Delphix

TB074 Pattern in File Ruleset is Vulnerable to XSS Attack

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 9.0, based on the following metrics (vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H):

  • Attack Vector (AV): Network (N)

  • Attack Complexity (AC): Low (L)

  • Privileges Required (PR): Low (L)

  • User Interaction (UI): Required (R)

  • Scope (S): Changed (C)

  • Confidentiality (C): High (H)

  • Integrity (I): High (H)

  • Availability (A): High (H)


An attacker could inject active code into the “Pattern” field of the Masking Engine GUI’s Create Rule Set page. This vulnerability affects all File Type Rule Sets (mainframe and delimited), but not Database Rule Sets. When a user selects the affected rule set on the inventory page, the attacker’s code executes with the permissions of the user viewing the page and can therefore perform any action allowed by that user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).

Contributing Factors

The issue may occur when using any of the versions of the Delphix Masking Engine listed below:

  Major Release    Sub Releases
  5.3              5.3.8.1, 5.3.8.0, 5.3.7.1, 5.3.7.0, 5.3.6.0

Symptoms

This attack may be detected by inspecting the fileName field of the file/mainframe dataset metadata returned by the Masking API endpoints GET /file-metadata and GET /mainframe-dataset-rulesets. Any fileName value containing code (e.g., HTML <script> tags, JavaScript code, et cetera) indicates an attack. Note that this field normally contains a file pattern, for example “./*.txt”. A file pattern uses the regular expression syntax of the Java Pattern class (java.util.regex.Pattern), as documented in the Java API reference.

Example:

If the API response contains a script tag such as <script>deleteUser()</script>, then when the rule set is accessed through the GUI this script will execute with the permissions of the logged-in user. In this example, engine users would be deleted.
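As an added example (not part of the Delphix advisory or its API documentation), the following Python check walks a saved JSON response from the two endpoints named above and reports every fileName value that looks like markup or script rather than a file pattern. The "responseList" wrapper and all sample values are constructed for the example and are assumptions about the response shape; the scanner walks the whole document, so it does not depend on that shape. It also handles one false-positive edge case: a Java named group such as "(?<name>...)" contains a "<" but is a legitimate pattern, so it is not flagged.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Signals that a value holds markup or script rather than a file pattern.
# Assumption (not from the advisory): a legitimate filePattern is a Java regex
# such as "./*.txt" and never contains an HTML tag, a javascript: URL or an
# inline event handler. The negative lookbehind keeps Java named groups such as
# "(?<name>...)" from being mistaken for an HTML tag.
ACTIVE_CONTENT = re.compile(
    r"(?<!\(\?)<\s*/?\s*[a-zA-Z][^>]*>"  # an HTML tag, e.g. <script> or </script>
    r"|javascript\s*:"                   # javascript: URL scheme
    r"|\bon[a-z]+\s*=",                  # inline event handler, e.g. onload=
    re.IGNORECASE,
)

# Constructed sample responses (hypothetical shape; only the fileName key matters).
FILE_METADATA_SAMPLE = json.dumps({
    "responseList": [
        {"fileMetadataId": 1, "rulesetId": 3, "fileName": "./*.txt"},
        {"fileMetadataId": 2, "rulesetId": 3, "fileName": "<script>deleteUser()</script>"},
        {"fileMetadataId": 3, "rulesetId": 4, "fileName": r"(?<prefix>acct)_[0-9]+\.dat"},
    ]
})

MAINFRAME_RULESET_SAMPLE = json.dumps({
    "responseList": [
        {"mainframeDatasetRulesetId": 7, "fileName": r"PROD\.CUST\..*"},
        {"mainframeDatasetRulesetId": 8, "fileName": "<SCRIPT>deleteUser()</SCRIPT>"},
    ]
})


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def _key_of(path: str) -> str:
    """Last object key in a json_path, with any trailing list index removed."""
    return re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])


def find_suspicious_file_names(response_body: str) -> List[Tuple[str, str]]:
    """Return (json_path, value) for every fileName whose value looks like active content."""
    hits: List[Tuple[str, str]] = []
    for path, value in _walk(json.loads(response_body)):
        if _key_of(path) == "fileName" and isinstance(value, str) and ACTIVE_CONTENT.search(value):
            hits.append((path, value))
    return hits


def scan_endpoints(responses: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each endpoint name to its suspicious fileName entries (an empty list means clean)."""
    return {endpoint: find_suspicious_file_names(body) for endpoint, body in responses.items()}


if __name__ == "__main__":
    report = scan_endpoints({
        "GET /file-metadata": FILE_METADATA_SAMPLE,
        "GET /mainframe-dataset-rulesets": MAINFRAME_RULESET_SAMPLE,
    })
    for endpoint, hits in report.items():
        print(f"{endpoint}: {len(hits)} suspicious fileName value(s)")
        for path, value in hits:
            print(f"  {path} = {value!r}")
```

The check is meant for triage, not as a proof of compromise: a pattern that uses "<" outside a named group (for example in a lookbehind with a literal tag) would still be reported and needs a manual look, which is the safer failure mode here. Save each endpoint's response to a file with whatever HTTP client you already use against the Masking API, then pass its contents to scan_endpoints.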

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit access to the Delphix appliance to approved users only.

  • Customers are strongly encouraged to upgrade to 5.3.9.0, or to 6.0.0.0 or later.

Resolution

This issue is resolved in the 5.3.9.0 release, and in the 6.0.0.0 and later releases.

Additional Information

N/A