Progress Software has identified several high-severity security flaws in its LoadMaster technology that could be exploited by malicious actors to execute arbitrary system commands or remove any file from the system.
Kemp LoadMaster is a high-performance application delivery controller (ADC) and load balancer that provides availability, scalability, performance, and security for business-critical applications and websites.
The identified vulnerabilities are listed below:
- CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allow remote malicious actors who gain access to the LoadMaster management interface and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request.
- (CVSS score: 8.4) - An improper input validation vulnerability that allows remote malicious actors who gain access to the LoadMaster management interface and successfully authenticate to remove any file on the system via a carefully crafted HTTP request.
The flaws affect the following versions of the product:
- LoadMaster versions from 7.2.55.0 to 7.2.60.1 (inclusive) - Fixed in 7.2.61.0 (GA)
- LoadMaster versions from 7.2.49.0 to 7.2.54.12 (inclusive) - Fixed in 7.2.54.13 (LTSF)
- LoadMaster version 7.2.48.12 and earlier - Upgrade to LTSF or GA
- Multi-Tenant LoadMaster version 7.1.35.12 and prior - Fixed in 7.1.35.13 (GA)
According to Progress Software, there is no evidence that any of the above vulnerabilities have been exploited in the wild. However, given that threat actors have weaponized previously disclosed LoadMaster flaws in the past, it is crucial that users apply the latest patches for maximum protection.