Cisco has patched another critical vulnerability in its Unified Computing System Performance Manager software.
Cisco UCS Performance Manager is a data center operations management solution that unifies the monitoring of key applications, business services, and integrated infrastructures across dynamic, heterogeneous, physical, and virtual Cisco UCS-powered data centers.
The vulnerability exists in the software’s web framework and stems from insufficient validation of parameters passed in HTTP GET requests.
“An attacker could exploit this vulnerability by sending crafted HTTP GET requests to an affected system. An exploit could allow the attacker to execute arbitrary commands with the privileges of the root user,” Cisco warns.
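The advisory describes a bug class rather than a specific code path, so the following is an added illustration of that class, not Cisco's code and not the actual UCS Performance Manager flaw: a hypothetical web handler that takes a `host` GET parameter and hands it to a shell, beside a hardened version that allowlists the value and invokes the tool without a shell. The handler names, the `host` parameter and the use of `echo` in place of a real diagnostic tool are all assumptions made for the example; the query strings are constructed.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allowlist for a hostname-like value: alphanumerics, dots and hyphens,
# must start and end with an alphanumeric (so "-n" style option injection
# is rejected too). Assumed policy for this example.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def query_param(query_string, name):
    """Return the first value of a GET parameter, URL-decoded, or None."""
    values = parse_qs(query_string, keep_blank_values=True).get(name)
    return values[0] if values else None


def vulnerable_handler(query_string):
    """Insufficient validation: the parameter is spliced into a shell
    command line, so shell metacharacters in it become new commands.
    `echo` stands in for whatever diagnostic the real service would run;
    the defect is building a string and passing shell=True."""
    host = query_param(query_string, "host")
    if host is None:
        return "missing host"
    result = subprocess.run(f"echo checking {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def hardened_handler(query_string):
    """Validate against an allowlist, then pass an argument vector with
    shell=False so the value is never interpreted by a shell."""
    host = query_param(query_string, "host")
    if host is None or not HOSTNAME_RE.fullmatch(host):
        return "rejected"
    result = subprocess.run(["echo", "checking", host], shell=False,
                            capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    benign = "host=example.com"
    # Constructed payload: %7C is "|", %20 is a space. After URL decoding the
    # vulnerable handler runs `echo checking x|echo INJECTED` under sh -c.
    crafted = "host=x%7Cecho%20INJECTED"
    print("vulnerable, benign :", vulnerable_handler(benign))
    print("vulnerable, crafted:", vulnerable_handler(crafted))
    print("hardened,   benign :", hardened_handler(benign))
    print("hardened,   crafted:", hardened_handler(crafted))
```

Two points the example makes that the advisory text only implies: the crafted value reaches the handler already URL-decoded, so the metacharacters are live by the time the command string is built; and dropping the shell is not enough on its own, because a value such as `-n` would still be parsed as an option by the invoked tool, which is why the allowlist check precedes the call. When such a handler runs as root, as the advisory describes, the injected command inherits that privilege.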
There is no indication that the flaw is being exploited by attackers in the wild.
No workarounds are available for addressing this flaw, so admins are advised to upgrade to version 2.0.1 of the software as soon as possible.
The vulnerability was discovered by IT security expert Gregory Draperi, who works for the Adidas Group.
He found a similar one in April, and two more since July 2015. They’ve all been reported to and dutifully patched by Cisco.