
TB108 Upgraded Segment Mapping Algorithms May Leave Values Unmasked


Alert Type

Security

Impact

Severity (NVD): Medium

Delphix CVSS v3.1 Score:  5.0

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): N

Scope (S): C

Confidentiality (C): L

Integrity (I): N

Availability (A): N


Delphix Continuous Compliance versions from 6.0.15.0 to 10 unintentionally changed the behavior of some Segment Mapping instances. Specifically, Segment Mapping instances that previously masked both letters and digits might mask only digits, or only letters, potentially resulting in data being unexpectedly and silently left unmasked.

In order to be affected by this issue, a Continuous Compliance engine must:

  1. Be running versions 6.0.15.0 through 10

  2. Be using one or more Segment Mapping algorithm instances; these algorithm instances have their Framework listed as SM in the Settings > Algorithm screen

  3. Have Segment Mapping instance configurations that were created on version 6.0.14.0 or earlier, or imported using engine sync from an engine running version 6.0.14.0 or earlier

Affected Products and Versions

This article applies to the following versions of the Delphix engine:

Continuous Data (formerly Virtualization)

The Delphix Appliance can take on one of several configurations. This table indicates affected configurations:

  Configuration        Affected
  Continuous Data      N/A
  Cloud Engine         N/A
  Continuous Vault     N/A
  Select Connectors    N/A

Continuous Compliance (formerly Masking)

All releases from 6.0.15.0 to 10.0 (inclusive).

Containerized Masking

All releases from 6.0.15.0 to 10.0 (inclusive).

Hyperscale Compliance

N/A

Data Control Tower

N/A

Delphix Compliance Services

N/A

Mitigation

None

Resolution

This issue is resolved by upgrading to DevOps Data Platform 11.0.0.0 for Continuous Compliance Engines. If you cannot upgrade to 11.0.0.0 directly, upgrade to 6.0.14.0 first and then upgrade directly to 11.0.0.0.

After upgrading to DevOps Data Platform 11.0.0.0 for Continuous Compliance Engines, re-mask any data that was masked using Segment Mapping algorithms.

Additional Information

Identifying Affected Segment Mapping Instances

To determine whether a Segment Mapping algorithm instance is affected, inspect its alpha-numeric segments:

  • In the API, look at segments with "segmentType": "MASK_ALPHANUMERIC".

  • In the UI, look at algorithm instances whose Framework is listed as SM and whose Segment Treatment is “Mask alpha-numeric”. The box following “If original values are:” is “inputValues” and the box following “Replace values with:” is “maskValues”.

Alpha-numeric segments whose “inputValues” or “maskValues” contain only digits or only letters are affected. If both “inputValues” and “maskValues” are null or the empty string (“”) in the API, or blank in the UI, everything is masked and the configuration is not affected.

[Figure 1 image: example Segment Mapping configuration]

Figure 1. inputValues is blank, implying 0-9,A-Z. maskValues needs letter(s).

[Figure 2 image: example Segment Mapping configuration]

Figure 2. If only A should be masked, 1 should be removed from maskValues. Otherwise, inputValues needs digit(s).

[Figure 3 image: example Segment Mapping configuration]

Figure 3. This is a valid configuration to only mask digits 0-4. If letters should be masked, add letter(s) to inputValues and maskValues.

[Figure 4 image: example Segment Mapping configuration]

Figure 4. This is a valid configuration to only mask A-Z. If digits should be masked, add digit(s) to inputValues.
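The identification rule above (inspect each "MASK_ALPHANUMERIC" segment; both values blank means everything is masked; a value side holding only digits or only letters marks the segment as affected) can be applied to the segment objects an engine returns instead of reading each instance by hand. The checker below is an added example, not Delphix code and not part of this bulletin. It assumes each segment is a dictionary carrying the "segmentType", "inputValues" and "maskValues" fields named above, and it assumes the value notation is the comma-separated list with ranges ("0-4", "A,1", "0-9,A-Z") used in the figures; the sample segments are constructed to mirror Figures 1 to 3 and are not real engine output.

```python
import string

# Segment type this bulletin names as the affected kind.
AFFECTED_SEGMENT_TYPE = "MASK_ALPHANUMERIC"
DIGITS = frozenset(string.digits)
LETTERS = frozenset(string.ascii_uppercase)


def is_blank(value):
    """null or "" in the API (blank in the UI) means 'everything', i.e. 0-9,A-Z."""
    return value is None or str(value).strip() == ""


def expand_values(spec):
    """Expand a value specification into the set of characters it covers.

    The comma-separated list with ranges ("0-4", "A-Z", "A,1") is an assumption
    taken from the "0-9,A-Z" notation in the bulletin's figures; a blank
    specification expands to every digit and every letter.
    """
    if is_blank(spec):
        return set(DIGITS | LETTERS)
    chars = set()
    for token in str(spec).split(","):
        token = token.strip().upper()
        if len(token) == 3 and token[1] == "-":
            chars.update(chr(c) for c in range(ord(token[0]), ord(token[2]) + 1))
        else:
            chars.update(token)
    return chars


def segment_findings(segment):
    """Return the reasons one segment is affected (an empty list means not affected)."""
    if segment.get("segmentType") != AFFECTED_SEGMENT_TYPE:
        return []
    raw_in, raw_mask = segment.get("inputValues"), segment.get("maskValues")
    if is_blank(raw_in) and is_blank(raw_mask):
        return []  # both blank: everything is masked, not an affected configuration
    reasons = []
    for field, raw in (("inputValues", raw_in), ("maskValues", raw_mask)):
        covered = expand_values(raw)
        if not covered & LETTERS:
            reasons.append(f"{field} covers no letters; add letter(s) if letters should be masked")
        if not covered & DIGITS:
            reasons.append(f"{field} covers no digits; add digit(s) if digits should be masked")
    return reasons


def find_affected_segments(segments):
    """Scan a list of segment objects; return [(index, reasons)] for each affected one."""
    results = []
    for idx, seg in enumerate(segments):
        reasons = segment_findings(seg)
        if reasons:
            results.append((idx, reasons))
    return results


# Constructed sample segments mirroring the bulletin's figures (not real engine output).
SAMPLE_SEGMENTS = [
    {"segmentType": "MASK_ALPHANUMERIC", "inputValues": None, "maskValues": None},    # everything masked
    {"segmentType": "MASK_ALPHANUMERIC", "inputValues": "", "maskValues": "0-9"},     # Figure 1
    {"segmentType": "MASK_ALPHANUMERIC", "inputValues": "A", "maskValues": "A,1"},    # Figure 2
    {"segmentType": "MASK_ALPHANUMERIC", "inputValues": "0-4", "maskValues": "0-9"},  # Figure 3
    # Placeholder type, not one of the engine's real values: shows that other segment kinds are skipped.
    {"segmentType": "OTHER_SEGMENT_TYPE_PLACEHOLDER", "inputValues": "", "maskValues": ""},
]

if __name__ == "__main__":
    for idx, reasons in find_affected_segments(SAMPLE_SEGMENTS):
        print(f"segment {idx}: affected")
        for reason in reasons:
            print("   -", reason)
```

A flagged segment is not necessarily misconfigured: Figure 3 is a deliberate digits-only configuration that is still reported, because after the upgrade it is exactly the kind of instance that needs a conscious decision (keep as is, or add letters to both sides). Treat the output as a review list, not as an automatic fix.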


inputValues and maskValues Configuration Options

The documented behavior of the Segment Mapping algorithm is to mask only what is configured in “inputValues”, replacing it with values configured in “maskValues”. In 6.0.14.0 and earlier releases, the Segment Mapping algorithm also masked values that were not explicitly specified. This undocumented behavior was removed in the 6.0.15.0 release. For compatibility with the previous behavior, Continuous Compliance 11 updates Segment Mapping algorithm configurations by adding values to the “inputValues” and “maskValues” of alpha-numeric segments. This process is performed only once, for algorithms that exist at the time of upgrade.

Segment Mapping algorithms created after upgrade to 11 will continue to require “inputValues” and “maskValues” to be configured with explicit values or null, which implies “0-9,A-Z”.

If an algorithm was created to deliberately only mask digits or only mask letters, edit the algorithm after upgrade to remove the values added by this change.

Impact on Engine Synchronization

Segment Mapping algorithms exported using Engine Synchronization from Continuous Compliance 6.0.14.0 and earlier, and then imported using Engine Synchronization into Continuous Compliance 11 or later, are not impacted.

Affected Segment Mapping algorithms exported using Engine Synchronization from Continuous Compliance 6.0.15.0 - 10 are not automatically fixed on import into 11 and will need to be manually reconfigured.

Behavior on Release 10

Engines with Segment Mapping algorithm instances should not upgrade to any affected release. Release 10 is subject to an additional issue in that existing valid Segment Mapping configurations could result in failures or errors. This additional issue is fixed in 11.

Related Documents

N/A