Skip to main content
Delphix

TB067 Sensitive Information May Be Present in Phone-Home Data

 

Alert Type

Security

FIPS 199 Severity Level: High

CVSS Score: 8.4 based on

Attack Vector (AV): A

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

Impact

In certain specific scenarios, sensitive information may be present in the automated support data system known as 'phone home'.

If the Phone Home Service has been enabled, the contents of all API-accessible objects in the Virtualization Engine are collected in phone-home data files and sent to Delphix periodically for support and analytical purposes.

Contributing Factors

The issue may occur when using any version of the Delphix Engine.

Major Release

All Sub Releases

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1

5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0

5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

4.3

4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0

4.2

4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0 , 4.2.5.0, 4.2.5.1

4.1

4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0

4.0

4.0.0.0, 4.0.0.1, 4.0.1.0, 4.0.2.0, 4.0.3.0, 4.0.4.0, 4.0.5.0, 4.0.6.0, 4.0.6.1

3.2

3.2.0.0, 3.2.1.0, 3.2.2.0, 3.2.2.1, 3.2.3.0, 3.2.4.0, 3.2.4.1, 3.2.4.2, 3.2.5.0, 3.2.5.1, 3.2.6.0, 3.2.7.0, 3.2.7.1

3.1

3.1.0.1, 3.1.1.0, 3.1.2.0,  3.1.2.1, 3.1.3.0 , 3.1.3.1, 3.1.3.2, 3.1.4.0, 3.1.5.0, 3.1.6.0

3.0

3.0.0.3, 3.0.0.4, 3.0.1.0, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.2.0, 3.0.2.1, 3.0.3.0, 3.0.3.1, 3.0.4.0, 3.0.4.1, 3.0.5.0, 3.0.6.0, 3.0.6.1

This vulnerability is triggered if the Phone Home Service is enabled (it is disabled by default) and any of the following conditions are true:

  1. A user includes sensitive data, such as passwords, in non-password fields (note: values in traditional password fields are redacted by default) such as scripts and hooks for database operations for any database type, or

  2. SQL Server RedGate or LiteSpeed password-protected encrypted backups are used for ingestion.

Oracle and ASE database customers who follow industry best practices of not including passwords and other sensitive data in hook scripts are not impacted by this vulnerability.

SQL Server database customers who do not use RedGate or LiteSpeed password-protected encrypted backups and who follow industry best practices of not including passwords and other sensitive data in hook scripts are not impacted by this vulnerability.

Note

Note:

Masking Engines, Masking APIs, and Masking Connectors are not impacted by this vulnerability.

 

Symptoms

 

Sensitive information might be present in phone-home data.

Relief/Workaround

  • Delphix highly recommends following industry best practices of never including passwords and other sensitive data in hook scripts.

  • Delphix highly recommends changing all account passwords placed in non-password fields of API requests.

Resolution

Delphix has updated the upload process to ensure that any sensitive data that are sent to Delphix are immediately redacted, and Delphix has taken the action to redact such data that have already been sent to Delphix.

In addition to the already-in-place process of redacting any sensitive data sent to Delphix, we also plan to update the engines to never send this data.

Related Articles

TB065 Sensitive Information May Be Written to Log Files may provide information related to this article.