December 12, 2019 Vulnerability RPD-4310

 

Overview

OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the Availability and Integrity of the data handled and stored by the OutSystems Platform.

The exploitation of this vulnerability will not compromise the Confidentiality of your data.

OutSystems does not have any indication or reason to believe that this vulnerability has been exploited in the wild.

Technology Stacks

This vulnerability affects all supported platform stacks.

Vulnerability Risk

Base Score: 7.2 (High)

Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

How to Fix On-Premises Installations

OutSystems will release new versions of the platform to address this vulnerability.

OutSystems 10

This vulnerability is fixed in version 10.0.1021.0 and all subsequent versions.

For OutSystems PaaS (Cloud), OutSystems will update all customers to version 10.0.1021.0.

OutSystems 11

The vulnerability is fixed in Release OCT.19 CP6 and version 11.7.2.

For OutSystems PaaS (Cloud) customers, OutSystems will update the platform to Release OCT.19 CP6.

Workaround

There is no workaround. We strongly advise updating to the versions mentioned above.

More About This Vulnerability

OutSystems will release details about this vulnerability during March 2020.

FAQ 

By exploiting this vulnerability, can an attacker access my data?

No. By exploiting this vulnerability, an attacker will be able to compromise the integrity and availability of the data, but not its confidentiality.

Has this vulnerability been exploited in the wild?

OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.

What do I need to do?

Update your OutSystems Platform to the applicable version mentioned above.

For Cloud Customers, OutSystems will update the platform for you.

After updating, you will need to do a full factory republish.

Will OutSystems share any more information about this vulnerability?

In order to protect its Customers, OutSystems will not provide any additional information about this vulnerability before March 2020.

Who can I talk to about this?

If you have any questions, contact your Customer Success Manager. If you don’t have a Customer Success Manager, contact us via our support channels.