Delphix

TB057 Java Attach API Enabled on AIX Systems Vulnerability

This article applies to the following versions of the Delphix Engine -- Virtualization only:

Major Release | All Sub Releases
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2
5.1 | 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0 | 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4, 5.0.5.5
4.3 | 4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0, 4.3.5.1
4.2 | 4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1
4.1 | 4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0
4.0 | 4.0.0.0, 4.0.0.1, 4.0.1.0, 4.0.2.0, 4.0.3.0, 4.0.4.0, 4.0.5.0, 4.0.6.0, 4.0.6.1
3.2 | 3.2.0.0, 3.2.1.0, 3.2.2.0, 3.2.2.1, 3.2.3.0, 3.2.4.0, 3.2.4.1, 3.2.4.2, 3.2.5.0, 3.2.5.1, 3.2.6.0, 3.2.7.0, 3.2.7.1
3.1 | 3.1.0.1, 3.1.1.0, 3.1.2.0, 3.1.2.1, 3.1.3.0, 3.1.3.1, 3.1.3.2, 3.1.4.0, 3.1.5.0, 3.1.6.0, 3.1.6.1
3.0 | 3.0.0.3, 3.0.0.4, 3.0.1.0, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.2.0, 3.0.2.1, 3.0.3.0, 3.0.3.1, 3.0.4.0, 3.0.4.1, 3.0.5.0, 3.0.6.0, 3.0.6.1
2.7 | 2.7.0.0, 2.7.1.0, 2.7.1.1, 2.7.1.2, 2.7.2.0, 2.7.3.0, 2.7.3.1, 2.7.4.0, 2.7.5.0, 2.7.5.1, 2.7.5.2, 2.7.6.0, 2.7.7.0

Alert Type: Security

Severity Level: High

Delphix CVSS Score: 7.8, based on the following CVSS v3 metrics (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H):

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Impact

The Delphix Engine bundles JVMs that are pushed out to source and target hosts outside of the Engine itself. The JVM that Delphix ships for AIX hosts has the Java Attach API enabled by default. As reported in CVE-2018-12539, the Attach API may allow local users other than the process owner to connect to an AIX JVM on the same machine and run Attach API operations, which include the ability to execute untrusted native code inside that JVM.

Delphix is not aware of any instances of this vulnerability being exploited.

Contributing Factors

This issue only impacts source/target hosts running AIX with this vulnerable JVM installed.

Relief/Workaround

Limit local user access only to trusted administrators on the affected AIX hosts until the fix has been deployed.
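The bulletin identifies the exposure as any JVM process on an affected AIX host that still has the Attach API enabled. The following script is an added inventory aid, not part of the Delphix bulletin or of Delphix's own tooling: it lists the Java processes on a host and reports whether each one was launched with the attach facility explicitly turned off. It assumes that the IBM J9 JVM used on AIX honours the system property `-Dcom.ibm.tools.attach.enable=no` (an IBM JVM property, not something stated in the bulletin); the `ps` listing embedded below is constructed sample data so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Delphix bulletin): inventory Java processes and
# report whether the IBM J9 attach API has been explicitly disabled on each.
#
# Assumption: the IBM JVM disables its attach facility when started with
# -Dcom.ibm.tools.attach.enable=no. Absence of that flag means the default
# applies, which the bulletin states is "enabled" for the shipped AIX JVM.

# attach_api_status CMDLINE
#   Prints "disabled" if the command line explicitly turns the attach API off,
#   "enabled" otherwise.
attach_api_status() {
    case "$1" in
        *-Dcom.ibm.tools.attach.enable=no*) echo disabled ;;
        *)                                  echo enabled ;;
    esac
}

# scan_ps_output
#   Reads `ps -eo pid,args` style lines on stdin and prints "<pid> <status>"
#   for every line whose command is a java binary; non-Java processes are
#   skipped.
scan_ps_output() {
    while read -r pid args; do
        case "$args" in
            *java*) printf '%s %s\n' "$pid" "$(attach_api_status "$args")" ;;
        esac
    done
}

# count_attach_enabled
#   Reads the same listing on stdin and prints the number of Java processes
#   whose attach API is still enabled (0 when there are none).
count_attach_enabled() {
    scan_ps_output | awk '$2 == "enabled" { n++ } END { print n + 0 }'
}

# Constructed sample listing (not captured from a real host): two Java
# processes, one hardened with the property and one on the default, plus an
# unrelated daemon that must be ignored.
SAMPLE_PS='  PID COMMAND
  101 /usr/java8_64/bin/java -jar /opt/toolkit/a.jar
  102 /usr/java8_64/bin/java -Dcom.ibm.tools.attach.enable=no -jar /opt/toolkit/b.jar
  103 /usr/sbin/sshd'

# sample_enabled_count
#   Runs the counter over the constructed listing; returns the count as text.
sample_enabled_count() {
    printf '%s\n' "$SAMPLE_PS" | count_attach_enabled
}

# On a real host run: sh attach_inventory.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ps -eo pid,args | scan_ps_output
    printf 'java processes with attach API enabled: %s\n' \
        "$(ps -eo pid,args | count_attach_enabled)"
fi
```

Running it with `--scan` on an affected host gives the list of JVMs whose attach facility has not been turned off, which is the set that the workaround above (restricting local logins to trusted administrators) is protecting until the 5.3.2.0 fix is deployed. The check is only a heuristic on command-line flags: it does not inspect the JVM build, so a process reported as "enabled" on a host that has already received the fixed JVM is not by itself evidence of exposure.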

Resolution

This issue will be fully resolved in the Delphix Engine 5.3.2.0 release.

Additional Information

None