Networking devices significant Cisco has rolled out software updates to tackle several critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software program that could permit an attacker to perform command injection attacks, execute arbitrary code, and achieve entry to delicate data.
In a collection of advisories posted on May possibly 5, the corporation explained there are no workarounds that remediate the issues.
The HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), have an impact on all Cisco equipment working HyperFlex HX computer software variations 4., 4.5, and individuals prior to 4.. Arising because of to inadequate validation of consumer-provided enter in the web-based management interface of Cisco HyperFlex HX Knowledge Platform, the flaws could enable an unauthenticated, distant attacker to execute a command injection attack towards a vulnerable machine.
“An attacker could exploit this vulnerability by sending a crafted ask for to the web-dependent administration interface,” the company explained in its notify. “A successful exploit could make it possible for the attacker to execute arbitrary commands” possibly as a root or tomcat8 consumer.
Cisco also squashed five glitches impacting SD-WAN vManage Computer software (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that could permit an unauthenticated, distant attacker to execute arbitrary code or gain entry to delicate info, or make it possible for an authenticated, area attacker to attain escalated privileges or achieve unauthorized accessibility to the software.
Nikita Abramov and Mikhail Klyuchnikov of Beneficial Systems have been credited with reporting the HyperFlex HX, whereas 4 of the SD-WAN vManage bugs have been discovered for the duration of inside security tests, with CVE-2021-1275 uncovered throughout the resolution of a Cisco Technical Aid Heart (TAC) help circumstance.
When there is no evidence of malicious use of the vulnerabilities in the wild, it truly is recommended that buyers improve to the most recent variation to mitigate the risk affiliated with the flaws.
VMware Fixes Critical vRealize Small business for Cloud Bug
It can be not just Cisco. VMware on Wednesday introduced patches to fix a critical severity flaw in vRealize Organization for Cloud 7.6 that allows unauthenticated attackers to execute malicious code on vulnerable servers remotely.
The remote code execution flaw (CVE-2021-21984, CVSS rating: 9.8) stems from an unauthorized VAMI endpoint, ensuing in a state of affairs that could trigger an adversary with network access to operate unauthorized code on the appliance. Influenced shoppers can rectify the issue by installing the security patch ISO file.
Vmware credited Egor Dimitrenko of Good Technologies for reporting the vulnerability.
Identified this report appealing? Observe THN on Fb, Twitter and LinkedIn to study much more exceptional content material we submit.
Some pieces of this write-up are sourced from: