Networking gear major Cisco has rolled out software updates to handle many critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Application that could let an attacker to complete command injection attacks, execute arbitrary code, and get entry to delicate information.
In a series of advisories posted on May well 5, the company said there are no workarounds that remediate the concerns.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), influence all Cisco gadgets working HyperFlex HX software versions 4., 4.5, and these prior to 4.. Arising due to inadequate validation of person-supplied enter in the internet-based mostly administration interface of Cisco HyperFlex HX Data Platform, the flaws could empower an unauthenticated, distant attacker to conduct a command injection attack from a susceptible product.
“An attacker could exploit this vulnerability by sending a crafted request to the world-wide-web-based management interface,” the organization stated in its inform. “A prosperous exploit could allow for the attacker to execute arbitrary instructions” either as a root or tomcat8 user.
Cisco also squashed five glitches impacting SD-WAN vManage Software program (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that could allow an unauthenticated, remote attacker to execute arbitrary code or achieve entry to delicate information and facts, or permit an authenticated, regional attacker to acquire escalated privileges or attain unauthorized accessibility to the software.
Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX, while 4 of the SD-WAN vManage bugs have been identified during inside protection screening, with CVE-2021-1275 uncovered during the resolution of a Cisco Specialized Help Heart (TAC) help situation.
When there is no proof of destructive use of the vulnerabilities in the wild, it truly is suggested that users upgrade to the hottest version to mitigate the threat linked with the flaws.
VMware Fixes Crucial vRealize Company for Cloud Bug
It is really not just Cisco. VMware on Wednesday launched patches to resolve a significant severity flaw in vRealize Organization for Cloud 7.6 that allows unauthenticated attackers to execute malicious code on susceptible servers remotely.
The remote code execution flaw (CVE-2021-21984, CVSS score: 9.8) stems from an unauthorized VAMI endpoint, resulting in a state of affairs that could cause an adversary with community access to operate unauthorized code on the appliance. Impacted consumers can rectify the difficulty by setting up the security patch ISO file.
Vmware credited Egor Dimitrenko of Good Technologies for reporting the vulnerability.