LoadMaster Security Vulnerability CVE-2024-8755
This article describes a LoadMaster security vulnerability that affects all current LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-8755 for the official description.
We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.
This notification provides a brief description of the vulnerability and the related enhancements made to close the vulnerability.
Fix for CVE-2024-8755
It is possible for an authenticated remote attacker who has access to the LoadMaster management interface and valid LoadMaster credentials to issue a carefully crafted HTTP request that causes arbitrary system commands to be executed. This vulnerability has been closed by sanitizing user-supplied request input so that arbitrary system commands can no longer be executed.
Update Details
To benefit from this security enhancement, customers should update all deployed LoadMasters by installing the add-on package listed in the table below. Note that the fix included in the add-on package will be included in all future versions.
Product | Affected Versions | Patched Versions | Public Release Date |
--- | --- | --- | --- |
LoadMaster | 7.2.60.1 and all prior versions (including 7.2.54.x and earlier) | Add-on package | Oct 11 2024 |
Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions | Same as above | Oct 11 2024 |
Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:
- The individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LMOS versions listed above as soon as possible.
- Note that the MT hypervisor or Manager node is also vulnerable and should be updated once a patch is available.
Customers can download the add-on using the links above and install it following the directions in this Knowledge Base article.
We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract.
Comments
Hello Simon,
Thanks for contacting Loadmaster Support.
Yes, the reboot is required to activate the Addon Installed package, attaching the link for more details.
How to add an addon on Loadmaster: https://support.kemptechnologies.com/hc/en-us/articles/8503604808973-How-to-add-an-addon-on-Loadmaster
The article does not reference the AddOn version, only its date of website availability. We installed the addon on the evening of October 11th (date of release). The Installed Version is 20240916. On Oct 24th, when I click the AddOn link, the version is 20240918.
Is 20240918 the version that specifically addresses this?
Or did 20240916 address it?
I'm trying to figure out if we need to implement another round of updates to address CVE-2024-8755.
Hi and thank you for posting.
AFAIK, there is only one version of the add-on, 20240916. I just downloaded a fresh copy using the link above and the version I get after installation/reboot is 20240916 (see screenshot below). Can you please send a screenshot of what you're seeing.
Mark
Simon Jennings
Once applying the add-on, does the Loadmaster need to reboot? Or does it affect live service? Thanks.