
Progress has issued a security advisory addressing multiple vulnerabilities affecting all current LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. The vulnerabilities, identified as CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, and CVE-2024-56135, could allow authenticated attackers to execute arbitrary system commands or download sensitive files.
These vulnerabilities stem from improper input validation, enabling attackers with access to the LoadMaster management interface to inject malicious commands via crafted HTTP requests.
"Remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate could issue a carefully crafted HTTP request that allows arbitrary system commands to be executed," the advisory states.
While Progress has not received any reports of these vulnerabilities being exploited, it urges all customers to upgrade their LoadMaster deployments as soon as possible.
The following LoadMaster versions are affected:
- LoadMaster: 7.2.48.12 and all prior versions, 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.55.0 to 7.2.60.1 (inclusive).
- Multi-Tenant LoadMaster: 7.1.35.12 and all prior versions.
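Because the affected set is three separate inclusive ranges plus an open-ended "all prior versions" bound, it is easy to misjudge by eye, and comparing version strings lexicographically gets it wrong (as strings, "7.2.7.0" sorts after "7.2.60.1"). The following script, added here as an illustration and not a Progress tool, encodes the ranges exactly as listed above and runs a constructed inventory of hostnames and firmware versions against them. It only reports whether a version falls inside the listed affected ranges; the article does not give the fixed version numbers, so it does not claim anything is "patched".

```python
"""Check LoadMaster firmware versions against the affected ranges quoted
in the Progress advisory summary above.

Added example code, not part of the advisory or of any Progress tooling.
The hostnames and versions in INVENTORY are constructed sample data.
"""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as listed in the article (inclusive bounds).
# A lower bound of None means "and all prior versions".
AFFECTED: Dict[str, List[Tuple[Optional[str], str]]] = {
    "LoadMaster": [
        (None, "7.2.48.12"),
        ("7.2.49.0", "7.2.54.12"),
        ("7.2.55.0", "7.2.60.1"),
    ],
    "Multi-Tenant LoadMaster": [
        (None, "7.1.35.12"),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '7.2.54.12' into (7, 2, 54, 12) so that comparisons are numeric,
    component by component, rather than lexicographic on the string."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies inside any listed affected range."""
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        lower_ok = low is None or parse_version(low) <= v
        if lower_ok and v <= parse_version(high):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to 'affected' or 'not in listed ranges'.

    'not in listed ranges' deliberately does not mean 'patched': the article
    does not state the fixed builds, and a version sitting in a gap between
    two listed ranges (for example 7.2.48.13) should still be checked against
    the full advisory by hand.
    """
    return {
        host: ("affected" if is_affected(product, version) else "not in listed ranges")
        for host, product, version in inventory
    }


# Constructed sample inventory (hostname, product, firmware version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("lb-edge-01", "LoadMaster", "7.2.54.12"),   # upper bound of 2nd range
    ("lb-edge-02", "LoadMaster", "7.2.60.1"),    # upper bound of 3rd range
    ("lb-edge-03", "LoadMaster", "7.2.60.2"),    # just above the listed ranges
    ("lb-edge-04", "LoadMaster", "7.2.7.0"),     # old build, caught by open lower bound
    ("lb-mt-01", "Multi-Tenant LoadMaster", "7.1.35.12"),
    ("lb-mt-02", "Multi-Tenant LoadMaster", "7.1.35.13"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12s} {status}")
```

Run it as-is to see the sample triage; in practice, feed `triage` a list pulled from your own asset inventory. The open-ended lower bound is what makes the very old 7.2.7.0 build show as affected, which a naive string comparison against "7.2.48.12" would miss.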
Patched versions are available for all affected releases. Users can download the newest firmware and install it following the instructions provided in the Progress Knowledge Base.
For Multi-Tenant LoadMaster (LoadMaster MT), the individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LMOS versions listed in the advisory. The MT hypervisor or Manager node is also vulnerable and should be updated once a patch is available.
Progress has implemented input sanitization to mitigate these vulnerabilities, preventing arbitrary system commands from being executed.