Weaknesses in Cisco's HyperFlex hyperconverged data-center gear could allow command-injection exploits. Credit: Getty Images Cisco this week identified two “High” security vulnerabilities in its HyperFlex data-center package that could let attackers gain control of the system. HyperFlex is Cisco’s hyperconverged infrastructure that offers computing, networking and storage resources in a single system. The more critical of the two warnings – an 8.8 on Cisco’s severity scale of 1-10 – is a command-injection vulnerability in the cluster service manager of Cisco HyperFlex Software that could let an unauthenticated, attacker execute commands as the root user. “An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process,” Cisco wrote in its Security Advisory. Cisco says that the vulnerability is due to insufficient input validation in Cisco HyperFlex software releases prior to 3.5. Such input can impact the control flow or data flow of a program and cause a number of resource control problems. Cisco has released a software update to address this vulnerability and said that there are no other workarounds to address this exposure. The second vulnerability – rated 8.1 on Cisco’s scale – is a snafu in the hxterm service of Cisco HyperFlex Software that could let an attacker connect to the service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster in Cisco HyperFlex software releases prior to 3.5, according to the security advisory. Cisco said has released software updates that address both vulnerabilities. Customers can download it from Cisco. Cisco also released three other “Medium” level threats around Hyperflex software having to do with cross-site scripting (XSS), arbitrary data and Graphite service weaknesses. But it offered no workarounds nor patches for those problems. Cisco recently expanded its hyperconverged package with HyperFlex for Branch or Hyperflex 4.0, which will let customers extend the system to branch offices or the edge of a customer network. In other words it moves data-center-class application performance and management to branch offices and remote sites, enabling analytics and intelligent services at the enterprise edge, Cisco said. The Hyperflex vulnerabilities were part of a 17 item dump of Security Advisories and Alerts issued by the company. Related content how-to Doing tricks on the Linux command line Linux tricks can make even the more complicated Linux commands easier, more fun and more rewarding. By Sandra Henry-Stocker Dec 08, 2023 5 mins Linux news TSMC bets on AI chips for revival of growth in semiconductor demand Executives at the chip manufacturer are still optimistic about the revenue potential of AI, as Nvidia and its partners say new GPUs have a lead time of up to 52 weeks. By Sam Reynolds Dec 08, 2023 3 mins CPUs and Processors CPUs and Processors Technology Industry news End of road for VMware’s end-user computing and security units: Broadcom Broadcom is refocusing VMWare on creating private and hybrid cloud environments for large enterprises and divesting its non-core assets. By Sam Reynolds Dec 08, 2023 3 mins Mergers and Acquisitions Industry news analysis IBM cloud service aims to deliver secure, multicloud connectivity IBM Hybrid Cloud Mesh is a multicloud networking service that includes IT discovery, security, monitoring and traffic-engineering capabilities. By Michael Cooney Dec 07, 2023 3 mins Network Security Network Security Network Security Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe