Skip to main content
Delphix

Vulnerabilities in Bash, Iperf and 7-Zip Do Not Affect Delphix Customers (KBA7284)

 

KBA

KBA# 7284

Issue

The host toolkits deployed to database hosts by previous versions of the Delphix virtualization engine may include versions of bash, iperf and 7-Zip that are subject to known vulnerabilities. However, the Delphix engine and the host toolkits are not affected by these vulnerabilities. Nevertheless, in accordance with the Delphix vulnerability management policy, these software binaries were updated to versions not affected by these vulnerabilities in the Delphix 6.0.7.0 and 6.0.8.0 releases.

bash

Before version 6.0.7.0, Delphix deployed a version of bash to Unix/Linux database hosts that was subject to CVE-2014-6271 and its follow-up CVE-2014-7169. These privilege-escalation vulnerabilities allow remote attackers to execute arbitrary commands on target systems that use bash internally. However, from the Delphix engine, the ability to execute arbitrary commands via dataset hooks as environment users on the remote host is already explicitly granted to Delphix users to whom administrators have issued authorizations to manage datasets and their hooks. Therefore, this vulnerability does not allow users to perform any actions they are not already authorized to perform.

iperf

Before version 6.0.8.0 for AIX and HP-UX, and before 6.0.7.0 for all other operating systems, Delphix deployed a version of iperf to Unix/Linux database hosts that was subject to CVE-2016-4303. This vulnerability allows attackers to execute arbitrary commands via special characters in JSON strings. However, the Delphix engine does not pass any user-originated input to iperf.

7-Zip

Before version 6.0.8.0, Delphix deployed a version of 7-Zip to Windows database hosts that was subject to CVE-2018-10115. This vulnerability allows attackers to execute arbitrary commands via specially-crafted RAR files. However, the Delphix engine does not use the RAR format and it does not pass any user-originated files to 7-Zip.

Applicable Delphix Versions

Delphix 6.0.6.1 and prior, which deployed affected versions of bash and iperf to Unix/Linux database hosts.

Delphix 6.0.7.0 and prior, which deployed an affected version of 7-zip to Windows database hosts.

 
 
 
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1

5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0

5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

Resolution

No action is needed. The Delphix engine and connected database hosts are not affected by these vulnerabilities. Nevertheless, unaffected versions of these binaries are now deployed by the Delphix virtualization engine.

 

 

Related Articles

The following articles may provide more information or related information to this article: