Delphix

TB080 Billion Laughs DoS Vulnerability in Masking and Virtualization Engines

Alert Type

Security 

Impact

FIPS 199 Severity Level: High

CVSS Score: 7.5 

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): N

Scope (S): U

Confidentiality (C): H

Integrity (I): N

Availability (A): N

Without logging in, an attacker can submit crafted XML to the REST APIs of both the Masking and Virtualization Engines, saturating every CPU of the VM at 100% and exhausting the Java heap, which leaves the engines unresponsive.

Contributing Factors

Versions of the Delphix engine to which this article applies:

Major Release  Sub Releases
6.0            6.0.0.0, 6.0.1.0, 6.0.2.0, 6.0.2.1
5.3            5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2            5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1            5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0


Symptoms

All of the Engine's CPUs will become saturated at 100% and Java will increase heap memory consumption up to its 2GB limit. Once the JVM consumes all of the 2GB of heap, the Java Management stack will fail with an out of memory error and will restart. The VDB performance may also be impacted. The reboot will clear the initial attack, and the attack would need to be restarted.

Relief/Workaround

Upgrade to the 6.0.3.1 release of the Virtualization Engine. 

Resolution

This issue is resolved in the Delphix Engine 6.0.3.1 release. All of the XML processing code has been updated to prevent any similar XML External Entity (XXE) attack in the future.
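The hardening the resolution describes amounts to a parsing policy for untrusted XML: refuse the DTD constructs that entity expansion (Billion Laughs) and XXE both depend on, never resolve external references, and cap input size. The example below is added here to illustrate that policy and is not Delphix code; the engines are Java, so this Python version uses the standard-library expat bindings to show the same checks. The 1 MiB cap and the sample documents are assumptions constructed for the example.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when input is too large, malformed, or uses DTD features."""

def parse_untrusted_xml(data: bytes, max_bytes: int = 1 << 20) -> dict:
    """Parse XML from an unauthenticated REST caller under a strict policy:
    no DOCTYPE (hence no entity declarations to expand), no external entity
    resolution, and a byte cap (the 1 MiB default is an assumed value).
    Returns {"root": tag, "elements": count} on success."""
    if len(data) > max_bytes:
        raise UnsafeXMLError(f"document exceeds {max_bytes} bytes")
    parser = expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refusing the DOCTYPE outright closes off both entity expansion
        # (Billion Laughs) and XXE: both need a DTD to declare entities.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        # Never fetch a resource named by the document (the XXE path).
        raise UnsafeXMLError("external entity references are not accepted")

    def on_start(tag, attrs):
        if summary["root"] is None:
            summary["root"] = tag
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return summary

def is_accepted(data: bytes) -> bool:
    """True if the document passes the policy, False if it is rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed samples: a benign request body, and a minimal document whose
# DOCTYPE declares one entity, the construct every expansion payload needs.
SAFE_DOC = b"<request><name>db1</name></request>"
DTD_DOC = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
```

Exceptions raised inside an expat handler abort parsing immediately, so a rejected document is never expanded before the check fires.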

Additional Information

N/A

Related Documents

N/A