
TB109 Sysadmin May Be Able to Execute Arbitrary Commands on the Underlying Operating System




Alert Type



Severity (NVD): High

Delphix CVSS v3.1 Score: 9.0

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): H

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): L


A user with Delphix System Administrator (SYSADMIN) privileges may, under certain circumstances, be able to execute arbitrary commands on the underlying operating system. This security bug was discovered internally by Delphix security testing processes.

Exploitation of this vulnerability could result in viewing or tampering with the Delphix configuration data about connected hosts and databases, or the underlying operating system.

Affected Products and Versions

Continuous Data (formerly Virtualization)

Continuous Data has a variety of functional deployments. Depending on the deployment you’re using, the impact may differ.



Continuous Data


Cloud Engine


Continuous Vault


All releases from to (inclusive).

Continuous Compliance (formerly Masking)

All releases from to (inclusive) for the virtual appliance deployment model.

N/A for the containerized deployment model.

Hyperscale Compliance


Data Control Tower


Delphix Compliance Services



Delphix highly recommends upgrading to if an engine is on an affected release. The following mitigation advice is provided in cases where an upgrade is not immediately practical:

Follow common industry good practices around principles of least privilege and privileged access management.

Apply the following standard security practices to minimize the likelihood of abuse of this vulnerability:

  1. Ensure that the Delphix DevOps Data Platform is deployed on a controlled-access network and that only appropriately privileged personnel have access to the network and to the Delphix Engine management interfaces.

  2. Use IdP users to facilitate separation of duties, least privilege, and auditing. Disable the out-of-the-box generic SYSADMIN account as described in the User Management section of the documentation.

  3. If the built-in SYSADMIN account remains enabled, ensure that the credential is managed under a Privileged Access Management procedure.


The issue is resolved in DevOps Data Platform and later releases for Continuous Compliance Engines and Continuous Data Engines.

Additional Information