
 

October 31, 2018 Vulnerability RPD-3384: Database Image Endpoint Vulnerability

 

OutSystems


Overview

In July 2018, OutSystems became aware of a vulnerability in an endpoint used to retrieve images from the database: more precisely, _image.aspx.cs on .NET stacks and _image.java on Java stacks.

OutSystems has assessed the impact and risk of this vulnerability for both cloud and on-premises deployments across all supported stacks and classified it accordingly using the CVSS 3.0 scoring system.

The information in this communication will allow you to ascertain the level of exposure your systems may have, and how you should proceed to mitigate the threat.

 

Technology Stacks

This vulnerability affects all supported platform stacks.

 

Vulnerability Risk

Base Score: 8.7 (High)

Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

 

How to Fix On-Premises Installations

OutSystems issued new versions of the platform that address this vulnerability.

The fixes are available from version 10.0.828.0 onwards.

Exceptionally, OutSystems also produced a fix for version 9.1 of the platform. The version containing the fix is 9.1.616.0.

All clients that have yet to update their platform instances are strongly encouraged to do so.
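
The version thresholds above can be applied to an inventory of environments to see which ones still need the update. The following Python sketch is an added example, not OutSystems code; the environment names and status labels are hypothetical, and it assumes that 9.1 builds later than 9.1.616.0 retain the fix.

```python
import re

# Fixed releases stated in the advisory.
FIX_MAIN = (10, 0, 828, 0)   # "from version 10.0.828.0 onwards"
FIX_9_1 = (9, 1, 616, 0)     # exceptional fix for the 9.1 branch

_VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Map a platform version string to a triage status (labels are hypothetical)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"                 # unparseable: check the environment manually
    if version >= FIX_MAIN:
        return "fixed"
    if version[:2] == (9, 1):
        # Assumption: 9.1 builds after 9.1.616.0 keep the fix.
        return "fixed" if version >= FIX_9_1 else "vulnerable"
    if version[:2] == (10, 0):
        return "vulnerable"              # 10.0 build older than 10.0.828.0
    # The advisory lists no fix for this branch: plan an upgrade to 10.0.828.0+.
    return "vulnerable-no-branch-fix"

def triage(inventory):
    """Return {status: [environment names]} for a {name: version} inventory."""
    report = {}
    for name, version_text in sorted(inventory.items()):
        report.setdefault(classify(version_text), []).append(name)
    return report

# Constructed sample inventory (environment names and versions are made up).
SAMPLE = {
    "dev": "10.0.827.0", "qa": "10.0.828.0",
    "prod": "9.1.616.0", "legacy": "9.1.603.0",
    "archive": "9.0.1.58", "lab": "n/a",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names)}")
```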

 

OutSystems Cloud

OutSystems notified cloud customers and updated all cloud infrastructures to version 10.0.828.0 or higher.

 

More About This Vulnerability

This vulnerability is present when a module uses an Image Widget fetching images from an Entity with an Integer or Long Integer identifier. Entities with Text identifiers are not affected by this vulnerability.

In this situation, it is possible for an unauthenticated attacker to inject a SQL query into the generated image endpoint and retrieve any data from the database.

 

The following System Components are installed by OutSystems by default and contain a vulnerable endpoint:

  • ServiceCenter

  • ECT_Provider

  • LifeTime (not present in all environments)

 

Workaround for On-Premises Customers

A Platform upgrade is strongly advised.

If you cannot upgrade, we advise you to use the OutSystems Zones feature to avoid deploying any vulnerable System Component to publicly facing websites. This option is not available on the OutSystems Cloud.