Skip to main content
Delphix

TB077 XSS Vulnerability on the Masking Engine

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 9.0 based on

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

 

An attacker that can both authenticate as a masking engine user and is authorized to modify the following objects could inject active code onto the below Masking Engine GUI’s pages:

  • File and database inventory

  • Import copybook using FTP/SFTP/Mount servers

  • Algorithms

  • Custom Algorithms

  • Environments

  • Define Fields (Fixed width and Delimited File Inventory)

  • Import/Upload File UI across application

  • Error report on Monitor Page

  • Export Inventory

When a user views these pages, malicious code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).

Contributing Factors

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.2.0, 6.0.2.1

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

 

Symptoms

These attacks may be detected by reviewing the following for any code fragments (e.g., HTML <script> tags, JavaScript code, et cetera): 

  1. Inventory details can be exported into a CSV file and imported back after modifying the required details like algorithms for multiple fields/columns in a single step. Any column name or field name can contain the code (e.g., HTML <script> tags, JavaScript code, etc.)  in the modified inventory CSV file which can result in attack while importing.

  2. Any copybook name using GET /mainframe-dataset-connectors/{mainframeDatasetConnectorId}/fetch API in case a copybook needs to be imported using FTP/SFTP/Mount connection mode.

  3. Below algorithm properties using GET /algorithms API :

  • Custom Algorithm

    • mappletInput

    • mappletOutput

  • Free Text Redaction Algorithm

    • lookupRedactionValue

    • profileSetRedactionValue

  1. Any field name using GET /file-field-metadata API.

  2. Any fileName using GET /file-metadata.  Note this field may normally contain a filePattern, for example, “./*.txt”. A file pattern uses the regular expression syntax defined by the Java Pattern class. The syntax is documented here. This can be detected in audit logs as well.

  3. Any column name using GET /column-metadata API.

  4. Any table metadata like “keyColumn” using GET /table-metadata API.

  5. Date format attached to the field with date algorithms using GET  /file-field-metadata and GET /mainframe-dataset-field-metadata APIs.

Example

Suppose an item above contains a script tag. When a Masking user accesses this script in the GUI, this script will execute with that user’s permissions. For example, if the script contained logic to add admin user privileges to a non-admin account, and the script was run by an admin, an admin user could be tricked into adding admin user privileges to a non-admin account..

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit Delphix appliance access to only approved users.  

  • Customers are strongly recommended to upgrade to 6.0.3.0 or later.

Resolution

This issue is fully resolved in the 6.0.3.0 release.

Additional Information

N/A

Related Documents

The Oracle Java Pattern class syntax is documented here.