NEC CLUSTERPRO X and EXPRESSCLUSTER X OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in multiple versions of CLUSTERPRO X and EXPRESSCLUSTER X for Linux. This vulnerability allows an attacker to execute arbitrary operating system commands without authentication by sending specially crafted network packets to the application.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of operating system commands, potentially allowing for further system compromise or disruption.

Remediation

Users are advised to update to EXPRESSCLUSTER X 4.3 for Linux (internal version 4.3.4-1) or EXPRESSCLUSTER X 5.3 for Linux (internal version 5.3.0-1) or later. The same update guidance applies to CLUSTERPRO X. As a workaround, enable the firewall and block unnecessary communication, allowing connection requests to the specific ports only from hosts that belong to the cluster.
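The following is an added example, not part of the advisory and not vendor code: it checks per-node internal versions against the two fixed builds quoted above. It assumes version strings of the form X.Y.Z-R have already been collected from each node, treats release lines other than 4 and 5 as not covered by this advisory, and uses hypothetical function names and a constructed inventory.

```python
import re

# Fixed internal versions quoted in the advisory, keyed by major release line.
FIXED_BUILDS = {4: (4, 3, 4, 1), 5: (5, 3, 0, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_internal_version(text):
    """Turn 'X.Y.Z-R' into a tuple of ints so 4.3.10-1 sorts after 4.3.4-1."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised internal version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(internal_version):
    """Classify one node: fixed, update-required, not-covered or unparseable."""
    try:
        version = parse_internal_version(internal_version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        # Assumption: the advisory names no fixed build for this release line.
        return "not-covered"
    return "fixed" if version >= fixed else "update-required"


def audit(inventory):
    """Map each host to its status; inventory is {hostname: internal_version}."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "node-a.example": "4.3.3-1",
    "node-b.example": "4.3.10-1",
    "node-c.example": "5.2.1-1",
    "node-d.example": "5.3.0-1",
    "node-e.example": "3.3.5-1",
    "node-f.example": "unknown",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Nodes reported as update-required are the ones to prioritise for the update or, until then, for the firewall workaround.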

Added: Nov 7, 2025, 2:17 AM
Updated: Nov 7, 2025, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 10.0
exploitability: 7.0
remediation: 8.3
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.