The host toolkits deployed to database hosts by previous versions of the Delphix virtualization engine may include versions of bash, iperf and 7-Zip that are subject to known vulnerabilities. However, the Delphix engine and the host toolkits are not affected by these vulnerabilities. Nevertheless, in accordance with the Delphix vulnerability management policy, these software binaries were updated to versions not affected by these vulnerabilities in the Delphix 188.8.131.52 and 184.108.40.206 releases.
Before version 220.127.116.11, Delphix deployed a version of bash to Unix/Linux database hosts that was subject to CVE-2014-6271 and its follow-up CVE-2014-7169. These privilege-escalation vulnerabilities allow remote attackers to execute arbitrary commands on target systems that use bash internally. However, from the Delphix engine, the ability to execute arbitrary commands via dataset hooks as environment users on the remote host is already explicitly granted to Delphix users to whom administrators have issued authorizations to manage datasets and their hooks. Therefore, this vulnerability does not allow users to perform any actions they are not already authorized to perform.
Before version 18.104.22.168 for AIX and HP-UX, and before 22.214.171.124 for all other operating systems, Delphix deployed a version of iperf to Unix/Linux database hosts that was subject to CVE-2016-4303. This vulnerability allows attackers to execute arbitrary commands via special characters in JSON strings. However, the Delphix engine does not pass any user-originated input to iperf.
Before version 126.96.36.199, Delphix deployed a version of 7-Zip to Windows database hosts that was subject to CVE-2018-10115. This vulnerability allows attackers to execute arbitrary commands via specially-crafted RAR files. However, the Delphix engine does not use the RAR format and it does not pass any user-originated files to 7-Zip.
Applicable Delphix Versions
Delphix 188.8.131.52 and prior, which deployed affected versions of bash and iperf to Unix/Linux database hosts.
Delphix 184.108.40.206 and prior, which deployed an affected version of 7-zip to Windows database hosts.
Major Release All Sub Releases 6.0 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
No action is needed. The Delphix engine and connected database hosts are not affected by these vulnerabilities. Nevertheless, unaffected versions of these binaries are now deployed by the Delphix virtualization engine.