FIPS 199 Severity Level: High
CVSS Score: 7.5
Attack Vector (AV): N
Attack Complexity (AC): L
Privileges Required (PR): L
User Interaction (UI): N
Scope (S): U
Confidentiality (C): H
Integrity (I): N
Availability (A): N
Without logging in, an attacker can inject XML code into both the Masking and Virtualization Engine using REST APIs and cause the CPUs of the VM to become 100% saturated and use all of the Java memory -- thus causing the engines to become unresponsive.
- Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases 6.0 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
All of the Engine's CPUs will become saturated at 100% and Java will increase heap memory consumption up to its 2GB limit. Once the JVM consumes all of the 2GB of heap, the Java Management stack will fail with an out of memory error and will restart. The VDB performance may also be impacted. The reboot will clear the initial attack, and the attack would need to be restarted.
Upgrade to the 22.214.171.124 release of the Virtualization Engine.
This issue is resolved in the Delphix Engine 126.96.36.199 release. All of the XML processing code has been updated to prevent any similar XML External Entity (XXE) attack in the future.