This article applies to the following versions of the Delphix Engine:
All Sub Releases
188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
FIPS 199 Severity Level: High
CVSS Score: 9.0 based on
Attack Vector (AV): N
Attack Complexity (AC): L
Privileges Required (PR): H
User Interaction (UI): N
Scope (S): C
Confidentiality (C): H
Integrity (I): H
Availability (A): L
This vulnerability impacts Delphix Masking customers using Advanced or Generic Database Connector types and/or Masking APIs features, and may result in the sensitive connector credentials, including username and password, being written to log files in cleartext.
The specific conditions to trigger this vulnerability are either:
A database connector is created with connection credentials embedded in the value provided for the JDBC URL field in the Masking UI or jdbc field in the Masking API and a masking or data level profiling job is executed. This is not typical product usage, as credentials are required to be entered in the Login ID and Password fields; any credentials present in the JDBC URL field are not used to authenticate with the database.
A malformed Masking API request is made which includes sensitive values - for example, a malformed POST to the database-connectors API endpoint. Malformed requests of this type fail with response code 500 and error "Input does not match the expected structure".
The affected masking logs are debug.log, info.log and warn.log.
Log messages including sensitive information are present in the log files.
Delphix highly recommends changing all passwords for accounts that were subject to this vulnerability.
Connection credentials should be placed in the Login ID and Password fields in the Advanced Database Connector UI, and never included in the JDBC URL field.
Care should be taken to ensure that Masking API requests which include sensitive values are properly constructed.
The issue is resolved in Delphix Engine release 18.104.22.168.
Further, Delphix has implemented an automated process to remove sensitive values introduced into support bundles due to this vulnerability during the upload process. All previously uploaded support bundles have been scrubbed to remove such information. All future uploaded support bundles will be scrubbed to remove sensitive information if it exists. This is in addition to Delphix general policy of deleting support bundles after 30 days, and limiting access to support bundles to credentialed Delphix Support Personnel.
The affected masking logs files - debug.log, info.log and warn.log - are stored on Masking Engine filesystem and included in support bundles generated on the engine. On Delphix Engine 22.214.171.124 and later, these logs may also be retrieved by any customer admin user with Masking API access privileges using the Masking API.