What is Cisco HyperFlex HX Data Platform?
Cisco HyperFlex is Cisco's hyperconverged infrastructure (HCI) platform for enterprise data centers, integrating compute, storage, and networking managed by the HX Data Platform software layer. The HX Data Platform runs on each node in a HyperFlex cluster and exposes a web management API used for cluster administration, node monitoring, and configuration management. Unlike the Installer VM (used only during initial setup), the HX Data Platform management interface is a persistent service that remains running throughout the cluster's operational lifetime. See also CVE-2021-1497 for the companion vulnerability in the HyperFlex Installer VM that achieves root code execution.
Overview
CVE-2021-1498 is an OS command injection vulnerability (CWE-78) in the web-based management service of the Cisco HyperFlex HX Data Platform. The management API accepts parameters for cluster configuration and health monitoring that are passed to OS commands without proper input sanitization. An unauthenticated remote attacker can inject arbitrary OS commands via malformed API requests, achieving code execution as the tomcat8 user on the affected node. This vulnerability was addressed in the same Cisco Security Advisory as CVE-2021-1497 (cisco-sa-hyperflex-rce-TjjNrkpR). While CVE-2021-1498 runs as tomcat8 rather than root, the tomcat service account typically has extensive access to HyperFlex cluster data and can be leveraged for further privilege escalation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| HyperFlex HX Data Platform 4.0(x) | Yes | 4.0(2b) |
| HyperFlex HX Data Platform 4.5(x) | Yes | 4.5(1a) |
| HyperFlex HX Data Platform 3.5(x) and earlier | Yes | See Cisco advisory |
Technical Details
The HyperFlex HX Data Platform exposes a web management API (served by Apache Tomcat) for cluster administration. API endpoints that handle cluster configuration and management tasks pass user-supplied parameters to OS-level commands:
- Root cause: OS command injection (CWE-78) — the Data Platform web service passes user-supplied parameters to shell commands without filtering shell metacharacters
- Injection vector: Crafted API POST requests containing shell metacharacters in parameter values trigger execution of attacker-specified commands
- Authentication required: None — the API endpoints are accessible without authentication in the vulnerable versions
- Execution context: Commands execute as the tomcat8 user (the Apache Tomcat web server process account), not root
- Distinction from CVE-2021-1497: This vulnerability targets the persistent HX Data Platform management service rather than the temporary Installer VM; it executes as tomcat8 rather than root, but the Data Platform API service has broader access to cluster state than the Installer VM
- Post-exploitation potential: The tomcat8 account has access to HyperFlex cluster configuration files, credentials, and cluster API tokens that can be used for privilege escalation to cluster administrator access
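The root cause above, shown as an added illustration of the CWE-78 pattern and its fix; this is not HyperFlex code. The `cluster-helper` command, the node-name parameter and its allow-list are hypothetical, and the helper process is a stand-in that echoes its argument.

```python
import re
import subprocess
import sys

# Hypothetical stand-in for an OS command a management API might call.
# It echoes its first argument back so the example runs anywhere.
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Assumed allow-list for a "node name" parameter: letters, digits, dot, dash.
NODE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def unsafe_command_line(node: str) -> str:
    """The CWE-78 pattern: user input concatenated into a shell string.

    Returned rather than executed. A shell would treat ';', '|', '&',
    '$()' and backticks inside `node` as syntax, not as data.
    """
    return "cluster-helper --node " + node


def run_without_shell(node: str) -> str:
    """Pass the value as a single argv element; no shell ever parses it."""
    result = subprocess.run(
        HELPER + [node], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


def run_validated(node: str) -> str:
    """Defence in depth: allow-list check first, then argv-style execution."""
    if not NODE_NAME.fullmatch(node):
        raise ValueError("rejected node name")
    return run_without_shell(node)
```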
Discovery
Reported to Cisco by external security researchers alongside CVE-2021-1497. Cisco PSIRT coordinated disclosure and released patches in May 2021 addressing both vulnerabilities simultaneously.
Exploitation Context
The HyperFlex HX Data Platform management interface is a persistent attack surface on all deployed HyperFlex nodes. Unlike the Installer VM (which can be powered off after setup), the Data Platform interface is required for ongoing cluster management. Organizations that expose HyperFlex management interfaces to untrusted networks are vulnerable. Access via tomcat8 provides sufficient footing to read cluster configuration, harvest credentials stored in configuration files, and interact with the HyperFlex REST API to affect cluster operations.
Remediation
- Apply patches per Cisco Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR — update HyperFlex HX Data Platform to 4.0(2b), 4.5(1a), or later
- Restrict network access to HyperFlex management interfaces to authorized administrator workstations only — use firewall ACLs or network segmentation
- The HyperFlex management API should never be accessible from the open internet or untrusted network segments
- Review HyperFlex API access logs for unexpected requests containing shell metacharacters or abnormal parameter values
- Audit cluster configuration files and credentials after patching to determine whether sensitive data was accessed
- Rotate HyperFlex administrative credentials, vCenter service account credentials, and any secrets stored in cluster configuration files
- Apply this patch in conjunction with the fix for the companion CVE-2021-1497 (Installer VM root RCE) — both are addressed in the same advisory
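One way to carry out the log review step above, as an added example that is not Cisco tooling. It assumes the access log uses Tomcat's "common" AccessLogValve pattern; the sample lines, hosts, paths and parameter names are constructed placeholders. Access logs in this format record only the request line, so parameters sent in POST bodies need a separate capture source.

```python
import re
from urllib.parse import unquote_plus

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters and sequences a shell treats as syntax rather than data.
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$\(|\$\{")

# Constructed sample lines; hosts, paths and parameters are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2021:10:00:01 +0000] "GET /example/health?node=hx-node-01 HTTP/1.1" 200 512
198.51.100.7 - - [06/May/2021:10:00:07 +0000] "POST /example/config?name=a%3Becho+test HTTP/1.1" 200 0
198.51.100.7 - - [06/May/2021:10:00:09 +0000] "POST /example/config?name=%24%28hostname%29 HTTP/1.1" 500 0
192.0.2.10 - - [06/May/2021:10:00:12 +0000] "GET /example/list?page=2&sort=name HTTP/1.1" 200 90
"""


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value holds shell syntax."""
    _, _, query = target.partition("?")
    hits = []
    # Split on '&' before decoding so an encoded %26 stays inside its value.
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if SHELL_META.search(value):
            hits.append((unquote_plus(name), value))
    return hits


def triage(log_text):
    """Return one finding per log line that carries a suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"host": m["host"], "time": m["time"],
                             "method": m["method"],
                             "status": int(m["status"]), "params": hits})
    return findings
```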
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-1498 |
| Vendor / Product | Cisco — HyperFlex HX |
| NVD Published | 2021-05-06 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-05-05 | Cisco releases patches for CVE-2021-1497 and CVE-2021-1498; Cisco Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR published |
| 2021-05-06 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR | Vendor Advisory |
| NVD — CVE-2021-1498 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |