
KBA1364 Delphix Users May Bypass Some Access Controls

Alert Type

Security

Impact

Delphix domain users and system users may use the SFTP service to access the Delphix Engine. When using this service, authenticated users may download system and data files that they would not otherwise be permitted to access, possibly compromising confidentiality of end-user data stored on the Delphix Engine. 

Delphix domain users and system users could use the same mechanism to upload new files to the appliance that may interfere with normal operation of the appliance. However, uploading of new files cannot lead to the compromise of end-user data integrity.

Contributing Factors

The issue occurs in the following Delphix Releases:

  • Delphix Engine 3.0.0.3 and Delphix Engine 3.0.0.4
  • Delphix Engine 3.0.1.0, Delphix Engine 3.0.1.1, Delphix Engine 3.0.1.2, and Delphix 3.0.1.3
  • Delphix Engine 3.0.2.0 and Delphix Engine 3.0.2.1
  • Delphix Engine 3.0.3.0 and Delphix Engine 3.0.3.1
  • Delphix Engine 3.0.4.0 and Delphix Engine 3.0.4.1
  • Delphix Engine 3.0.5.0
  • Delphix Engine 3.1.0.1 and Delphix Engine 3.1.1.0
  • Delphix Engine 3.1.2.0

Symptoms

None

Relief/Workaround

The impact of the issue may be mitigated by disabling one or more Delphix user accounts and/or changing the password on existing accounts. The issue cannot be exploited by persons other than those with valid credentials to access the Delphix Engine. 

Resolution

The issue is addressed in Delphix Engine 3.0.6.0, Delphix Engine 3.1.2.1, and later releases.