TB057 Java Attach API Enabled on AIX Systems Vulnerability
This article applies to the following versions of the Delphix Engine -- Virtualization only:
| Major Release | All Sub Releases |
| --- | --- |
| 5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2 |
| 5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2 |
| 5.1 | 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0 |
| 5.0 | 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4, 5.0.5.5 |
| 4.3 | 4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0, 4.3.5.1 |
| 4.2 | 4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1 |
| 4.1 | 4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0 |
| 4.0 | 4.0.0.0, 4.0.0.1, 4.0.1.0, 4.0.2.0, 4.0.3.0, 4.0.4.0, 4.0.5.0, 4.0.6.0, 4.0.6.1 |
| 3.2 | 3.2.0.0, 3.2.1.0, 3.2.2.0, 3.2.2.1, 3.2.3.0, 3.2.4.0, 3.2.4.1, 3.2.4.2, 3.2.5.0, 3.2.5.1, 3.2.6.0, 3.2.7.0, 3.2.7.1 |
| 3.1 | 3.1.0.1, 3.1.1.0, 3.1.2.0, 3.1.2.1, 3.1.3.0, 3.1.3.1, 3.1.3.2, 3.1.4.0, 3.1.5.0, 3.1.6.0, 3.1.6.1 |
| 3.0 | 3.0.0.3, 3.0.0.4, 3.0.1.0, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.2.0, 3.0.2.1, 3.0.3.0, 3.0.3.1, 3.0.4.0, 3.0.4.1, 3.0.5.0, 3.0.6.0, 3.0.6.1 |
| 2.7 | 2.7.0.0, 2.7.1.0, 2.7.1.1, 2.7.1.2, 2.7.2.0, 2.7.3.0, 2.7.3.1, 2.7.4.0, 2.7.5.0, 2.7.5.1, 2.7.5.2, 2.7.6.0, 2.7.7.0 |
Alert Type: Security
Severity Level: High
Delphix CVSS Score: 7.8, based on:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Impact
The Delphix Engine includes JVMs that are pushed out to source and target hosts outside of the Engine itself. The JVM that Delphix ships for AIX hosts has the Attach API enabled by default. As reported in CVE-2018-12539, the Attach API may allow a local user other than the process owner to connect to a JVM on the same AIX machine and run Attach API operations, which include the ability to execute untrusted native code in that JVM.
Delphix is not aware of any instances of this vulnerability being exploited.
Contributing Factors
This issue only affects source/target hosts running AIX with this vulnerable JVM installed.
Relief/Workaround
Limit local user access on the affected AIX hosts to trusted administrators until the fix has been deployed.
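To scope the workaround above, an administrator needs to know which JVM processes on an AIX host are still running with the Attach API enabled. The following inventory check is an added example, not part of this bulletin or of Delphix's tooling; it assumes that the IBM J9 JVM honours the documented `-Dcom.ibm.tools.attach.enable=no` property, and the `ps` sample and binary paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Delphix's code): flag Java processes on an AIX host that do
# not explicitly disable the IBM J9 Attach API on their command line.
# Assumption: IBM J9 reads -Dcom.ibm.tools.attach.enable=no to turn the API off.

# Constructed sample in `ps -eo pid,args` format; paths are placeholders.
SAMPLE_PS='12345 /opt/placeholder/java/bin/java -Xmx512m -jar toolkit.jar
12346 /usr/java8_64/bin/java -Dcom.ibm.tools.attach.enable=no -jar app.jar
12347 /usr/sbin/sshd -D
12348 /opt/placeholder/java/bin/java -Dcom.ibm.tools.attach.enable=yes Agent'

# Print "<pid> <java binary>" for each JVM whose Attach API may still be enabled
# (the AIX default per this bulletin). Input: text in the format of SAMPLE_PS.
attach_exposed_jvms() {
  printf '%s\n' "$1" | awk '
    $2 ~ /(^|\/)java$/ {
      disabled = 0
      for (i = 3; i <= NF; i++)
        if ($i == "-Dcom.ibm.tools.attach.enable=no") disabled = 1
      if (!disabled) print $1, $2
    }'
}

# Number of exposed JVMs, convenient for a monitoring check.
attach_exposed_count() {
  attach_exposed_jvms "$1" | wc -l | tr -d ' '
}

# On a live host replace the sample with: attach_exposed_jvms "$(ps -eo pid,args)"
attach_exposed_jvms "$SAMPLE_PS"
```

Processes that show up here are the ones on which the local-user restriction above must hold until the fixed Delphix release is deployed.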
Resolution
This issue will be fully resolved in the Delphix Engine 5.3.2.0 release.
Additional Information
None