2019-05-14 - Security Issue - ServiceCenter and Lifetime authentication bypass

OutSystems

Overview

In February 2019, OutSystems became aware of a vulnerability in ServiceCenter and Lifetime. Using the CVSS 3.0 scoring system, OutSystems has assessed the impact and risk of this vulnerability for cloud and on-premises platform deployments across all supported stacks and classified it accordingly.

You can use the information in this communication to ascertain your systems' level of exposure and determine how to proceed to mitigate the threat.

Technology Stacks

This vulnerability affects all supported platform stacks.

Vulnerability Risk

Base Score: 7.1 (High)

Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

How to Fix On-Premises Installations

OutSystems issued new versions of the platform that address this vulnerability.

OutSystems 10

This vulnerability is fixed for version 10.0.1005.2 and all subsequent versions.

For OutSystems PaaS (Cloud) customers we’ve applied the security fix for 10.0.1005.1 and all subsequent versions.

OutSystems 11

The vulnerability is fixed for version 11.0.212.0 and all subsequent versions.

For OutSystems PaaS (Cloud) customers we've applied the security fix to all O11 versions.

All customers who have yet to update their platform instances are strongly encouraged to do so.

OutSystems Cloud

OutSystems notified cloud customers and updated or applied a patch to all supported cloud infrastructures.

The environments were patched without requiring a Platform Server version update.

Workaround for On-Premises Customers

A platform upgrade is strongly advised. If you are unable to upgrade, we advise you to restrict access to ServiceCenter and Lifetime to trusted IPs only, by enabling the Internal Network capabilities.

More About This Vulnerability

Some ServiceCenter and Lifetime pages were not properly protected from unauthenticated access, which means that an unauthenticated attacker could access certain parameters or the mobile application compilation configuration.