OutSystems issued a security update that resolves a vulnerability when using LDAP Authentication with OutSystems Platform running on Java.
The vulnerability causes Service Center and Lifetime to accept empty passwords as valid. If Service Center is configured to authenticate against LDAP using LDAPAuthProvider this allows attackers to authenticate with any user without a password.
OutSystems Applications do not accept empty passwords by default on interactive user logins. You may be at risk if you're using basic authentication in REST web services, or in code where your application doesn't check the size of the password passed to the User_Login action.
The problem happens because of a specificity in LDAP authentication. When using an empty password when authenticating against an LDAP server, there is no error, which the OutSystems Platform was expecting to determine if authentication failed. The fix follows best-practices in LDAP authentication verification and simply does not allow empty passwords to be specified.
How it affects platform stacks
This does not affect .NET customers.
This affects Java customers up to and including 126.96.36.199, 188.8.131.52, and 9.1.501.0 .
Service Center and LifeTime are not affected in the OutSystems Cloud. Customers in the Java stack should check their applications for usage of LDAP Authentication.
HIGH. It's possible to authenticate with privileged users (admin) without a password.
Action items for customers
Java customers using LDAPAuthProvider should immediately apply the quick fix below, as the vulnerability allows attackers to authenticate with ANY user in ServiceCenter. Customers who are unsure if they are affected should also apply the fix, as it has no side-effects.
Apply this quick fix to immediately address the vulnerability.
The quick fix is delivered as an extension and is valid for all Maintenance Updates within the supported OutSystems Platform major versions.
To download the quick fix, choose your OutSystems major version from the list below:
To apply the quick fix, follow these steps, in each of your environments:
- Publish the extension in Service Center
- Republish an "all content" solution
What OutSystems is doing
OutSystems produced the quick fix described above, which you should apply to immediately resolve the vulnerability.
OutSystems will also include this quick fix in the next Maintenance Updates of the OutSystems Platform, scheduled for the following dates:
- 8.0 - September 16
- 9.0 - July 29
- 9.1 - August 12