OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the Availability and Integrity of the data handled and stored by the OutSystems Platform.
Exploitation of this vulnerability does not compromise the confidentiality of your data.
OutSystems does not have any indication or reason to believe that this vulnerability has been exploited in the wild.
This vulnerability affects all supported platform stacks.
Base Score: 7.6 (High)
Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L
How to Fix On-Premises Installations
OutSystems will release new versions of the platform to address this vulnerability.
This vulnerability is fixed in version 10.0.1016.0 and all subsequent versions.
For OutSystems PaaS (Cloud), we will update all customers to version 10.0.1020.0.
The vulnerability is fixed in Release OCT.19 CP4 and all subsequent versions.
For OutSystems PaaS (Cloud) customers, OutSystems will update the platform to Release OCT.19 CP5.
There is no workaround; we strongly advise updating to the versions listed above.
More About This Vulnerability
This vulnerability resides in the mechanism used by the OutSystems Platform to validate developer permissions. By exploiting this vulnerability, a Developer with the “Reuse & Monitor” role is able to use the advanced query feature of Service Studio to corrupt or delete the data in the database.
Can an attacker access my data by exploiting this vulnerability?
No. By exploiting this vulnerability an attacker will be able to compromise the integrity and availability of the data but not the confidentiality.
Has this vulnerability been exploited in the wild?
OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
What do I need to do?
Update your OutSystems Platform to whichever of the versions listed above applies to you.
For Cloud Customers, OutSystems will update the platform for you.
After updating, you will need to do a full factory republish.
Will OutSystems share any more information about this vulnerability?
In order to protect its Customers, OutSystems will not provide any additional information about this vulnerability before March 2020.
Who can I talk to about this?
If you have any questions, contact your Customer Success Manager. If you don’t have a Customer Success Manager, contact us via our support channels.