link is working properly for me. What do you see when you click the link?

Mark

Herr Siegel

Probably an issue with redirection in the context of language selection - my URL: Progress Documentation - with /de-DE/ after the domain.

If I delete this, the browser redirects (using Edge).