Delphix

TB073 XSS Vulnerability on the Masking Mainframe Inventory UI


Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 9.0 based on

  • Attack Vector (AV): N
  • Attack Complexity (AC): L
  • Privileges Required (PR): L
  • User Interaction (UI): R
  • Scope (S): C
  • Confidentiality (C): H
  • Integrity (I): H
  • Availability (A): H

An attacker could inject active code onto the Masking Engine GUI’s Mainframe Inventory pages. When a user views these pages, the attacker’s code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, etc.).

Contributing Factors

The issue may occur when using any of the below versions of the Delphix Masking Engine:

Major Release | All Sub Releases

6.0 | 6.0.0.0, 6.0.1.0

5.3 | 5.3.8.1, 5.3.8.0, 5.3.7.1, 5.3.7.0, 5.3.6.0, 5.3.5.0, 5.3.4.0, 5.3.3.1, 5.3.3.0, 5.3.2.0, 5.3.1.2, 5.3.1.1, 5.3.1.0, 5.3.0.3, 5.3.0.2, 5.3.0.1, 5.3.3.0

5.2 | 5.2.6.2, 5.2.6.1, 5.2.6.0, 5.2.5.1, 5.2.5.0, 5.2.4.0, 5.2.3.1, 5.2.3.0, 5.2.2.1, 5.2.2.0, 5.2.1.0, 5.2.0.0

Symptoms

This attack may be detected by reviewing the table/file/data set names and column/field names returned by the Masking API endpoint GET /mainframe-dataset-rulesets. Any name containing code (e.g., HTML <script> tags, JavaScript code, etc.) indicates an attack.

Example:

If the API response contains a script tag such as <script>deleteUser()</script>, then when the page is accessed through the GUI this script executes with the permissions of the logged-in user. In this example, engine users would be deleted.
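The check described above, as an added example that is not part of the advisory or of Delphix's own tooling: it walks every string value in the JSON returned by the endpoint and flags any that contains an HTML tag opener, a javascript: scheme, or an inline event-handler attribute, since none of those belong in a data set, table or field name. The sample response, its field names, the /masking/api/ path prefix and the plain Authorization header are assumptions made for illustration; the scanner itself does not depend on the response schema.

```python
"""Scan a Delphix Masking API JSON response for HTML/JavaScript in name fields."""
import json
import re
from typing import Any, Iterator, List, Tuple

# Patterns that indicate markup or script inside a field that should be a plain name.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]"      # an HTML tag opener such as <script> or </b>
    r"|javascript\s*:"          # a javascript: URL scheme
    r"|\bon[a-z]+\s*=",         # an inline event handler attribute such as onload=
    re.IGNORECASE,
)


def walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_injected_markup(response: Any) -> List[Tuple[str, str]]:
    """Return [(json_path, value)] for every string value that looks like markup or script.

    An empty list means no name in the response contains anything tag- or script-like.
    """
    return [(path, value) for path, value in walk_strings(response) if _SUSPICIOUS.search(value)]


def fetch_rulesets(base_url: str, auth_token: str) -> Any:
    """GET the rulesets from a live engine (not used by the offline demo below).

    Assumption: the API is served under /masking/api/ and expects the session token
    in a plain Authorization header. Adjust both to match your engine if they differ.
    """
    import urllib.request

    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/masking/api/mainframe-dataset-rulesets",
        headers={"Authorization": auth_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


# Constructed sample response. The field names are illustrative only; the scanner
# works on whatever shape the real endpoint returns.
SAMPLE_RESPONSE = json.loads(r'''
{
  "responseList": [
    {"rulesetName": "PAYROLL_DS", "datasetName": "PROD.PAYROLL.MASTER", "fields": ["EMP_ID", "SALARY"]},
    {"rulesetName": "HR_DS", "datasetName": "<script>deleteUser()</script>", "fields": ["NAME"]},
    {"rulesetName": "AUDIT", "datasetName": "AUDIT.LOG", "fields": ["CUSTOMER <b>NAME</b>", "TS"]}
  ]
}
''')


if __name__ == "__main__":
    for json_path, value in find_injected_markup(SAMPLE_RESPONSE):
        print(f"suspicious name at {json_path}: {value!r}")
```

Run it against the saved output of the real endpoint (json.load of the response body) instead of SAMPLE_RESPONSE; any hit is worth treating as an indicator of compromise and checking against the engine's audit trail, since a benign name never contains a tag.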

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit Delphix appliance access to approved users only.

  • Customers are strongly recommended to upgrade to 5.3.9.0 or 6.0.1.1 or later.

Resolution

This issue is resolved in releases 5.3.9.0 and 6.0.1.1.

Additional Information

N/A