Release Notice: LoadMaster 7.2.54.12 LTSF
Release Notice: LoadMaster LMOS 7.2.54.12 LTSF
Release Date: 17 September 2024
LMOS Version 7.2.54.12 is a bug fix update of the LMOS 7.2.54.x Long Term Support Feature (LTSF) branch, made available on 17 September 2024. Notes related to installing the image and a brief content listing are provided below. For full details on all the new features and updates provided, consult the LoadMaster 7.2.54.12 Release Notes.
Release Highlights
Security Issues
Fix for CVE-2024-6658
Command Injection by Authenticated User: It is possible for authenticated, remote attackers who have access to the management interface of LoadMaster (and LoadMaster credentials) to issue a carefully crafted HTTP request using the NetConsole API command that will allow arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands being executed. For more information, refer to the related knowledge base article.
Fix for CVE-2024-7591
Command Injection by Unauthenticated User: It is possible for unauthenticated, remote attackers who have access to the management interface to issue a carefully crafted HTTP request that will allow arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands being executed. [Note that this fix was previously delivered in an add-on patch; the same fix has now been included in this release and will be included in all subsequent releases.] For more information, refer to the related knowledge base article.
Issues Resolved
LM-6682 |
RADIUS Authentication: In previous releases, RADIUS authentication fails against a Windows Server to which Microsoft KB5040430 applied due to an unsupported Attribute Value Pair (AVP). This issue has been fixed by updating the RADIUS client and dictionary to a later version. |
LM-6356 | Single Sign On (SSO): Fixed issues that could cause segfaults to be reported in the logs for the ssomgr, libc.so, or both. |
Download Links:
- Download Current LTSF Version
- To get the latest firmware updates please visit our Firmware Downloads page.
Upgrade Patch XML File Verification Notes
By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.
Note that:
- In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with this release; use the same XML file regardless of the LMOS version from which you are upgrading.
- LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to this release, you can verify the digital signatures offline using a manual process documented on the support website.
If you are currently running LMOS 7.1.x or an earlier version, please see the article Kemp LoadMaster Firmware Upgrade Path for full upgrade path information.
Downgrading to Earlier Versions:
Downgrading to LMOS 7.2.50 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.