Skip to main content
Delphix

TB046 JMX Port Vulnerability for Delphix Masking

 

 

Alert Type

Security
Severity Level: High
CVSS Score: 8.8 based on


Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

 

Affected Software

The issue affects the following Delphix Releases:

Delphix Engine 5.2.2.0 and 5.2.2.1
Delphix Engine 5.2.3.0 and 5.2.3.1
Delphix Engine 5.2.4.0

Impact

This vulnerability requires the Delphix Masking Engine to be running on the Delphix Appliance with TCP port 9011 open.

The Java Management Extensions (JMX) framework is a technology for managing Java applications. An application supporting JMX may be configured to allow connections from either local clients running on the same operating system host or remote clients connecting over a network.

In the affected software releases, a remote attacker can establish a JMX session with the Delphix Masking Engine. The remote attacker may exploit this vulnerability to compromise sessions, execute remote commands, and/or inject malicious code. To perform this targeted attack, the attacker must be able to scan open TCP ports on the Masking Engine, redirect JMX protocol connections using TCP port forwarding on the remote host, and have knowledge of how to manipulate JMX resources.

This vulnerability might expose sensitive data stored or processed by the Masking Engine. For this reason, Delphix highly recommends changing database connector, file connector, and Masking Engine account credentials which may have been compromised due to this vulnerability. It’s a best practice to not share login credentials amongst multiple platforms. If you have passwords shared between a susceptible Delphix Masking Engine and other systems, please be sure to update all such passwords.

Delphix is not aware of any instances of this vulnerability being exploited.

To determine if the masking feature is enabled on a susceptible Delphix Engine:

  • Use a port scanner to determine if port 9011 is open

  • Telnet to the Delphix appliance on port 9011. If the connection is not refused, then the port is open.

  • Use a browser to navigate to port 8282, e.g. http://<ip address or hostname>:8282. If the masking UI appears on a susceptible release version, then the system is vulnerable

Symptoms

None

Relief/Workaround

If a Delphix Appliance is not being used to perform masking (i.e., the appliance is being used for database virtualization), then the Masking Engine should be turned off. This can be done using the “sysadmin” user’s command line interface (CLI) as shown:

ssh sysadmin@yourhost.example.com
yourhost > system
yourhost > stopMasking
yourhost > commit
yourhost > exit

Further deterrence can be implemented through the use of firewalls or ACLs to block incoming traffic to TCP Port 9011 on the network and to the Delphix Masking Appliance. Port 9011 is not required for the full functionality of the product. This will not interfere with Masking operations or any product functionality.

Resolution

The issue is fully resolved in our next minor release, 5.2.5.0, which is targeted for release in the later half of June.

For immediate remediation contact Delphix Customer Support to schedule installation of a hotfix.