Severity Level: High
CVSS Score: 8.8 based on
Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
The issue affects the following Delphix Releases:
Delphix Engine 126.96.36.199 and 188.8.131.52
Delphix Engine 184.108.40.206 and 220.127.116.11
Delphix Engine 18.104.22.168
This vulnerability requires the Delphix Masking Engine to be running on the Delphix Appliance with TCP port 9011 open.
The Java Management Extensions (JMX) framework is a technology for managing Java applications. An application supporting JMX may be configured to allow connections from either local clients running on the same operating system host or remote clients connecting over a network.
In the affected software releases, a remote attacker can establish a JMX session with the Delphix Masking Engine. The remote attacker may exploit this vulnerability to compromise sessions, execute remote commands, and/or inject malicious code. To perform this targeted attack, the attacker must be able to scan open TCP ports on the Masking Engine, redirect JMX protocol connections using TCP port forwarding on the remote host, and have knowledge of how to manipulate JMX resources.
This vulnerability might expose sensitive data stored or processed by the Masking Engine. For this reason, Delphix highly recommends changing database connector, file connector, and Masking Engine account credentials which may have been compromised due to this vulnerability. It’s a best practice to not share login credentials amongst multiple platforms. If you have passwords shared between a susceptible Delphix Masking Engine and other systems, please be sure to update all such passwords.
Delphix is not aware of any instances of this vulnerability being exploited.
To determine if the masking feature is enabled on a susceptible Delphix Engine:
Use a port scanner to determine if port 9011 is open
Telnet to the Delphix appliance on port 9011. If the connection is not refused, then the port is open.
Use a browser to navigate to port 8282, e.g. http://<ip address or hostname>:8282. If the masking UI appears on a susceptible release version, then the system is vulnerable
If a Delphix Appliance is not being used to perform masking (i.e., the appliance is being used for database virtualization), then the Masking Engine should be turned off. This can be done using the “sysadmin” user’s command line interface (CLI) as shown:
yourhost > system
yourhost > stopMasking
yourhost > commit
yourhost > exit
Further deterrence can be implemented through the use of firewalls or ACLs to block incoming traffic to TCP Port 9011 on the network and to the Delphix Masking Appliance. Port 9011 is not required for the full functionality of the product. This will not interfere with Masking operations or any product functionality.
The issue is fully resolved in our next minor release, 22.214.171.124, which is targeted for release in the later half of June.
For immediate remediation contact Delphix Customer Support to schedule installation of a hotfix.