Vulnerability RICT-2855
Overview
OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the integrity and availability of a development workstation.
Vulnerability risk
Base Score: 8.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Communication
To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the embargo phase.
- Embargo phase: This vulnerability was first published on December 2, 2020.
- Public disclosure: Full details on this vulnerability were disclosed on March 3, 2021.
Vulnerability details
This vulnerability resides in the extension verification capability of Integration Studio. An attacker able to perform a man-in-the-middle (MitM) attack between the developer's workstation and the server it downloads from could downgrade the connection and cause the developer to download and execute a malicious payload on the workstation.
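The advisory does not describe how the fixed release verifies extensions, so the following is an added, generic illustration of the two client-side checks that defeat the attack class described above: refusing any hop that leaves HTTPS (the downgrade) and comparing the downloaded package against a pinned SHA-256 digest before anything is executed. It is not OutSystems code; the URL, the package bytes, the pinned digest and the three fake servers are constructed for the demo, and the network call is injected so the logic runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlparse


class DownloadRejected(Exception):
    """Raised when a download fails a transport or integrity check."""


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


# fetch(url) -> Response. Injected so the verification logic can be exercised
# offline against fake servers; a real client would wrap an HTTPS library here.
Fetcher = Callable[[str], Response]


def fetch_verified(url: str, expected_sha256: str, fetch: Fetcher,
                   max_redirects: int = 3) -> bytes:
    """Return the package bytes only if every hop stayed on HTTPS and the
    SHA-256 of the body matches the digest pinned by the client."""
    for _ in range(max_redirects + 1):
        # Transport check: a redirect (or a typo) to plain HTTP is the downgrade.
        if urlparse(url).scheme != "https":
            raise DownloadRejected(f"refusing non-HTTPS URL: {url}")
        resp = fetch(url)
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.headers.get("Location")
            if not location:
                raise DownloadRejected("redirect without Location header")
            url = location  # loop re-checks the scheme, so https -> http is refused
            continue
        if resp.status != 200:
            raise DownloadRejected(f"unexpected HTTP status {resp.status}")
        # Integrity check: constant-time comparison against the pinned digest.
        digest = hashlib.sha256(resp.body).hexdigest()
        if not hmac.compare_digest(digest, expected_sha256.lower()):
            raise DownloadRejected("SHA-256 mismatch: package modified in transit "
                                   "or not the expected build")
        return resp.body
    raise DownloadRejected("too many redirects")


# Constructed sample package and pinned digest (not a real OutSystems artifact).
GOOD_PACKAGE = b"PK\x03\x04constructed-extension-package"
PINNED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()
ORIGIN = "https://updates.example.invalid/extension.zip"  # hypothetical URL


def honest_server(url: str) -> Response:
    """Fake server that returns the genuine package."""
    return Response(200, {}, GOOD_PACKAGE)


def mitm_downgrade(url: str) -> Response:
    """Fake MitM: answers the HTTPS request with a redirect to plain HTTP,
    then serves a trojaned package on the cleartext connection."""
    if url.startswith("https://"):
        return Response(302, {"Location": "http://" + url[len("https://"):]}, b"")
    return Response(200, {}, GOOD_PACKAGE + b"-trojaned")


def mitm_tamper(url: str) -> Response:
    """Fake MitM: keeps the URL intact but swaps the body."""
    return Response(200, {}, GOOD_PACKAGE + b"-trojaned")


def outcome(fetch: Fetcher) -> str:
    """'accepted', or 'rejected: <reason>' for the given (fake) server."""
    try:
        fetch_verified(ORIGIN, PINNED_SHA256, fetch)
        return "accepted"
    except DownloadRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, server in [("honest", honest_server),
                         ("downgrade", mitm_downgrade),
                         ("tamper", mitm_tamper)]:
        print(f"{name:10s} -> {outcome(server)}")
```

The order of the checks matters: the scheme is re-examined on every redirect, so an attacker who controls the first HTTPS response (for example through a compromised proxy) cannot steer the client onto cleartext, and even a body served over HTTPS is rejected unless it hashes to the value the client already trusts. Pinning the digest (or a signature) in the client is what removes the server, and the path to it, from the trust decision.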
Components and stacks
This vulnerability affects all Integration Studio 11 versions.
Protecting your OutSystems installation
OutSystems issued release Development Environment 11.9.1 that addresses this vulnerability. All developers who have yet to update their Development Environment are strongly encouraged to do so.
This vulnerability doesn't affect Integration Studio installed on the Platform Server; therefore, the only action needed is for developers to update their own Development Environment to the latest release.
Workaround
There is no workaround. We strongly advise you to update to the above-mentioned version.
FAQs
| Question | Answer |
|---|---|
| By exploiting this vulnerability can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will, in time, have access to data stored in your workstation. |
| What do I need to do? | Update your OutSystems Development Environment to the above-mentioned version. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels. |