Weaknesses in Cisco's HyperFlex hyperconverged data-center gear could allow command-injection exploits. Credit: Getty Images Cisco this week identified two “High” security vulnerabilities in its HyperFlex data-center package that could let attackers gain control of the system. HyperFlex is Cisco’s hyperconverged infrastructure that offers computing, networking and storage resources in a single system. The more critical of the two warnings – an 8.8 on Cisco’s severity scale of 1-10 – is a command-injection vulnerability in the cluster service manager of Cisco HyperFlex Software that could let an unauthenticated, attacker execute commands as the root user. “An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process,” Cisco wrote in its Security Advisory. Cisco says that the vulnerability is due to insufficient input validation in Cisco HyperFlex software releases prior to 3.5. Such input can impact the control flow or data flow of a program and cause a number of resource control problems. Cisco has released a software update to address this vulnerability and said that there are no other workarounds to address this exposure. The second vulnerability – rated 8.1 on Cisco’s scale – is a snafu in the hxterm service of Cisco HyperFlex Software that could let an attacker connect to the service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster in Cisco HyperFlex software releases prior to 3.5, according to the security advisory. Cisco said has released software updates that address both vulnerabilities. Customers can download it from Cisco. Cisco also released three other “Medium” level threats around Hyperflex software having to do with cross-site scripting (XSS), arbitrary data and Graphite service weaknesses. But it offered no workarounds nor patches for those problems. Cisco recently expanded its hyperconverged package with HyperFlex for Branch or Hyperflex 4.0, which will let customers extend the system to branch offices or the edge of a customer network. In other words it moves data-center-class application performance and management to branch offices and remote sites, enabling analytics and intelligent services at the enterprise edge, Cisco said. The Hyperflex vulnerabilities were part of a 17 item dump of Security Advisories and Alerts issued by the company. Related content news Sovereign cloud demand booms in APAC amid geopolitical tensions Global spending on sovereign cloud solutions is expected to surpass $250 billion by 2027, according to IDC. By Gyana Swain Apr 29, 2024 4 mins Cloud Computing news Hitachi Vantara launches unified storage platform Virtual Storage Platform One provides on-premises and cloud storage of both structured and unstructured data. By Andy Patrizio Apr 26, 2024 2 mins Enterprise Storage Data Center analysis Extreme demos AI-based network assistant Extreme AI Expert can answer network questions, troubleshoot operations, and create alerts for conditions such as network degradation or Wi-Fi dead spots. By Michael Cooney Apr 25, 2024 4 mins Network Management Software news Cradlepoint unveils 5G SASE platform for mobile, distributed environments NetCloud SASE integrates cellular SD-WAN and security capabilities into a cloud-based platform to secure and mitigate risk across managed and unmanaged devices. By Denise Dubie Apr 24, 2024 3 mins 5G SASE SD-WAN PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe