TB112 Hyperscale Compliance Deployed in Kubernetes Allows Unauthenticated Access to Hyperscale Compliance APIs
Alert Type
Security
Impact
Severity (NVD): High
Delphix CVSS v3.1 Score: 8.3
Delphix CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector (AV): A
Attack Complexity (AC): L
Privileges Required (PR): N
User Interaction (UI): N
Scope (S): U
Confidentiality (C): H
Integrity (I): H
Availability (A): L
A vulnerability has been identified in Delphix Hyperscale Compliance when it is deployed in Kubernetes: the Hyperscale Compliance APIs can be accessed without authentication.
Exploitation does not require the attacker to hold any privileges for the targeted API action. An attacker with adjacent network access can invoke the Hyperscale Compliance APIs through unauthenticated API calls, allowing the execution of malicious actions or the abuse of legitimate Hyperscale Compliance functionality.
Affected Products and Versions
This article applies to the following products and versions, with the following clarifications:
- “supported releases” includes releases in Extended Support.
- Releases that are out of support are not checked for vulnerability applicability.
Hyperscale Compliance
Hyperscale Compliance releases 8.0.0 to 13.0.0 are affected when deployed in Kubernetes with no modifications to the out-of-the-box configuration file.

Affected | Configuration
---|---
8.0.0 to 13.0.0 | Kubernetes
N/A | Docker Compose
Continuous Data (formerly Virtualization)
Continuous Data has a variety of functional deployments. Depending on the deployment you’re using, the impact may differ.
Affected | Configuration
---|---
N/A | Continuous Data
N/A | Cloud Engine
N/A | Continuous Vault
Continuous Compliance (formerly Masking)
N/A
Data Control Tower
N/A
Delphix Compliance Services
N/A
Mitigation
None
Resolution
This issue is fully resolved in the Hyperscale Compliance 14.0.0 release and later releases.
Additional Information
- N/A