Cisco HyperFlex web interface has critical flaw that lets attackers get root and execute arbitrary commands

You know the drill: shake your head in disbelief, then figure out if patching will wipe out a weekend or be merely inconvenient


Cisco has revealed a pair of critical bugs in its HyperFlex hyperconverged infrastructure product.

CVE-2021-1497 impacts the HyperFlex HX Installer Virtual Machine and means an unauthenticated, remote attacker could perform a command injection attack on a web management console that gives them root access and allows them to execute arbitrary commands on an affected device.

CVE-2021-1498 also allows command injection on the management interface, but the injected commands run as the tomcat8 user rather than root. Again, execution of arbitrary commands is on offer.

Cisco’s advisory gives the same explanation for both flaws:

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface.

CVE-2021-1497 is rated 9.8 on the ten-point Common Vulnerability Scoring System. CVE-2021-1498 is a mere 7.3.

HyperFlex versions pre-4.0, 4.0, and 4.5 are all impacted by one or both flaws. Migration to a patched version of the software is the fix.

Cisco pitches HyperFlex as multi-hypervisor converged infrastructure that can run in the mightiest data centre or weirdest edge location. The HX Installer VM is used to install and manage VMs, so the flaws give a miscreant enormous potential to go on a rampage.

Thankfully, Cisco says it’s not seen the flaws exploited in the wild. Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies reported the vulnerabilities. ®
