Summary of Fixed Security Issues (KBA8547)
KBA
KBA# 8547
Description
The following table summarizes security vulnerabilities already fixed by Delphix in current and past releases. The table only contains vulnerabilities with a Common Vulnerability Scoring System (CVSS1) score of 7.0 or higher.
| Bug Number | Affected Release(s) | Description | Doc Link | Published |
CVSS1 Score |
|
| Introduced | Resolved | |||||
| HM-2568 | 8.0.0 | 14.0.0 | Hyperscale Compliance Deployed in Kubernetes Allows Unauthenticated Access to Hyperscale Compliance APIs | TB112 | 31 Oct 2023 | 8.3 |
| HUBS-2023 | 3.0.1 | 3.0.3 | Delphix Plugin for Jenkins Vulnerable to Credential Enumeration and Capture | TB111 | 9 Oct 2023 | 4.3 & 6.5 |
| DLPX-86715 | 8.0.0.0 | 13.0.0.0 | Cross-Site Scripting (XSS) Vulnerability Provides Access to the Masking Engine API | TB110 | 24 July 2023 | 8.2 |
| DLPX-86329 | 6.0.13.0 | 12.0.0.0 | Sysadmin May Be Able to Execute Arbitrary Commands on the Underlying Operating System | TB109 | 21 Jun 2023 | 9.0 |
| DLPX-84966, DLPX-85414, DLPX-86134, DLPX-86178, DLPX-86196 |
6.0.15.0 | 11.0.0.0 | Upgraded Segment Mapping Algorithms May Leave Values Unmasked | TB108 | 25 May 2023 | 5.0 |
| DLPX-85604, DLPX-85606, DLPX-85608 |
all ≤ 10.0.0.0 | 11.0.0.0 | Executable Javascript Can Be Entered into Self-Service Freeform Text Boxes | TB104 | 25 May 2023 | 8.7 |
| CE-222 | all ≤ 1.1.0.1 | 1.2.0.0 | Source Mongo Instance Password is Visible on the Staging Host in "ps" Output | TB103 | 1 May 2023 | 8.8 |
| DLPX-83043 | 5.2.2.0 | 6.0.16.0 | Weak SSL/TLS Key Exchange for the Delphix Connector | TB099 | 15 Nov 2022 | 7.6 |
| DLPX-81059 | 5.2.2.0 | 6.0.14.0 | Arbitrary Code Execution may be performed when configuring masking environments | TB098 | 20 May 2022 | 8.2 |
| DLPX-79789 | 5.3.0.0 | 6.0.13.0 | Arbitrary Code Execution May Be Performed by Engine System Administrators | TB096 | 10 Mar 2022 | 8.7 |
| DLPX-78743 | see bulletin | 6.0.12.0 | Log4j Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2019-17571, CVE-2021-4104) | TB095 | 18 Dec 2021 | 10.02 |
| DLPX-77921 | 6.0.8.0 | 6.0.11.0 | Arbitrary Code Execution by Delphix System Administrators may be Performed on Virtualization and Masking Engines | TB094 | 10 Nov 2021 | 8.7 |
| DLPX-74767 | 5.2.0.0 | 6.0.8.0 | jQuery version affected by CVE-2020-11023 (cross-site scripting vulnerability) | TB092 | 17 May 2021 | 7.6 |
| DLPX-74030 | 5.1.3.1 | 6.0.7.0 | Oracle Database Passwords May Be Exposed in Logs and Process Tools | TB089 | 15 Mar 2021 | 8.8 |
| DLPX-73969 DLPX-74001 |
6.0.0.0 | 6.0.6.1 | An Authenticated Delphix User May Be Granted OS-Level Access on Engines Deployed in Azure | TB087 | 2 Feb 2021 | 8.1 |
| DLPX-73338 | 5.2.0.0 | 6.0.6.0 | XSS Vulnerability with Masking Environment Overview Page | TB086 | 21 Jan 2021 | 9.0 |
|
DLPX-72809 |
5.1.3.1 | 6.0.0.0 | libpam Can Cause Buffer Overflow (CVE-2020-27678) | TB085 | 19 Nov 2021 | 10.0 |
| DLPX-72686 | 5.0.1.0 | 6.0.6.0 | Leaked Password when using EBS Plugins, HANA Plugins, or ASE Hooks | TB084 | 21 Jan 2021 | 8.2 |
| DLPX-71432 | 5.2.0.0 | 6.0.4.0 | Non-privileged user may be able to perform certain actions on the Masking Engine | TB083 | 15 Sep 2020 | 8.5 |
| DLPX-71014 | 6.0.1.0 | 6.0.3.0 | Passwordless Login Succeeds to Masking Engine configured for LDAP | TB078 | 3 Aug 2020 | 10.0 |
| DLPX-70299 DLPX-70370 DLPX-69843 DLPX-69844 DLPX-69889 DLPX-70034 DLPX-69916 DLPX-70029 DLPX-70030 DLPX-70033 DLPX-70035 DLPX-70036 |
5.2.0.0 | 6.0.3.0 | XSS Vulnerability on the Masking Engine | TB077 | 3 Aug 2020 | 9.0 |
| DLPX-70089 | 5.1.2.0 | 6.0.3.0 | Billion Laughs DoS Vulnerability in Virtualization Engine | TB080 | 9 Sep 2020 | 7.5 |
| DLPX-69237 | 5.2.0.0 | 6.0.1.1 | XSS Vulnerability on the Masking Mainframe Inventory UI | TB073 | 17 Jul 2020 | 9.0 |
| DLPX-69238 | 6.0.1.0 | 6.0.1.1 | Shuffle Algorithm Leaves Data Unmasked But Reports Success When Used With Extended Connectors | TB072 | 17 Jul 2020 | 8.6 |
| DLPX-68061 | 5.2.0.0 | 6.0.0.0 5.3.8.0 |
XSS Vulnerability on the Masking Rule Set and Inventory Pages | TB069 | 17 Jul 2020 | 9.0 |
| DLPX-67976 | 5.3.2.0 | 6.0.0.0 5.3.8.0 |
XSS Vulnerability on the Masking Audit Page | TB068 | 17 Jul 2020 | 9.6 |
| DLPX-69317 | 5.3.6.0 | 6.0.0.0 5.3.9.1 |
XSS Vulnerability on the Pattern in file ruleset is vulnerable to XSS attack | TB074 | 15 Jul 2020 | 9.0 |
| DLPX-67587 DLPX-67759 |
5.2.0.0 | 6.0.1.0 | In Certain Specific Situations, Sensitive Information May Be Written to Phone-Home Files | TB067 | 7 Jan 2020 | 8.4 |
| DLPX-66141 | 5.2.0.0 | 5.3.6.0 | In Certain Specific Situations, Sensitive Information May Be Written to Log Files | TB065 | 19 Dec 2020 | 7.7 |
| DLPX-65006 DLPX-65011 DLPX-65093 DLPX-65007 DLPX-65010 DLPX-65040 DLPX-65041 |
5.2.1.0 | 5.3.5.0 | Sensitive Information May Be Written to Masking Log Files | TB063 | 16 Jul 2019 | 9.0 |
1 Common Vulnerability Scoring Subsystem (CVSS v3.1, issues published before 2019 scored with CVSS v3.0)
2 See related bulletin. There is no actual vulnerability in most Delphix products.
Related Documents
Common Vulnerability Scoring System (external web page)
Delphix Knowledge Base : Security Bulletins
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0 5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4