Delphix

TB109 Sysadmin May Be Able to Execute Arbitrary Commands on the Underlying Operating System

Alert Type

Security

Impact

Severity (NVD): High

Delphix CVSS v3.1 Score: 9.0

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): H

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): L

A user with Delphix System Administrator (SYSADMIN) privileges may, under certain circumstances, be able to execute arbitrary commands on the underlying operating system. This security bug was discovered internally by Delphix security testing processes.

Exploitation of this vulnerability could result in viewing or tampering with the Delphix configuration data about connected hosts and databases, or the underlying operating system.

Affected Products and Versions

Continuous Data (formerly Virtualization)

Continuous Data has a variety of functional deployments. Depending on the deployment you’re using, the impact may differ.

Configuration      Affected
Continuous Data    Yes
Cloud Engine       Yes
Continuous Vault   Yes

All releases from 6.0.13.0 to 11.0.0.0 (inclusive).

Continuous Compliance (formerly Masking)

All releases from 6.0.13.0 to 11.0.0.0 (inclusive) for the virtual appliance deployment model.

N/A for the containerized deployment model.

Hyperscale Compliance

N/A

Data Control Tower

N/A

Delphix Compliance Services

N/A

Mitigation

Delphix highly recommends upgrading to 12.0.0.0 if an engine is on an affected release. The following mitigation advice is provided in cases where an upgrade is not immediately practical:

Follow common industry good practices around principles of least privilege and privileged access management.

You can take steps to apply standard security good practice to minimize the likelihood of abuse of this vulnerability:

  1. Ensure that the Delphix DevOps Data Platform is deployed on a controlled access network and that only appropriately privileged personnel have access to the network and Delphix Engine management interfaces.

  2. Use IdP users to facilitate separation of duties, least privilege, and auditing. Disable the out-of-the-box generic SYSADMIN account as described in the User Management section of the documentation.

  3. If the built-in SYSADMIN account remains enabled, ensure that the credential is managed under a Privileged Access Management procedure.

Resolution

The issue is resolved in DevOps Data Platform 12.0.0.0 and later releases for Continuous Compliance Engines and Continuous Data Engines.
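
The following Python script is an added example, not part of the Delphix advisory: it triages an engine inventory against the affected release range and deployment models stated above. The inventory rows, host names and the `triage` and `report` function names are constructed for illustration, and it assumes you already have each engine's product, deployment model and four-part version string.

```python
import re

# Values taken from the advisory text.
AFFECTED_MIN = (6, 0, 13, 0)   # first affected release
AFFECTED_MAX = (11, 0, 0, 0)   # last affected release (inclusive)
NOT_APPLICABLE = {"hyperscale compliance", "data control tower",
                  "delphix compliance services"}

def parse_version(text):
    """Return (a, b, c, d) for an 'a.b.c.d' release string, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def triage(product, deployment, version):
    """Classify one engine as 'affected', 'not affected' or 'review'."""
    prod, dep = product.strip().lower(), deployment.strip().lower()
    if prod in NOT_APPLICABLE:
        return "not affected"
    if prod == "continuous compliance":
        if dep == "containerized":
            return "not affected"          # N/A per the advisory
        if dep != "virtual appliance":
            return "review"                # unknown deployment model
    elif prod != "continuous data":
        return "review"                    # product not listed in the advisory
    parsed = parse_version(version)
    if parsed is None:
        return "review"                    # unparseable version: check by hand
    # Tuple comparison is numeric per component, so 6.0.9.0 < 6.0.13.0.
    in_range = AFFECTED_MIN <= parsed <= AFFECTED_MAX
    return "affected" if in_range else "not affected"

# Constructed sample inventory: (host, product, deployment, version).
INVENTORY = [
    ("de-prod-01", "Continuous Data", "Cloud Engine", "8.0.2.0"),
    ("de-prod-02", "Continuous Data", "Continuous Vault", "12.0.0.0"),
    ("mask-01", "Continuous Compliance", "virtual appliance", "11.0.0.0"),
    ("mask-k8s", "Continuous Compliance", "containerized", "9.0.0.0"),
    ("dct-01", "Data Control Tower", "", "10.0.0.0"),
    ("de-lab-03", "Continuous Data", "Continuous Data", "6.0.9.0"),
    ("de-lab-04", "Continuous Data", "Continuous Data", "6.0.x"),
]

def report(inventory):
    """Map each host name to its triage result."""
    return {host: triage(p, d, v) for host, p, d, v in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:<12} {status}")
```

Engines reported as `review` have a product, deployment model or version string the script cannot match to the advisory and should be checked by hand.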

Additional Information