Progress Software discloses maximum severity LoadMaster flaw – here’s what you need to know


Progress Software has issued a public notice declaring it has fixed a maximum severity security vulnerability affecting its LoadMaster and LoadMaster Multi-Tenant hypervisor software.

LoadMaster is Progress’ load balancer and application delivery controller (ADC), used to provide high availability, security, and scalability for business applications and websites.

The Multi-Tenant hypervisor, meanwhile, is a variant of the LoadMaster software that lets users run multiple load balancer instances on the same piece of hardware.

Disclosed on 4 September, CVE-2024-7591 is a critical improper input validation flaw, rated the maximum 10.0 on the CVSS scale.

An unauthenticated remote attacker who can reach LoadMaster’s management interface could exploit the vulnerability with a specially crafted HTTP request and execute arbitrary system commands on the appliance. No credentials are required, so the practical precondition is simply network access to the management interface.

Progress noted this vulnerability has been closed by “sanitizing request user input to mitigate arbitrary system commands execution”.

The affected products include LoadMaster 7.2.60.0 and all its prior versions, as well as Multi-Tenant 7.1.35.11 and all prior versions.

A Progress employee confirmed the Long-Term Support (LTS) and Long-term Support with Feature (LTSF) iterations of LoadMaster were also impacted by the issue.
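The version cut-offs reported above (LoadMaster 7.2.60.0 and earlier, Multi-Tenant 7.1.35.11 and earlier, with LTS and LTSF builds also in scope) are easy to mis-compare by hand, because dotted version strings do not sort as plain text. The following script is an added example for triaging an inventory against those cut-offs; it is not Progress code, and the product labels, host names, and version numbers in the sample inventory are constructed for the illustration.

```python
"""Triage LoadMaster builds against the affected range reported for CVE-2024-7591.

Added illustration, not Progress code. The cut-offs are the ones stated in the
bulletin as reported above; everything else (product keys, sample hosts) is
constructed for this example.
"""
from typing import List, Tuple

# Last affected version per product, taken from the bulletin as reported.
LAST_AFFECTED = {
    "loadmaster": (7, 2, 60, 0),
    "multi-tenant": (7, 1, 35, 11),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.59.2' into (7, 2, 59, 2).

    Short strings are zero-padded so '7.2.60' compares equal to '7.2.60.0';
    tuples of ints compare component-wise, which is what a version compare
    needs (a string compare would rank '7.2.9' above '7.2.60').
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True if the build is inside the range the bulletin lists as affected."""
    key = product.strip().lower()
    if key not in LAST_AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) <= LAST_AFFECTED[key]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, product, version, affected) for each inventory entry."""
    return [(host, product, ver, is_affected(product, ver)) for host, product, ver in inventory]


# Constructed sample inventory: host names and versions are made up.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "LoadMaster", "7.2.60.0"),    # exactly the cut-off: affected
    ("lb-edge-02", "LoadMaster", "7.2.61.0"),    # above the listed range
    ("lb-lts-01", "LoadMaster", "7.2.54.8"),     # LTS numbering is lower: affected
    ("mt-host-01", "Multi-Tenant", "7.1.35.11"), # exactly the cut-off: affected
    ("mt-host-02", "Multi-Tenant", "7.1.35.12"), # above the listed range
]

if __name__ == "__main__":
    for host, product, ver, affected in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {product:13} {ver:10} {'AFFECTED' if affected else 'not in listed range'}")
```

The script only answers whether a build sits inside the range the bulletin lists. Because the fix is delivered as an add-on that installs on any release, the version string alone does not show whether a given unit has actually been mitigated; that has to be confirmed on the appliance itself.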

The firm also spelled out how its Multi-Tenant software is affected.

“The individual instantiated LoadMaster VNFs are vulnerable and must be patched using the add-on listed above as soon as possible,” the bulletin stated. “Note that the MT hypervisor or Manager node is also vulnerable and must be patched using the add-on listed above as soon as possible.”

Progress Software looks to calm user concerns

Progress reassured users that it was not aware of any in-the-wild exploitation of the flaw and said it had not received any reports of direct impact to customers.

Nevertheless, the firm urged businesses to upgrade their LoadMaster implementations as soon as possible to reduce their exposure.

Progress has released the fix as an add-on package, described as an XML validation file, which it said can be installed on any release of its LoadMaster software, even if support for the specific unit has expired.

It also recommended following its ‘security hardening guidelines’, which walk through how to configure the software to improve the security of business applications.

As one user noted in the comment section of the security bulletin, the add-on mitigating CVE-2024-7591 cannot be installed on the free version of LoadMaster, and the free version available for download was still vulnerable to the issue at the time of writing.

Solomon Klappholz
Staff Writer