TB052 Vulnerability When Masking Excel and XML Files Via SFTP or FTP

Affected Software

The issue affects the following Delphix Releases with Masking service enabled where Excel documents are masked over SFTP or FTP using password-based authentication (rather than an SSH Key):

Description

This vulnerability impacts Delphix Masking customers who are accessing Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH Key). The Masking Engine's log files may contain messages with cleartext passwords for Excel or XML SFTP and FTP connectors. These messages may be written to the debug.log, error.log, info.log, user.log, warn.log or the job logs, depending on the exact scenario. The debug.log, error.log, user.log, and warn.log files can only be accessed via an OS login to the masking engine, which is not possible by customers. The user.log and a job log is accessed through the Masking GUI.

Impact

Username and password are shown in clear text in application log files for masking jobs accessing Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH Key).

Relief/Workaround

• Delphix highly recommends changing all passwords for accounts that were subject to this vulnerability.

• Customers should run Excel and/or XML file masking jobs using SFTP connection mode using Public Key Authentication to avoid clear text password in the application debug.log files.

Resolution

This issue is fully resolved in Delphix release 5.3.2.0.

Additional Information

Support Bundles collected on affected versions will contain the affected log debug.log files and therefore should be protected when stored or transmitted. Delphix has implemented an automated process to remove these passwords during the upload process. In addition to this, all previously uploaded support bundles have been scrubbed to remove information