Networking gear main Cisco has rolled out software program updates to handle a number of crucial vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software program that might permit an attacker to carry out command injection assaults, execute arbitrary code, and acquire entry to delicate data.
In a collection of advisories revealed on Might 5, the corporate stated there are not any workarounds that remediate the problems.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), have an effect on all Cisco gadgets operating HyperFlex HX software program variations 4.0, 4.5, and people previous to 4.0. Arising attributable to inadequate validation of user-supplied enter within the web-based administration interface of Cisco HyperFlex HX Knowledge Platform, the issues might allow an unauthenticated, distant attacker to carry out a command injection assault towards a susceptible system.
“An attacker might exploit this vulnerability by sending a crafted request to the web-based administration interface,” the corporate said in its alert. “A profitable exploit might permit the attacker to execute arbitrary instructions” both as a root or tomcat8 person.
Cisco additionally squashed five glitches affecting SD-WAN vManage Software program (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that might allow an unauthenticated, distant attacker to execute arbitrary code or acquire entry to delicate data, or permit an authenticated, native attacker to achieve escalated privileges or acquire unauthorized entry to the applying.
Nikita Abramov and Mikhail Klyuchnikov of Constructive Applied sciences have been credited with reporting the HyperFlex HX, whereas 4 of the SD-WAN vManage bugs had been recognized throughout inside safety testing, with CVE-2021-1275 uncovered in the course of the decision of a Cisco Technical Help Heart (TAC) assist case.
Whereas there is no such thing as a proof of malicious use of the vulnerabilities within the wild, it is really useful that customers improve to the most recent model to mitigate the chance related to the issues.
VMware Fixes Important vRealize Enterprise for Cloud Bug
It isn’t simply Cisco. VMware on Wednesday launched patches to repair a critical severity flaw in vRealize Enterprise for Cloud 7.6 that allows unauthenticated attackers to execute malicious code on susceptible servers remotely.
The distant code execution flaw (CVE-2021-21984, CVSS rating: 9.8) stems from an unauthorized VAMI endpoint, leading to a state of affairs that might trigger an adversary with community entry to run unauthorized code on the equipment. Affected clients can rectify the problem by installing the safety patch ISO file.
Vmware credited Egor Dimitrenko of Constructive Applied sciences for reporting the vulnerability.