OutSystems

Vulnerability RPD-5160

Overview

OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the availability and integrity of the data handled and stored by the Platform Server.

OutSystems doesn't have any indication or reason to believe that this vulnerability has been exploited in the wild.

Technology stacks

This vulnerability affects all supported Platform Server stacks and LifeTime.

Vulnerability risk

Base Score: 9.6 (Critical)

Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Communication

To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the embargo phase.

  • Embargo phase: This vulnerability was first communicated to all customers on July 27, 2020.
  • Public disclosure: Full details on this vulnerability were disclosed on October 27, 2020.

Vulnerability details

One of the OutSystems services contained a path traversal vulnerability that would allow a developer to write arbitrary files to a location where the files could be executed. Since services run with high privileges, this could potentially lead to fully compromising the host and gaining access to any file or key present on the filesystem.
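As an added illustration of the control that prevents this class of bug (example code, not OutSystems' own and not the affected service), the check below resolves a client-supplied file name against a fixed storage directory and refuses any write that would land outside it; UPLOAD_ROOT and the function names are assumptions for the example.

```python
from pathlib import Path

# Added example (not OutSystems code): a containment check for a service that
# writes files under names supplied by a client. UPLOAD_ROOT is an assumed
# directory; in a real deployment it should also be non-executable.
UPLOAD_ROOT = Path("/var/app/uploads").resolve()


class PathTraversalError(ValueError):
    """Raised when a supplied name would write outside the allowed root."""


def safe_target_path(user_supplied_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return the absolute path where `user_supplied_name` may be written.

    The name is joined to `root` and fully resolved before the containment
    test, so '..' segments, absolute paths and symlinks pointing outside the
    root are all rejected. Comparing resolved Path objects (not string
    prefixes) avoids accepting a sibling such as "/var/app/uploads_evil/x".
    """
    if not user_supplied_name or "\x00" in user_supplied_name:
        raise PathTraversalError("empty name or NUL byte in name")
    candidate = (root / user_supplied_name).resolve()
    if candidate == root:
        raise PathTraversalError("name resolves to the root directory itself")
    if root not in candidate.parents:
        raise PathTraversalError(f"{user_supplied_name!r} escapes {root}")
    return candidate


def is_allowed(user_supplied_name: str, root: Path = UPLOAD_ROOT) -> bool:
    """True if the write stays inside the root; useful for logging rejected names."""
    try:
        safe_target_path(user_supplied_name, root)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample names that a file-write endpoint might receive.
    for name in ["report.pdf", "a/../b.txt", "../../outside/x.bin", "/etc/hosts", "."]:
        print(f"{name!r:24} allowed={is_allowed(name)}")
```

Rejected names are worth logging with the caller's identity: repeated traversal attempts from one developer account are a detection signal in their own right.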

Protecting your OutSystems installation

The necessary actions to protect against this vulnerability may differ depending on the deployment model (OutSystems Cloud or self-managed) and the version. Please check the following sections for the action that applies to your environments.

OutSystems Cloud

OutSystems notified all its cloud customers and applied a no-downtime hotfix targeted at the specific version of each customer. The hotfix didn't require an update of the Platform Server version.

Self-managed installations

OutSystems released new versions of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.

OutSystems 10

Release 10.0.1102.0 of the Platform Server addresses this vulnerability. All versions of Platform Server 10.0.1102.0 onwards will be protected.

OutSystems 11

Platform Server release 11.9.0 and LifeTime Management Console 11.7.0 address this vulnerability. All subsequent releases will be protected.

Workaround

There is no workaround; we strongly advise you to update to the versions mentioned above.

FAQs

Question: By exploiting this vulnerability, can an attacker access my data?
Answer: Yes. By exploiting this vulnerability, an attacker may have, in time, full access to all data stored by the OutSystems Platform.

Question: Has this vulnerability been exploited in the wild?
Answer: OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer was affected.

Question: What do I need to do?
Answer: Update your OutSystems Platform Server to the above-mentioned version that applies. For cloud environments, OutSystems will patch the environments for you.

Question: Who can I talk to about this?
Answer: If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels.