How can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster Vulnerabilities

The table below is a list of the security vulnerabilities about which the LoadMaster Support Team gets the most inquires from our customers. If you have a question about a vulnerability not listed below and whether it applies to LMOS, please contact Support.

 

CVE Entry /
Internal ID
Affected
Libraries 
Fixed Version Comments
CVE-2021-41069 N/A 7.2.55.0 Validation has been enhanced for the upload of a Virtual Service Template to the system to close a security vulnerability wherein a carefully constructed file can be uploaded as a template and create unwanted files on the filesystem.
CVE-2021-41068 N/A 7.2.55.0 The system console has been updated to close vulnerabilities present in previous releases that could allow an already authenticated user to obtain a privileged shell.
CVE-2021-33910 N/A N/A Not Vulnerable. This requires the ability to install a kernel module and other programs onto the target system, which is not possible on LMOS.
CVE-2021-33909 N/A N/A Not Vulnerable. The systemd program is not present on LMOS.
CVE-2021-3711 openssl N/A Not Vulnerable. The SM2 ciphers that are the subject of this vulnerability are not supported on any release of LoadMaster.
CVE-2021-3450 openssl N/A Not Vulnerable. This vulnerability affects OpenSSL version 1.1.1h through 1.1.1j, none of which are supported on any release of LMOS. LMOS 7.2.55 supports OpenSSL 1.1.1k, which closes this vulnerability.
CVE-2021-3449 openssl LMOS 7.2.55.0
openssl 1.1.1k

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).

In LMOS 7.2.55, OpenSSL is updated to version 1.1.1k which addresses this issue. Also see this support article.

Also note that in LMOS 7.2.55, the default setting for SSL Renegotiation is now disabled.

CVE-2021-3156 Sudoedit Linux N/A Not Vulnerable. The sudoedit program is not present on LMOS.
CVE-2021-1732 Windows NETLOGON N/A Not Vulnerable. This is Windows-only issue and does not apply to Linux-based systems like LMOS. 
CVE-2020-15598 ModSecurity v3 N/A Not Vulnerable. LMOS uses the ModSecurity v2.9 release line.
CVE-2020-8515 N/A N/A Not Vulnerable.
CVE-2020-1967 N/A N/A Not Vulnerable.
CVE-2020-10029 Glibc N/A Not Vulnerable.
PD-13899 N/A N/A Vulnerability concerning ACLs and Real Servers. Real Servers located on networks on which LoadMaster also has an IP address are always allowed to access Virtual Services that also have an IP address on that network interface regardless of all access control list (ACL) settings on LoadMaster. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
CVE-2019-16905 openssh 7.7,7.9,8.x-  8.1 Not Vulnerable. The vulnerable experimental code is not built as part of LMOS.
CVE-2019-0190 openssl 1.1.1 Not Vulnerable. Relevant only to an Apache servers.
CVE-2019-1551 openssl 1.1.1 Not Vulnerable. This exploit requires a 512-bit random key and the default for LMOS is 2K.

CVE-2019-1549

openssl 1.1.1 Not Vulnerable.
CVE-2019-1563 openssl 1.1.1 Not Vulnerable. LMOS does not support PKCS7 or CMS and it always uses a certificate.
CVE-2019-1547 openssl 1.1.1 Not Vulnerable. LMOS only uses the libssl interface, which is indicated to be not vulnerable.

 


  

 


Comments