Delphix

TB072 Shuffle Algorithm Leaves Data Unmasked But Reports Success When Used With Extended Connectors

 

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 8.6 based on:

  • Attack Vector (AV): N

  • Attack Complexity (AC): L

  • Privileges Required (PR): N

  • User Interaction (UI): N

  • Scope (S): C

  • Confidentiality (C): H

  • Integrity (I): N

  • Availability (A): N

 

An attacker could successfully associate PII from a column within a table with its original row/key. This occurs in a job that the Delphix masking engine reported as successfully masked, when the job run uses the shuffle algorithm with an extended connector (first shipped in 6.0.1.0).

 

The shuffle algorithm works differently from other algorithms, which aim to redact or mask individual items. Instead, the shuffle algorithm redistributes all the values of a column so that the same elements exist, but in new, different rows.

 

Pre-shuffle example (unmasked data):

ID     Data column - obscured by shuffle algorithm     Zip Code
001    Jane                                            15221
002    John                                            26011
003    Ann                                             12345

 

Post-shuffle example (data moved to a new location relative to the key and the other information in the row). Note that Jane can no longer be associated with her original zip code.

ID     Data column - obscured by shuffle algorithm     Zip Code
001    John                                            15221
002    Ann                                             26011
003    Jane                                            12345

 

The anomalous behavior covered by this security bulletin is that the algorithm does not move the data, so the PII that was meant to be shuffled is still associated with its original row/key.

Contributing Factors

The issue may occur when using the following sub release version of the Delphix Masking Engine:

 

Major Release     Sub Release
6.0               6.0.1.0

Symptoms

Data in a database table’s column that is masked by the shuffle algorithm, using an extended connector to connect to the database, is not moved to a different position within the table’s column.
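A post-job check for this symptom, as an added example that is not Delphix code: it compares a snapshot of the shuffled column taken before the job with one taken after, keyed by row ID, instead of trusting the job status. The function name, the dict-based snapshots and the 0.5 threshold are assumptions; the sample rows are the ones from the example tables above.

```python
from collections import Counter

# Constructed sample snapshots (row ID -> shuffled column value), using the
# rows from the advisory's example tables. AFTER_BROKEN models the symptom:
# the job reports success but every value is still on its original row.
BEFORE = {"001": "Jane", "002": "John", "003": "Ann"}
AFTER_OK = {"001": "John", "002": "Ann", "003": "Jane"}
AFTER_BROKEN = dict(BEFORE)


def shuffle_report(before, after, max_unchanged=0.5):
    """Compare one column before and after a shuffle job, keyed by row ID.

    max_unchanged is an assumed threshold (not a Delphix setting): the share
    of rows allowed to keep their original value before the run is flagged.
    """
    if before.keys() != after.keys():
        raise ValueError("row keys differ between snapshots")
    unchanged = sorted(k for k in before if before[k] == after[k])
    ratio = len(unchanged) / len(before) if before else 0.0
    # A column holding a single distinct value cannot be changed by shuffling,
    # so an unchanged column is only meaningful when values differ.
    shufflable = len(set(before.values())) > 1
    return {
        "rows": len(before),
        # A shuffle only moves values, so the multiset must be preserved.
        "same_values": Counter(before.values()) == Counter(after.values()),
        "unchanged_keys": unchanged,
        "unchanged_ratio": ratio,
        "suspect": shufflable and ratio > max_unchanged,
    }


if __name__ == "__main__":
    for name, after in (("ok", AFTER_OK), ("broken", AFTER_BROKEN)):
        print(name, shuffle_report(BEFORE, after))
```

Columns with many duplicate values keep a higher share of rows unchanged after a genuine shuffle, so the threshold needs tuning per column.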

Relief/Workaround

  • Customers can use any algorithm other than shuffle to work around this vulnerability.

  • Customers are strongly recommended to upgrade to 6.0.1.1 or later.

Resolution

This issue is resolved in the 6.0.1.1 release.

Additional Information

N/A

Related Documents

N/A