Skip to main content

 

 

 

 

Template:OutSystems/Documentation_KB/Breadcrumb_New_Layout

 

 

Template:OutSystems/OSLanguageSwitcher

 

 

 

OutSystems

Vulnerability RPD-3849

Overview

On February 2019, OutSystems became aware of a vulnerability in the ECT Provider Platform component. Using the CVSS scoring system, OutSystems has assessed the impact and risk of this vulnerability for cloud and on-premises platform deployments across all supported stacks and classified it accordingly using the CVSS 3.0 scoring system.

The following information will allow you to ascertain the level of exposure to your systems and determine how you should proceed to mitigate the threat.

Technology Stacks

This vulnerability affects all supported Platform stacks.

Communication

To understand the phases involved in the process, how and when we communicate, check this article.

  • Embargo phase: This vulnerability was first communicated to all customers on May 14, 2019
  • Public disclosure: Full details on this vulnerability were disclosed.

Vulnerability Risk

Base Score: 8.1 (High)

Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Vulnerability details

This vulnerability is in the ECT Provider component. An unauthenticated attacker could use the endpoint provided by this component to inject arbitrary JavaScript code, which could then execute when an ECT Provider user accesses the ECT Provider back-office in the App Feedback application via a web browser. In some cases, the injected code runs with high privileges on the OutSystems platform.

Protecting your OutSystems Platform

OutSystems Cloud

OutSystems notified cloud customers and updated or applied a patch to all affected cloud infrastructures.

The environments were patched without the need for a platform server version update.

On-Premises Installations

OutSystems issued new releases of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.

OutSystems 10

This vulnerability is fixed for Platform Server version 10.0.1005.2 and all subsequent versions.

OutSystems 11

The vulnerability is fixed for Platform Server version Release Jan.2019 CP2 and all subsequent versions.

Workaround

A Platform Server upgrade is strongly advised. If you do not have the opportunity to upgrade your on-premises Platform, we advise you to disable the ECT Provider component for all eSpaces.

OutSystems PaaS infrastructures do not require any workaround as they were all patched and are protected.

FAQs

Question Answer
Has this vulnerability been exploited in the wild? OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
What do I need to do? Update your OutSystems Platform Server to the above-mentioned version that applies. For Cloud Customers OutSystems has applied a hotfix.
Will OutSystems share any more information about this vulnerability? All the details that can be shared were already disclosed in this article.
Who can I talk to about this? If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.

Vulnerability reported by Mina Edwar.

  • Was this article helpful?