This article applies to the following versions of the Delphix Virtualization Engine:
All Sub Releases
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
FIPS 199 Severity Level: High
CVSS Score: 7.7 based on
Attack Vector (AV): N
Attack Complexity (AC): L
Privileges Required (PR): L
User Interaction (UI): N
Scope (S): C
Confidentiality (C): H
Integrity (I): N
Availability (A): N
In certain specific scenarios, log messages including sensitive information may be present in the Delphix Virtualization Engine log files.
The JSON body of each HTTP POST request issued via the User Interface, Command Line or directly via the API endpoints, is logged in internal access logs, which are then included in support bundles provided to Delphix. Sensitive information such as passwords and encryption keys in certain scenarios were not redacted in these logs.
This vulnerability is triggered if an administrator submits a support bundle to Delphix and any of the following conditions are true:
A user includes sensitive data, such as passwords, in non-password fields such as scripts and hooks for database operations for any database type, or
SQL Server RedGate or LiteSpeed password protected encrypted backups are used for ingestion, or
DB2, HANA, EBS or Postgres plugin-based support are used.
Oracle and ASE databases customers who follow industry best practices of not including passwords and other sensitive data in hook scripts are not impacted by this vulnerability.
SQL Server databases customers who do not use RedGate or LiteSpeed password protected encrypted backups and who follow industry best practices of not including passwords and other sensitive data in hook scripts are not impacted by this vulnerability.
Log messages including sensitive information might be present in the Delphix Virtualization Engine log files.
Customers who ingest SQL Server RedGate or LiteSpeed password protected encrypted backups may be impacted.
Customers using plugin-based databases such as DB2, EBS, HANA, and Postgres may be impacted. Sensitive data, such as database passwords, are usually embedded in JSON documents which are not redacted in the internal access log supplied to Delphix support.
Delphix highly recommends following industry best practices of never including passwords and other sensitive data in hook scripts.
Delphix highly recommends changing all account passwords placed in non-password fields of API requests.
This issue is fully resolved in release 18.104.22.168 of the Delphix Engine.
Further, Delphix is implementing an automated process to remove sensitive values introduced into support bundles due to this vulnerability during the upload process. All previously uploaded support bundles will be scrubbed to remove such information. All future uploaded support bundles will be scrubbed to remove sensitive information if it exists. This is in addition to Delphix's general policy of deleting support bundles after 30 days and limiting access to support bundles to credentialed Delphix Support Personnel.