
Don’t let vulnerabilities allow attackers to run harmful code


TLDR:

  • A critical vulnerability, CVE-2024-7591, has been identified in the LoadMaster product line, allowing attackers to execute arbitrary code.
  • Progress has released a patch for the issue, which affects all LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor.

A critical vulnerability has been discovered in the LoadMaster product line, affecting all LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. Identified as CVE-2024-7591, the vulnerability allows unauthorized, remote attackers to execute arbitrary code on affected systems. Although no exploitation of the vulnerability has been reported so far, users are strongly advised to act promptly to secure their systems.

The vulnerability arises from improper input validation on the LoadMaster management interface, which lets attackers send specially crafted HTTP requests that execute arbitrary system commands. To address the flaw, Progress has released an add-on package that sanitizes user input and prevents the execution of arbitrary commands. The patch, which includes an XML validation file, was made available on September 3, 2024, for all affected versions of LoadMaster, irrespective of their support status. Users are encouraged to download the add-on package and install it immediately through the System Configuration > System Administration > Update Software UI page.

In addition to applying the patch, Progress recommends that all customers follow security hardening guidelines to further protect their systems. By adhering to these guidelines and promptly addressing the CVE-2024-7591 vulnerability, LoadMaster users can enhance the security of their systems and minimize potential risks. Progress emphasizes the importance of staying informed about potential vulnerabilities and maintaining robust security protocols to safeguard digital assets as the cybersecurity landscape evolves.

While there have been no confirmed exploits of the CVE-2024-7591 vulnerability, Progress is actively ensuring customer safety by providing timely updates and technical support. Users are urged to subscribe to announcement notifications via the Support Portal to receive the latest product developments. For further assistance, users with a current support contract can reach out to technical support, while those without an active contract are advised to contact their Sales Account Manager for help.
