OutSystems has identified a security flaw in one of the Service Center API endpoints.
OutSystems has assessed the impact of this vulnerability for both cloud and on-premises deployments, and across all supported stacks. The information in this communication will allow you to ascertain the level of exposure your systems may have, and how you should proceed to mitigate the threat.
This vulnerability affects all supported platform stacks.
How to Fix On-Premises Installations
OutSystems issued new versions for all supported platforms.
The fixes are available from versions 9.1.609.0 and 10.0.603.0 onwards. All clients that have yet to update their platform instances are strongly encouraged to do so.
OutSystems patched its PaaS (cloud) infrastructures in place without changing the platform version; only customers whose infrastructures could not be patched this way were notified and asked to upgrade.
More About This Vulnerability
This security flaw allows any unauthenticated user with network access to Service Center to call the internal, undocumented PingAddress API endpoint and instruct the platform to perform HTTP GET requests to an arbitrary address. In effect, Service Center becomes an open proxy: the requests are issued by the Service Center server, so the target sees the server's IP address rather than the attacker's, and the attacker can reach any address the server can. In extreme cases this flaw can crash the application server, making the platform unavailable.
Workaround for On-Premises Customers
As a workaround for on-premises installations, clients can use the Internal Network feature to restrict access to Service Center to trusted networks, so that the endpoint is no longer reachable from untrusted networks. This reduces exposure but does not remove the flaw; the fixed platform version should still be applied.
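To make the flaw and the two mitigations concrete, here is an added example (not OutSystems' own Service Center code) that shows the shape of a PingAddress-style endpoint beside a hardened handler combining the controls above: the source-network restriction of the Internal Network workaround, authentication, and a restriction on which targets the server will fetch. The function names `vulnerable_ping` and `hardened_ping`, the trusted client ranges, the allowlisted target `status.example.com` and the `RecordingFetcher` stand-in for the outbound GET are all assumptions made for the illustration.

```python
"""Added example (not OutSystems' own Service Center code): the shape of the
PingAddress-style flaw described above, beside a hardened handler that applies
the three controls a fix needs. Endpoint, parameter and network values are
assumptions made for the illustration."""
import ipaddress
from urllib.parse import urlsplit


class RecordingFetcher:
    """Constructed stand-in for the platform's outbound HTTP GET. It records
    the URL instead of touching the network so the example runs offline."""

    def __init__(self):
        self.requests = []

    def get(self, url):
        self.requests.append(url)
        return 200


def vulnerable_ping(address, fetcher):
    """Vulnerable shape: anyone who can reach the endpoint makes the server
    issue a GET to any address. The caller's own IP never reaches the target."""
    fetcher.get(address)
    return {"status": "ok"}


# Assumed values: networks allowed to reach the management endpoint (the
# on-premises "Internal Network" idea) and hosts the ping may target.
TRUSTED_CLIENT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ALLOWED_TARGETS = {"status.example.com"}


def client_is_trusted(client_ip):
    """Network restriction: only requests from trusted ranges are served."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_CLIENT_NETS)


def target_is_allowed(address):
    """Destination restriction: http(s) only, literal IPs must be globally
    routable (no loopback, RFC 1918, link-local), host must be allowlisted."""
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host = parts.hostname
    try:
        if not ipaddress.ip_address(host).is_global:
            return False  # refuses 127.0.0.1, 10.x, 169.254.x, ::1, ...
    except ValueError:
        pass  # a hostname, not a literal IP
    return host in ALLOWED_TARGETS


def hardened_ping(address, client_ip, authenticated, fetcher):
    """Fixed shape: source network, authentication and target are all checked
    before the server makes any outbound request."""
    if not client_is_trusted(client_ip):
        return {"status": "denied", "reason": "untrusted network"}
    if not authenticated:
        return {"status": "denied", "reason": "authentication required"}
    if not target_is_allowed(address):
        return {"status": "denied", "reason": "target not allowed"}
    fetcher.get(address)
    return {"status": "ok"}


if __name__ == "__main__":
    probe = "http://127.0.0.1:8080/"  # loopback on the server itself
    f = RecordingFetcher()
    print(vulnerable_ping(probe, f), f.requests)  # the request goes out
    g = RecordingFetcher()
    print(hardened_ping(probe, "198.51.100.7", False, g), g.requests)  # denied
```

The order of the checks matters: the source-network check runs first because it is the only one of the three that the workaround in this advisory provides on its own, and the target check runs last because it is the one the fixed version must enforce even for authenticated callers on a trusted network.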