
LoadMaster Security Vulnerability CVE-2024-7591

This article describes a LoadMaster security vulnerability that affects all LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-7591 for the official description.

We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to announcement notifications via the Support Portal to receive timely notifications for important product updates.

This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.

Fix for CVE-2024-7591

It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system command execution.
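The bug class named above (a request parameter reaching a system command without sanitization) is easiest to understand next to its fix. The following is an added, self-contained illustration written for this article; it is not LoadMaster code and nothing in it is derived from the actual vulnerability. The handler, the "host" parameter and the "ping" command it runs are all constructed assumptions. It shows the unsafe pattern (parameter spliced into a shell string), a check that flags when the shell would see more than the intended words, and the hardened pattern (allowlist validation plus argv-style execution with no shell).

```python
import re
import shlex
import subprocess

# Hypothetical management-API handler. The request parameter name ("host") and the
# command ("ping") are constructed for illustration only; they are not from LoadMaster.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_command_line(host: str) -> str:
    """BEFORE: the raw request parameter is spliced into a shell command string.
    If this string is handed to subprocess.run(..., shell=True), any shell
    metacharacter inside `host` changes which commands actually execute."""
    return "ping -c 1 " + host


def shell_would_see_extra_words(cmdline: str) -> bool:
    """Review/detection helper: the handler intends exactly four words
    (ping, -c, 1, host). Flag the line if a shell separator or substitution
    character is present, or if POSIX tokenisation yields a different word count."""
    if re.search(r"[;&|`$()<>\n]", cmdline):
        return True
    return len(shlex.split(cmdline)) != 4


def validate_host(host: str) -> str:
    """Allowlist validation: accept only hostname characters, reject all else.
    This is the 'sanitizing request user input' step, done as an allowlist
    rather than a denylist so unknown metacharacters cannot slip through."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host parameter rejected by allowlist")
    return host


def hardened_command(host: str) -> list[str]:
    """AFTER: the validated value is one discrete argv element. Passing a list with
    shell=False means no shell ever parses the user-supplied text."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str) -> int:
    """Execute the hardened form; returns the process exit code."""
    result = subprocess.run(hardened_command(host), shell=False,
                            check=False, capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample input: a plain hostname passes, anything else is rejected.
    print("vulnerable string:", vulnerable_command_line("example.com"))
    print("hardened argv:    ", hardened_command("example.com"))
    try:
        hardened_command("example.com;echo")
    except ValueError as exc:
        print("rejected:", exc)
```

The key design point is that validation and execution are separated: even if the allowlist were later loosened, `hardened_command` never lets a shell interpret the parameter, so a single missed character does not become command execution.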

Update Details

To benefit from this security enhancement, customers should apply the add-on package listed in the table below as soon as possible. The add-on package can be installed on any release of LoadMaster, even if support for the unit has expired.

Product                   Affected Versions                   Patched Versions                      Release Date
LoadMaster                7.2.60.0 and all prior versions     Add-on Package, XML validation file   Sep 03 2024
Multi-Tenant Hypervisor   7.1.35.11 and all prior versions    Add-on Package, XML validation file   Sep 03 2024

Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:

  • The individual instantiated LoadMaster VNFs are vulnerable and must be patched using the add-on listed above as soon as possible.
  • Note that the MT hypervisor or Manager node is also vulnerable and must be patched using the add-on listed above as soon as possible.

Download the add-on using the links above and install it using the controls on the System Configuration > System Administration > Update Software UI page.

We also strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract. If you don't have an active support contract, please contact your Sales Account Manager.



Comments


James Parker

Doesn't allow installation on the free version, and the available download for the free version is still vulnerable to this issue.

0


Antoine Rosset

Nothing is said in this article about LTS and LTSF branches. Are these affected?

Only a patch for GA is provided.

0


Mark Hoffmann

Hi Antoine,

The article says 7.2.60.0 and all prior versions, so LTSF and LTS are affected.

Also, this is not a branch-specific "patch". It is an add-on package that, as the announcement says, can be installed on all prior versions, which includes LTSF and LTS. There is a link to a document that describes how to install an add-on package.

I hope this helps.

Mark

0


Dmitry Dovnar

Does 7.2.60.1 GA, recently released on Sep 12, include a fix for this?

0


Dmitry Dovnar

Ignore the inquiry; the release notes confirmed that it does include the fix, thanks!

https://support.kemptechnologies.com/hc/en-us/articles/29953076306573-Release-Notice-LoadMaster-LMOS-7-2-60-1

0