LoadMaster Security Vulnerability CVE-2024-7591
This article describes a LoadMaster security vulnerability that affects all LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-7591 for the official description.
We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to announcement notifications via the Support Portal to receive timely notifications for important product updates.
This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.
Fix for CVE-2024-7591
It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing user input in requests so that it can no longer be used to execute arbitrary system commands.
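The general shape of this bug class and of the fix described above, shown as an added illustration that is not LoadMaster code (the advisory does not disclose the affected endpoint, parameter or code path; the "iface" parameter, the `ip addr show` command and the handler below are hypothetical). The vulnerable form interpolates request input into a shell command line; the hardened form validates the value against an allowlist and passes it as a single argv element with no shell involved.

```python
from __future__ import annotations

import re
import subprocess
from urllib.parse import parse_qs

# Constructed example: a management endpoint that takes a network interface
# name from the query string and shells out to inspect it. The endpoint, the
# parameter name "iface" and the command are assumptions for illustration;
# they are not the LoadMaster parameter or code path behind CVE-2024-7591.


def _iface_param(query_string: str) -> str:
    """Extract the (URL-decoded) 'iface' parameter, '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get("iface", [""])[0]


def vulnerable_command(query_string: str) -> str:
    """Return the command line an injectable handler would hand to `sh -c`.

    Attacker-controlled text is interpolated into a shell command line, so
    ';', '|', '&&', backticks or $(...) in the request start a second command.
    """
    return f"ip addr show {_iface_param(query_string)}"


# Allowlist: Linux interface names are at most 15 characters and, for this
# example, must start with a letter and contain only [A-Za-z0-9._-].
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,14}$")


def is_valid_iface(name: str) -> bool:
    """True only if the value matches the interface-name allowlist."""
    return IFACE_RE.fullmatch(name) is not None


def hardened_command(query_string: str) -> list[str]:
    """Validate the parameter, then build an argv list (no shell parsing).

    Raises ValueError for anything outside the allowlist instead of trying to
    strip 'dangerous' characters, which is easy to get wrong.
    """
    iface = _iface_param(query_string)
    if not is_valid_iface(iface):
        raise ValueError(f"rejected interface name: {iface!r}")
    # Each list element is one literal argument; no shell ever re-parses it.
    return ["ip", "addr", "show", iface]


def run_argv(argv: list[str]) -> str:
    """Execute the argv without a shell so metacharacters have no meaning."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # "iface=eth0%3B+id" decodes to "eth0; id"; "iface=%24(id)" decodes to "$(id)".
    for attack in ("iface=eth0%3B+id", "iface=%24(id)"):
        print("vulnerable handler would run:", vulnerable_command(attack))
        try:
            hardened_command(attack)
        except ValueError as err:
            print("hardened handler:", err)
    print("hardened argv for a benign request:", hardened_command("iface=eth0"))
```

The two properties to check in a fix of this kind are that the input is validated against what the field legitimately contains (an allowlist), and that the validated value never reaches a shell string in the first place. Stripping a denylist of metacharacters while still building a `sh -c` command line leaves room for encodings and characters the denylist missed.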
Update Details
To benefit from this security enhancement, customers should apply the add-on package listed in the table below as soon as possible. The add-on package can be installed on any release of LoadMaster, even if support for the unit has expired.
Product | Affected Versions | Patched Versions | Release Date
LoadMaster | 7.2.60.0 and all prior versions | Add-on Package (XML validation file) | Sep 03 2024
Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions | Add-on Package (XML validation file) | Sep 03 2024
Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:
- The individual instantiated LoadMaster VNFs are vulnerable and must be patched using the add-on listed above as soon as possible.
- Note that the MT hypervisor or Manager node is also vulnerable and must be patched using the add-on listed above as soon as possible.
Download the add-on using the links above and install it using the controls on the System Configuration > System Administration > Update Software UI page.
We also strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract. If you don't have an active support contract, please contact your Sales Account Manager.
Comments
Nothing is said in this article about LTS and LTSF branches. Are these affected?
Only a patch for GA is provided.
Hi Antoine,
The article says 7.2.60.0 and all prior versions, so LTSF and LTS are affected.
Also, this is not a branch-specific "patch". It is an add-on package that, as the announcement says, can be installed on all prior versions, which includes LTSF and LTS. There is a link to a document that describes how to install an add-on package.
I hope this helps.
Mark
Does 7.2.60.1 GA, recently released on Sep 12, include a fix for this?
Ignore the inquiry, release notes confirmed that it does include the fix, thanks!
James Parker
Doesn't allow installation on the free version, and the available download for the free version is still vulnerable to this issue.