Skip to main content

TB108 Upgraded Segment Mapping Algorithms May Leave Values Unmasked




Alert Type



Severity (NVD): Medium

Delphix CVSS v3.1 Score:  5.0

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): N

Scope (S): C

Confidentiality (C): L

Integrity (I): N

Availability (A): N


Delphix Continuous Compliance versions from to 10 unintentionally changed the behavior of some Segment Mapping instances. Specifically, Segment Mapping instances that previously masked both letters and digits might mask only digits, or only letters, potentially resulting in data being unexpectedly and silently left unmasked.

In order to be affected by this issue, a Continuous Compliance engine must:

  1. Be running versions through 10

  2. Be using one or more Segment Mapping algorithm instances; these algorithm instances will have their Framework listed as SM in the Settings>Algorithm screen

  3. The configuration for these Segment Mapping instances must have been created on version or earlier, or imported using engine sync from an engine running version or earlier

Affected Products and Versions

This article applies to the following versions of the Delphix engine:

Continuous Data (formerly Virtualization)

The Delphix Appliance can take on one of several configurations. This table indicates affected configurations:


Affected Configuration
N/A Continuous Data
N/A Cloud Engine
N/A Continuous Vault

Select Connectors


Continuous Compliance (formerly Masking)

All releases from to 10.0 (inclusive).

Containerized Masking

All releases from to 10.0 (inclusive).

Hyperscale Compliance


Data Control Tower


Delphix Compliance Services





Customers should upgrade to 11. If they cannot upgrade to 11 directly, then they should upgrade to first and then upgrade directly to 11.

After upgrading to release 11, customers using Segment Mapping algorithms are advised to re-mask any data.

Additional Information

Identifying Affected Segment Mapping Instances

To determine if a Segment Mapping algorithm instance is affected, inspect the Segment Mapping alpha-numeric segments: 

  • In the API, look at segments with "segmentType": "MASK_ALPHANUMERIC".

  • In the UI, look at algorithm instances with Framework listed as SM with Segment Treatment “Mask alpha-numeric”. The box following “If original values are:” is “inputValues” and the box following “Replace values with:” is “maskValues”.


Alpha-numeric segments with “inputValues” or “maskValues” that only contain digits or only letters are affected. If both “inputValues” and “maskValues” are null or empty string (“”) in the API, or blank in the UI, everything is masked and this is not an affected configuration.



Figure 1. inputValues is blank, implying 0-9,A-Z. maskValues needs letter(s).

Figure 2. If only A should be masked, 1 should be removed from maskValues. Otherwise, inputValues needs digit(s).



Figure 3. This is a valid configuration to only mask digits 0-4. If letters should be masked, add letter(s) to inputValues and maskValues.

Figure 4. This is a valid configuration to only mask A-Z. If digits should be masked, add digit(s) to inputValues.


inputValues and maskValues Configuration Options

The documented behavior of the Segment Mapping algorithm is to only mask what is configured in “inputValues” to values configured in “maskValues”. In and earlier releases, the Segment Mapping algorithm masked values that were not explicitly specified. This undocumented behavior was removed in the release. For compatibility with the previous behavior, Continuous Compliance 11 updates Segment Mapping algorithm configurations by adding values to the “inputValues” and “maskValues” of alpha-numeric segments. This process is only performed once to algorithms that exist during upgrade.

Segment Mapping algorithms created after upgrade to 11 will continue to require “inputValues” and “maskValues” to be configured with explicit values or null, which implies “0-9,A-Z”.

If an algorithm was created to deliberately only mask digits or only mask letters, edit the algorithm after upgrade to remove the values added by this change.

Impact on Engine Synchronization

Segment Mapping algorithms exported using Engine Synchronization from Continuous Compliance, and earlier, and then imported using Engine Synchronization to Continuous Compliance 11 or later, are not impacted.

Affected Segment Mapping algorithms exported using Engine Synchronization from Continuous Compliance - 10 are not automatically fixed on import into 11 and will need to be manually reconfigured.

Behavior on Release 10

Engines with Segment Mapping algorithm instances should not upgrade to any affected release. Release 10 is subject to an additional issue in that existing valid Segment Mapping configurations could result in failures or errors. This additional issue is fixed in 11.

Related Documents