OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, integrity, and availability of a development workstation.
Base Score: 7.9 (High)
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
To understand the phases involved in the process, how, and when we communicate, check this article. This vulnerability is currently on the embargo phase.
- Embargo phase: This vulnerability was first communicated to all customers on January 20, 2021.
- Public disclosure: Full details on this vulnerability were published on 7 April, 2021.
A vulnerability was found in Integrated Studio where the connection responsible for downloading an upgrade package was being performed via insecure transport (HTTP), making it prone to spoofing that same package. Such could be leveraged for workstation infection.
Components & stacks
This vulnerability affects all OutSystems 11 Integration Studio versions.
Protecting your OutSystems installation
OutSystems issued release Development Environment 11.8.4 that addresses this vulnerability. All customers who have yet to update Integration Studio are strongly encouraged to do so.
There is no workaround, we strongly advise you to update to the above mentioned versions.
|By exploiting this vulnerability can an attacker access my data?||Yes. By exploiting this vulnerability, an attacker will have access to data stored in your workstation.|
|What do I need to do?||Update your OutSystems Development Environment to the above-mentioned version.|
|Who can I talk to about this?||If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.|