
LoadMaster Security Vulnerability CVE-2024-8755

This article describes a LoadMaster security vulnerability that affects all current LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-8755 for the official description.

We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.

This notification provides a brief description of the vulnerability and the related enhancements made to close the vulnerability.

Fix for CVE-2024-8755

It is possible for authenticated remote attackers who have access to the LoadMaster management interface and valid LoadMaster credentials to issue a carefully crafted HTTP request that causes arbitrary system commands to be executed. This vulnerability has been closed by sanitizing user-supplied request input so that it can no longer be used to execute arbitrary system commands.
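As an added illustration of the vulnerability class and the fix class described above (this is not LoadMaster code, and the `host` parameter and the `echo` command it runs are assumptions chosen so the example runs harmlessly offline; the real request and parameter behind CVE-2024-8755 are not described on this page): a generic Python handler that splices an HTTP parameter into a shell command line, beside the hardened form that validates the value against an allowlist pattern and invokes the program without a shell.

```python
import re
import subprocess

# Constructed sample inputs (not captured LoadMaster traffic): a benign value and
# one that appends a second shell command after a metacharacter.
BENIGN_HOST = "203.0.113.10"
HOSTILE_HOST = "203.0.113.10; echo INJECTED"

# Allowlist for the hypothetical "host" parameter: RFC 1123 hostname labels, which
# also cover dotted-quad IPv4. Shell metacharacters, spaces and a leading '-' never match.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_unsafe(host: str) -> str:
    """Anti-pattern: request input is interpolated into a command line parsed by /bin/sh.
    A ';' in the parameter terminates our command and starts the attacker's."""
    result = subprocess.run(f"echo host={host}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_no_shell(host: str) -> str:
    """Defence layer 1: pass an argv list and never involve a shell. The whole parameter
    becomes a single literal argument, so ';', '|', '$(...)' etc. are inert. Argument
    injection (a value starting with '-') is still possible, which is why validation
    is layered on top in run_safe()."""
    result = subprocess.run(["echo", f"host={host}"], shell=False, capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """Defence layer 2: reject anything outside the allowlist before it reaches a command."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def run_safe(host: str) -> str:
    """Hardened handler: allowlist validation followed by a shell-free invocation."""
    return run_no_shell(validate_host(host))


if __name__ == "__main__":
    print("unsafe, benign  :", run_unsafe(BENIGN_HOST).rstrip())
    print("unsafe, hostile :", run_unsafe(HOSTILE_HOST).rstrip())   # two lines: command ran
    print("no shell, hostile:", run_no_shell(HOSTILE_HOST).rstrip())  # one literal argument
    print("safe, benign    :", run_safe(BENIGN_HOST).rstrip())
    try:
        run_safe(HOSTILE_HOST)
    except ValueError as exc:
        print("safe, hostile   :", exc)
```

The two defences are independent: the argv form stops command chaining even if validation is bypassed, and the allowlist stops argument injection and unexpected values even if a later code path does use a shell. Patching the vulnerable code path is what the add-on does; this example only shows why "sanitizing request user input" is the right fix and what the hardened shape looks like.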

Update Details

To benefit from this security enhancement, customers should update all deployed LoadMasters by installing the add-on package listed in the table below. Note that the fix included in the add-on package will be included in all future versions.

Product                 | Affected Versions                                                | Patched Versions                    | Public Release Date
LoadMaster              | 7.2.60.1 and all prior versions (including 7.2.54.x and earlier) | Add-on Package; XML validation file | Oct 11 2024
Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions                                 | Same as above                       | Oct 11 2024

Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:

  • The individual instantiated LoadMaster VNFs are vulnerable and must be patched with the add-on package listed above as soon as possible.
  • Note that the MT hypervisor (Manager node) is also vulnerable and should be updated with the same add-on package listed above.

Customers can download the add-on using the links above and install it following the directions in the Knowledge Base article "How to add an addon on Loadmaster" (https://support.kemptechnologies.com/hc/en-us/articles/8503604808973-How-to-add-an-addon-on-Loadmaster). A reboot is required to activate the installed add-on package.

We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract.



Comments

Simon Jennings

Once the add-on is applied, does the LoadMaster need to reboot? Or does it affect live service? Thanks.

Akshit Bhambota

Hello Simon,

Thanks for contacting Loadmaster Support.
Yes, a reboot is required to activate the installed add-on package. I am attaching the link for more details.

How to add an addon on Loadmaster: https://support.kemptechnologies.com/hc/en-us/articles/8503604808973-How-to-add-an-addon-on-Loadmaster


Royal Frazier

The article does not reference the add-on version, only the date it became available on the website. We installed the add-on on the evening of October 11th (the date of release). The installed version is 20240916. On Oct 24th, when I click the add-on link, the version is 20240918.

Is 20240918 the version that specifically addresses this?
or did 20240916 address it?

I'm trying to figure out if we need to implement another round of updates to address CVE-2024-8755.


Mark Hoffmann

Hi and thank you for posting.

AFAIK, there is only one version of the add-on, 20240916. I just downloaded a fresh copy using the link above and the version I get after installation/reboot is 20240916 (see screenshot below). Can you please send a screenshot of what you're seeing.

Mark
