January 15, 2018 - Vulnerability RPD-2322: PingAddress allows unauthenticated access

Overview

OutSystems has identified a security flaw in one of the Service Center API endpoints.

OutSystems has assessed the impact of this vulnerability for both cloud and on-premises deployments, and across all supported stacks. The information in this communication will allow you to ascertain the level of exposure your systems may have, and how you should proceed to mitigate the threat.

Technology Stacks

This vulnerability affects all supported platform stacks.

How to Fix On-Premises Installations

OutSystems issued new versions for all supported platforms.

The fixes are available from versions 9.1.609.0 and 10.0.603.0 onwards. All clients that have yet to update their platform instances are strongly encouraged to do so.

OutSystems Cloud

OutSystems patched the PaaS infrastructures in place, without a version upgrade; only customers whose infrastructures could not be patched were notified to upgrade.

More About This Vulnerability

This security flaw allows any unauthenticated user with network access to Service Center to use the internal undocumented PingAddress API endpoint to instruct the platform to perform HTTP GET requests to arbitrary addresses. By exploiting this flaw an attacker can use Service Center as a proxy to perform HTTP requests to an arbitrary address, while masking the source IP address. In extreme cases this flaw can crash the application server, causing the platform to be unavailable.

Workaround for On-Premises Customers

As a workaround for on-premises installations, clients can use the Internal Network feature to limit access to Service Center to trusted networks.
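The two passages above describe an unauthenticated endpoint that proxies HTTP GET requests and a network-restriction workaround. The following Python script is an added example, not OutSystems code, that shows how an operator can triage web-server access logs for requests hitting the PingAddress endpoint and separate those from trusted (internal) networks, mirroring what the Internal Network feature enforces, from those arriving from outside. The request path (/ServiceCenter/PingAddress), the simplified log format, the TRUSTED_NETWORKS ranges and the log lines themselves are all constructed assumptions; the advisory does not publish the endpoint's exact path, so adjust PATH_MARKER to what your own logs show.

```python
"""Triage access logs for hits on the Service Center PingAddress endpoint.

Added example, not OutSystems code. Labelled assumptions:
- the request path contains the token "PingAddress" (the advisory does not publish
  the exact path; PATH_MARKER is a placeholder to adjust to your own logs);
- logs use a simplified combined format:
  <client_ip> [timestamp] "METHOD path HTTP/1.1" status
- TRUSTED_NETWORKS stands in for the ranges you would allow via the Internal Network feature.
"""
import ipaddress
import re
from typing import Dict, List, Optional

PATH_MARKER = "PingAddress"  # assumption: the endpoint path contains this token

# Assumed trusted ranges; replace with the CIDRs configured in the Internal Network feature.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical path and addresses, not from any real system).
SAMPLE_LOG = """\
10.1.2.3 [15/Jan/2018:09:00:01 +0000] "GET /ServiceCenter/PingAddress?address=http://intranet.example/ HTTP/1.1" 200
203.0.113.7 [15/Jan/2018:09:00:05 +0000] "GET /ServiceCenter/PingAddress?address=http://203.0.113.50/ HTTP/1.1" 200
203.0.113.7 [15/Jan/2018:09:00:06 +0000] "GET /ServiceCenter/PingAddress?address=http://198.51.100.9/ HTTP/1.1" 200
198.51.100.20 [15/Jan/2018:09:01:00 +0000] "GET /ServiceCenter/Login HTTP/1.1" 200
"""


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the trusted internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, List[dict]]:
    """Collect PingAddress hits, split into 'external' (alert) and 'internal' (review only)."""
    findings: Dict[str, List[dict]] = {"external": [], "internal": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or PATH_MARKER not in rec["path"]:
            continue
        bucket = "internal" if is_trusted(rec["ip"]) else "external"
        findings[bucket].append(rec)
    return findings


def summarize(findings: Dict[str, List[dict]]) -> Dict[str, int]:
    """Count external hits per source IP so that repeated proxy use stands out."""
    counts: Dict[str, int] = {}
    for rec in findings["external"]:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in summarize(result).items():
        print(f"ALERT: {n} PingAddress request(s) from untrusted source {ip}")
    print(f"{len(result['internal'])} request(s) from trusted networks (review only)")
```

Any external hit is evidence that Service Center was reachable from an untrusted network, which is exactly what the Internal Network workaround and the fixed versions are meant to rule out; hits from trusted ranges still deserve a look, since the endpoint required no authentication.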