OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, availability, and integrity of the data handled and stored by the OutSystems Platform.
OutSystems does not have any indication or reason to believe that this vulnerability has been exploited in the wild.
This vulnerability affects all supported Platform stacks.
To understand the phases involved in the process, how and when we communicate, check this article.
- Embargo phase: This vulnerability was first communicated to all customers on January 15, 2018
- Public disclosure: Full details on this vulnerability were disclosed.
A security flaw was identified in one of the Service Center API endpoints. It allows any unauthenticated user with network access to Service Center to use the internal undocumented PingAddress API endpoint to instruct the Platform to perform HTTP GET requests to arbitrary addresses. By exploiting this flaw an attacker can use Service Center as a proxy to perform HTTP requests to an arbitrary address, while masking the source IP address. In extreme cases this flaw can crash the application server, causing the Platform to be unavailable.
Protecting your OutSystems Platform
OutSystems patched the PaaS infrastructures in place, without a version upgrade; only the customers whose infrastructures could not be patched were notified to upgrade.
OutSystems issued new releases of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.
This vulnerability is fixed in Platform Server versions 9.1.609.0 and all subsequent releases.
This vulnerability is fixed in Platform Server versions 10.0.603.0 and all subsequent releases.
OutSystems 11 was not affected.
For on-premises installations, you can use the Internal Network feature and limit access to Service Center to trusted networks.
OutSystems PaaS infrastructures do not require any workaround, as they were all patched and are protected.
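Because the flaw is reachable without authentication, the practical question for an on-premises team is whether the PingAddress endpoint was ever called from outside the networks it trusts. The following is an added example, not OutSystems code: it scans constructed IIS W3C-style log lines for requests to a PingAddress endpoint coming from outside the trusted ranges (the same ranges you would configure for the Internal Network feature) and reports the address each request asked the Platform to fetch. The URI path, the `address` query parameter name and the log field layout are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Trusted ranges (assumption): mirror what the Internal Network feature allows.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Match the endpoint by name; the real path under Service Center is not on the page.
PING_PATTERN = re.compile(r"pingaddress", re.IGNORECASE)

# Constructed sample log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2018-01-16 10:01:02 10.1.2.3 GET /ServiceCenter/PingAddress.aspx address=http%3A%2F%2Fintranet-app%2Fhealth 200
2018-01-16 10:02:15 203.0.113.7 GET /ServiceCenter/PingAddress.aspx address=http%3A%2F%2F203.0.113.50%2F 200
2018-01-16 10:02:16 203.0.113.7 GET /ServiceCenter/PingAddress.aspx address=http%3A%2F%2Fexample.net%2Fpage 200
2018-01-16 10:03:00 203.0.113.9 GET /ServiceCenter/Applications.aspx - 302
"""


def parse_line(line):
    """Split one W3C log line into its fields; return None for short or comment lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    date, time, c_ip, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {time}", "c_ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": status}


def is_trusted(ip_text):
    """True only for syntactically valid addresses inside a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the c-ip field is never trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_ping_abuse(log_text):
    """Return (timestamp, source ip, requested target) for untrusted PingAddress calls."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PING_PATTERN.search(rec["stem"]) or is_trusted(rec["c_ip"]):
            continue
        # parse_qs URL-decodes the value; "-" (no query) simply yields no parameter.
        target = parse_qs(rec["query"]).get("address", ["<no address parameter>"])[0]
        findings.append((rec["ts"], rec["c_ip"], target))
    return findings


def summarize_by_source(log_text):
    """Count untrusted PingAddress calls per source IP to spot proxy-style bursts."""
    counts = {}
    for _, c_ip, _ in find_ping_abuse(log_text):
        counts[c_ip] = counts.get(c_ip, 0) + 1
    return counts
```

Run `find_ping_abuse` over the real Service Center access logs instead of `SAMPLE_LOG`; requests from a trusted range are still worth reviewing, but calls from outside it are the ones this advisory is about.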
| Question | Answer |
|---|---|
| By exploiting this vulnerability, can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will have full access to all data stored by the OutSystems Platform. |
| Has this vulnerability been exploited in the wild? | OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it. |
| What do I need to do? | Update your OutSystems Platform to the above-mentioned version that applies. For Cloud customers, OutSystems will apply a no-impact / no-downtime hotfix. |
| Will OutSystems share any more information about this vulnerability? | In order to protect its customers, OutSystems will not provide any additional information about this vulnerability before May 2020. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels. |