Delphix

TB089 Oracle Database Passwords May Be Exposed in Logs and Process Tools

Alert Type: Security

Impact

FIPS 199 Severity Level: High
CVSS Score: 8.8
Attack Vector (AV): L
Attack Complexity (AC): L
Privileges Required (PR): L
User Interaction (UI): N
Scope (S): C
Confidentiality (C): H
Integrity (I): H
Availability (A): H

A Delphix engine may pass database passwords in plaintext as command-line arguments to the Oracle sqlplus executable used by the Delphix Virtualization Engine with Oracle sources. In rare circumstances this may result in passwords being visible in real time to other users of the affected source environment(s), for example through standard process tools such as “ps”.

Additionally, on Delphix 6.0.6.X releases, these passwords can be recorded to log files which are then visible to other users of the affected systems.

The end result of this exposure is that database passwords used by Delphix for accessing Oracle databases may be compromised to unauthorized individuals.

The exposure is limited to individuals with authenticated login session access to the affected source and target servers or with access to the affected log files for those systems. 
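To make the first paragraph's point concrete, here is an added shell example written for this edit; it is not code from the Delphix bulletin or product. It never runs sqlplus: a throwaway sh process stands in for it (a hypothetical stand-in), the connect string and password are constructed values, and the two functions compare what any local user can read from a process's argument list when the password is on the command line versus on stdin. sqlplus itself can be started with /nolog and given a CONNECT command on stdin, which is the pattern the hardened case imitates.

```shell
#!/bin/sh
# Added example, not code from the Delphix bulletin: shows why a password
# placed on a command line is readable by other local users, and the usual
# hardening of feeding it to the tool on stdin instead. sqlplus is not
# invoked; 'sh -c' is a hypothetical stand-in and the password is constructed.

FAKE_PASSWORD='S3cr3t-example'

# Print "exposed" if the given argument list contains the password.
classify() {
    case "$1" in
        *"$FAKE_PASSWORD"*) printf 'exposed\n' ;;
        *)                  printf 'hidden\n' ;;
    esac
}

# Argument list of a running process as any local user can see it:
# /proc/<pid>/cmdline on Linux (world-readable), ps(1) elsewhere.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Weak pattern (what the bulletin describes): the connect string, password
# included, is an argument of the process. Prints "exposed" or "hidden".
password_on_cmdline() {
    sh -c 'sleep 5; :' fake_sqlplus "scott/$FAKE_PASSWORD@ORCL" &
    pid=$!
    sleep 1                               # let the child finish exec()
    args=$(visible_args "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    classify "$args"
}

# Hardened pattern: the process starts without the secret on argv and reads
# the connect string from stdin (as sqlplus /nolog does with a CONNECT
# command). Prints "exposed" or "hidden".
password_on_stdin() {
    printf 'connect scott/%s@ORCL\n' "$FAKE_PASSWORD" |
        sh -c 'read -r line; sleep 5; :' fake_sqlplus /nolog &
    pid=$!
    sleep 1                               # let the child finish exec()
    args=$(visible_args "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    classify "$args"
}

printf 'password on argv : %s\n' "$(password_on_cmdline)"
printf 'password on stdin: %s\n' "$(password_on_stdin)"
```

The one-second pause exists only so the snapshot is taken after the stand-in has replaced the forked shell; on a loaded host the window between fork and exec can be longer, which is also why tools that poll process lists tend to catch such arguments eventually.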

Contributing Factors

Versions of the Delphix engine to which this article applies:

Major Release   All Sub Releases
6.0             6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1
5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2             5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2
5.1             5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

This issue can only occur when using one or more Oracle data sources in the Delphix Virtualization Engine. 

The incidental capture and recording of plaintext passwords in client-side logs by the environment monitor only occurs in the Delphix 6.0.6.X releases. 

Delphix Masking Engines are not impacted by the issue.

Symptoms

For 6.0.6.X releases only: log messages which include database credentials may be present in the log files on source and target hosts under the Delphix toolkit directory. The toolkit directory is specified when the environment is first added to the Delphix engine. The log files themselves are found in the <toolkit_dir>/Delphix_*_host/log/connector directory.

The toolkit directory path for an existing environment can be found in the GUI on the Details tab for the selected environment:

[Image TB089_image.JPG: the Details tab of the selected environment, showing the toolkit directory path]

From an affected host, you can determine the location of the log directory as follows:

$ cd <toolkit directory>
$ find . -name connector
./Delphix_9160f83438b0_03d36ab70cb0_1_host/log/connector
$ ls ./Delphix_9160f83438b0_03d36ab70cb0_1_host/log/connector
debug.log  error.log  info.log  stderr.log  stdout.log  trace.log

Relief/Workaround

Complete all of the following steps to resolve this issue.

  1. Upgrade to version 6.0.7.0 of the Delphix Engine.*

  2. Remove any impacted logs on the target hosts (6.0.6.X releases only).

  3. Change any password credentials that may have been exposed and update the credentials through the Delphix Admin App.

  4. Refresh the associated Oracle environment(s) from the Delphix Admin App.

* Customers already running 6.0.X.X releases can perform a Self-Service upgrade. Other customers should create a Delphix Support case for upgrade assistance. 
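To turn the directory layout given under Symptoms and step 2 of the workaround into a repeatable check, here is an added shell example written for this edit; it is not Delphix tooling. It locates every <toolkit_dir>/Delphix_*_host/log/connector directory under a toolkit path supplied by the operator (an assumption; the path comes from the environment's Details tab), lists the log files there, and removes them only when explicitly confirmed. The sample toolkit it builds in a temporary directory is constructed for the demonstration and reuses the host directory name shown in the Symptoms section.

```shell
#!/bin/sh
# Added example, not Delphix tooling: find the connector log directories
# under a toolkit directory, list their log files, and remove them on
# explicit confirmation (step 2 of Relief/Workaround, 6.0.6.X releases).

# Print every connector log directory under the given toolkit directory,
# matching the layout <toolkit_dir>/Delphix_*_host/log/connector.
find_connector_log_dirs() {
    find "$1" -type d -path '*/Delphix_*_host/log/connector' | sort
}

# Print the regular files inside each connector log directory.
list_connector_logs() {
    find_connector_log_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f | sort
    done
}

# Number of log files found; useful as a before/after check.
count_connector_logs() {
    list_connector_logs "$1" | wc -l | tr -d ' '
}

# Remove the log files. Dry run unless the second argument is "yes".
remove_connector_logs() {
    toolkit=$1
    confirm=${2:-no}
    list_connector_logs "$toolkit" | while IFS= read -r f; do
        if [ "$confirm" = yes ]; then
            rm -f -- "$f"
            printf 'removed %s\n' "$f"
        else
            printf 'would remove %s\n' "$f"
        fi
    done
}

# Build a constructed toolkit directory in a temp location so the example
# runs offline; the host directory and file names mirror the Symptoms section.
make_sample_toolkit() {
    tk=$(mktemp -d)
    d="$tk/Delphix_9160f83438b0_03d36ab70cb0_1_host/log/connector"
    mkdir -p "$d"
    for f in debug.log error.log info.log stderr.log stdout.log trace.log; do
        printf 'constructed sample line\n' > "$d/$f"
    done
    # A sibling directory outside the connector layout must be left alone.
    mkdir -p "$tk/Delphix_9160f83438b0_03d36ab70cb0_1_host/log/other"
    printf 'unrelated\n' > "$tk/Delphix_9160f83438b0_03d36ab70cb0_1_host/log/other/x.log"
    printf '%s\n' "$tk"
}

# Usage: sh connector_logs.sh <toolkit_dir> [yes]
# With no arguments, do a dry run against the constructed sample.
if [ $# -gt 0 ]; then
    remove_connector_logs "$1" "${2:-no}"
else
    sample=$(make_sample_toolkit)
    remove_connector_logs "$sample"
    rm -rf "$sample"
fi
```

Run the dry run first and keep its output with the support case; only then rerun with "yes", and follow it with the credential rotation and environment refresh in steps 3 and 4, since deleting the files does not invalidate passwords that were already read from them.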

Resolution

This issue is resolved in the Delphix 6.0.7.0 release. Once running the 6.0.7.0 release, credentials will no longer be passed as command-line arguments or captured in diagnostic logs; however, prior logs still affected by the problem could persist (see Relief/Workaround).

Additional Information

N/A

Related Documents

N/A