Progress Software addresses six new security vulnerabilities affecting its WhatsUp Gold product, two of them rated as critical severity.
Progress Software has addressed six new security vulnerabilities in its IT infrastructure monitoring product WhatsUp Gold.
“The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1. We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20.” reads the advisory. “If you are running a version older than 24.0.1 and you do not upgrade, your environment will remain vulnerable. Please take the following steps as soon as possible:
- Download the WhatsUp Gold 24.0.1 installer from https://community.progress.com/s/products-list
- Run the installer on your WhatsUp Gold server and follow the prompts.”
Two of the vulnerabilities fixed by Progress, respectively tracked as CVE-2024-8785 and CVE-2024-46909, are rated as critical severity.
CVE-2024-8785 (CVSS score of 9.8) was reported by Trend Micro researcher Andy Niu, while CVE-2024-46909 (CVSS score of 9.8) was reported by Tenable.
Below are the other vulnerabilities addressed by the company:
- CVE-2024-46905 (CVSS score: 8.8)
- CVE-2024-46906 (CVSS score: 8.8)
- CVE-2024-46907 (CVSS score: 8.8)
- CVE-2024-46908 (CVSS score: 8.8)
The company addressed the issues with version 24.0.1, released on September 20, 2024. The company has yet to disclose technical details about the vulnerabilities, and it is unclear whether they are being actively exploited in attacks in the wild.
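The advisory's remediation step is simply "upgrade to 24.0.1 or later", which in practice means checking an asset inventory for installs that are still below that release. The following version-comparison check is an added example written for this article, not tooling from Progress Software; the hostnames and inventory rows are constructed placeholders, and only the fixed version 24.0.1 is taken from the advisory. It parses dotted versions numerically so that "9.0.5" is correctly ranked below "24.0.1" (a plain string comparison would get that backwards), pads short versions such as "24.0", and tolerates trailing build annotations.

```python
"""Flag WhatsUp Gold installs that are below the fixed release named in the advisory.

Added example; not Progress Software's tooling. The inventory rows below are
constructed sample data and the hostnames are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = "24.0.1"  # release named in the Progress advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Plain string comparison gets this wrong ("9.0.5" > "24.0.1" as strings),
    so every component is converted to an int. Anything after the first
    space or dash (e.g. "24.0.1 build 1234") is treated as build metadata
    and ignored.
    """
    core = re.split(r"[\s-]", text.strip(), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def is_below(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts before `fixed`; shorter tuples are zero-padded."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass(frozen=True)
class Host:
    name: str
    version: str


def hosts_needing_upgrade(inventory: list[Host], fixed: str = FIXED_VERSION) -> list[str]:
    """Return the names of hosts whose WhatsUp Gold version is below `fixed`."""
    return [h.name for h in inventory if is_below(h.version, fixed)]


# Constructed sample inventory (placeholder hostnames, illustrative versions)
SAMPLE_INVENTORY = [
    Host("wug-prod-01.example", "23.1.0"),
    Host("wug-prod-02.example", "24.0.1"),
    Host("wug-lab-01.example", "24.0"),
    Host("wug-lab-02.example", "9.0.5"),
    Host("wug-dr-01.example", "24.0.1 build 1234"),
]

if __name__ == "__main__":
    for name in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{name}: below {FIXED_VERSION}, upgrade required")
```

Feed it the version column from whatever inventory or CMDB export you actually have; the point of the helper is that the comparison is numeric and component-wise, so a host reporting "24.0" is still flagged while "24.0.1 build 1234" is not.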
In mid-September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Progress WhatsUp Gold SQL injection vulnerability, tracked as CVE-2024-6670, to its Known Exploited Vulnerabilities catalog. An unauthenticated attacker could trigger this vulnerability to retrieve the users’ encrypted password. The flaw impacts WhatsUp Gold versions released before 2024.0.0.
WhatsUp Gold customers are advised to address the above vulnerabilities as soon as possible.