TB063 Sensitive Information May Be Written to Masking Log Files

This article applies to the following versions of the Delphix Engine:

Major Release   All Sub Releases
5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0
5.2             5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

Alert Type: Security

FIPS 199 Severity Level: High

CVSS Score: 9.0, based on the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L:

  • Attack Vector (AV): N

  • Attack Complexity (AC): L

  • Privileges Required (PR): H

  • User Interaction (UI): N

  • Scope (S): C

  • Confidentiality (C): H

  • Integrity (I): H

  • Availability (A): L

Impact

This vulnerability impacts Delphix Masking customers using the Advanced or Generic Database Connector types and/or the Masking API, and may result in sensitive connector credentials, including the username and password, being written to log files in cleartext.

The specific conditions to trigger this vulnerability are either:

  • A database connector is created with connection credentials embedded in the value provided for the JDBC URL field in the Masking UI or the jdbc field in the Masking API, and a masking or data-level profiling job is executed. This is not typical product usage, as credentials are required to be entered in the Login ID and Password fields; any credentials present in the JDBC URL field are not used to authenticate with the database.

  • A malformed Masking API request is made which includes sensitive values - for example, a malformed POST to the database-connectors API endpoint. Malformed requests of this type fail with response code 500 and error "Input does not match the expected structure".

The affected masking logs are debug.log, info.log and warn.log.

Symptoms

Log messages including sensitive information are present in the log files.

Relief/Workaround

  • Delphix highly recommends changing all passwords for accounts that were subject to this vulnerability.

  • Connection credentials should be placed in the Login ID and Password fields in the Advanced Database Connector UI, and never included in the JDBC URL field.

  • Care should be taken to ensure that Masking API requests which include sensitive values are properly constructed.
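The two exposure patterns described under Impact (credentials embedded in a JDBC URL, and password values inside a logged malformed API request body) are both recognisable with simple text matching. As an added example that is not Delphix's code and not part of this article, the following Python scanner runs over the affected log files, reports which accounts had a password written to the log (the accounts whose passwords should be changed), and produces a redacted copy. The log lines below are constructed; the Delphix log layout is assumed to be free-form text (the scanner does not depend on it), and the JDBC URL shapes handled (query-string `?user=...&password=...`, `;user=...;password=...`, `user:password@host`, and Oracle thin `user/password@`) together with the `"password"` JSON key are assumptions, not taken from the product.

```python
"""Scan Delphix masking log files for the two TB063 exposure patterns:
credentials embedded in a JDBC URL, and passwords in logged API request bodies.
Example code written for this article, not a Delphix tool. The log lines and
the URL/JSON shapes it recognises are assumptions, not product behaviour."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Any jdbc:<subprotocol>:... token, ending at whitespace, a quote or a comma.
JDBC_URL_RE = re.compile(r"jdbc:[A-Za-z0-9]+:[^\s\"',]+")
# Credential keys commonly accepted as ?key=value or ;key=value driver parameters (assumed set).
USER_KEYS = {"user", "username", "uid"}
PASSWORD_KEYS = {"password", "pwd"}
KV_RE = re.compile(r"[?&;]([A-Za-z]+)=([^&;\s]*)")
# user:password@host in the authority part, e.g. jdbc:mysql://u:p@host/db.
USERINFO_RE = re.compile(r"://([^/@\s]+)@")
# Oracle thin style jdbc:oracle:thin:user/password@host:port:sid.
ORACLE_RE = re.compile(r"jdbc:oracle:thin:([^/@\s]+)/([^@\s]+)@")
# "password": "..." inside a logged JSON body (assumed key name).
JSON_PASSWORD_RE = re.compile(r'("(?:password|pwd)"\s*:\s*")([^"]*)(")', re.IGNORECASE)

# Constructed sample lines; not real Delphix log output.
SAMPLE_LOG = """\
2019-06-10 12:00:01 INFO  Connecting with jdbc:postgresql://db.example.internal:5432/hr?user=mask_svc&password=Hunter2!
2019-06-10 12:00:02 DEBUG Connector jdbc:mysql://mask_svc:Hunter2!@mysql.example.internal/sales
2019-06-10 12:00:03 WARN  Input does not match the expected structure: {"connectorName":"x","jdbc":"jdbc:oracle:thin:@ora.example.internal:1521:orcl","username":"mask_svc","password":"Hunter2!"}
2019-06-10 12:00:04 INFO  Job 42 completed against jdbc:oracle:thin:@ora.example.internal:1521:orcl
"""


class Finding(NamedTuple):
    lineno: int
    kind: str              # "jdbc-url" or "api-body"
    creds: Dict[str, str]  # normalised to the keys "user" and/or "password"


def jdbc_credentials(url: str) -> Dict[str, str]:
    """Return credentials embedded in a JDBC URL, or {} if it carries none."""
    found: Dict[str, str] = {}
    m = ORACLE_RE.match(url)
    if m:
        found["user"], found["password"] = m.group(1), m.group(2)
    m = USERINFO_RE.search(url)
    if m:
        user, _, password = m.group(1).partition(":")
        found["user"] = user
        if password:
            found["password"] = password
    for key, value in KV_RE.findall(url):
        if key.lower() in USER_KEYS:
            found["user"] = value
        elif key.lower() in PASSWORD_KEYS:
            found["password"] = value
    return found


def redact_jdbc_url(url: str) -> str:
    """Blank credential values in a JDBC URL while keeping host and database."""
    url = ORACLE_RE.sub(r"jdbc:oracle:thin:***/***@", url)
    url = USERINFO_RE.sub("://***@", url)
    keys = "|".join(sorted(USER_KEYS | PASSWORD_KEYS))
    return re.sub(r"([?&;](?:" + keys + r")=)[^&;\s]*", r"\1***", url, flags=re.IGNORECASE)


def scan_log(text: str) -> Tuple[List[Finding], str]:
    """Return every credential exposure found and a redacted copy of the text."""
    findings: List[Finding] = []
    redacted: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in JDBC_URL_RE.findall(line):
            creds = jdbc_credentials(url)
            if creds:
                findings.append(Finding(lineno, "jdbc-url", creds))
                line = line.replace(url, redact_jdbc_url(url))
        for m in JSON_PASSWORD_RE.finditer(line):
            findings.append(Finding(lineno, "api-body", {"password": m.group(2)}))
        line = JSON_PASSWORD_RE.sub(r"\1***\3", line)
        redacted.append(line)
    return findings, "\n".join(redacted) + "\n"


def exposed_accounts(findings: List[Finding]) -> Set[str]:
    """Usernames whose password was written to the log; rotate these."""
    return {f.creds["user"] for f in findings if "user" in f.creds and "password" in f.creds}


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.lineno}: {f.kind} exposes {sorted(f.creds)}")
    print("rotate passwords for:", sorted(exposed_accounts(found)))
    print(clean)
```

Run it over debug.log, info.log and warn.log taken from the engine or from an existing support bundle; the findings list identifies the accounts to rotate, and the redacted copy is the version to keep or share if the original must not be retained. A password that also appears inside the logged JSON body as a username (as on the constructed line 3) is still reported, because the scan matches on the `"password"` key rather than on the value.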

Resolution

The issue is resolved in Delphix Engine release 5.3.5.0.

Further, Delphix has implemented an automated process to remove sensitive values introduced into support bundles due to this vulnerability during the upload process. All previously uploaded support bundles have been scrubbed to remove such information, and all future uploaded support bundles will be scrubbed to remove sensitive information if it exists. This is in addition to Delphix's general policy of deleting support bundles after 30 days and limiting access to support bundles to credentialed Delphix Support personnel.

Additional Information

The affected masking log files - debug.log, info.log and warn.log - are stored on the Masking Engine filesystem and included in support bundles generated on the engine. On Delphix Engine 5.3.2.0 and later, these logs may also be retrieved through the Masking API by any customer admin user with Masking API access privileges.

Related Articles

N/A