TB098 Arbitrary Code Execution May Be Performed When Configuring Masking Environments
Alert Type
Security
Impact
FIPS 199 Severity Level:
CVSSv3.1 Base Score: 8.2
Attack Vector (AV): L
Attack Complexity (AC): L
Privileges Required (PR): H
User Interaction (UI): N
Scope (S): C
Confidentiality (C): H
Integrity (I): H
Availability (A): H
Under certain conditions, arbitrary code execution may be performed by users with the privilege to configure masking environments within a Continuous Compliance Engine (Masking Engine). Exploitation requires multiple interactive steps by a user with the necessary privileges.
Contributing Factors
This article applies to the following versions of the Continuous Compliance Engine:
Major Release | All Sub Releases |
---|---|
6.0 | 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1 |
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 |
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1 |
Symptoms
Arbitrary code execution.
Relief/Workaround
Customers can apply standard security good practices to minimize the likelihood of abuse of this vulnerability, including:
- Limit access to Continuous Compliance Engines (Masking Engines) to authorized personnel
- Place Continuous Compliance Engines (Masking Engines) on controlled access network segments
Resolution
This issue is resolved in Delphix release 6.0.14.0.
Additional Information
None
Related Documents
None