|First published||April 19, 2021|
|Public disclosure||July 29, 2021|
|OutSystems bug IDs||RPM-657|
A security flaw was identified in the OutSystems Platform Server that if exploited may compromise the Confidentiality, Integrity and Availability of a developer workstation. OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
Vulnerable products and versions
This vulnerability affects all versions of the Platform Server.
This vulnerability resides on the Platform Server compilation process. When an extension is stored in a network file system under the attackers control he is able to leverage a race condition to modify a file that is executed during the compile process.
There's no workaround, we strongly advise to update to the fixed versions.
Fixed products and versions
OutSystems issued the following releases that address this vulnerability. You can choose to upgrade to any of the versions to avoid having to deal with breaking changes.
If you have a self-managed infrastructure we strongly encourage to upgrade to the latest release.
For OutSystems Cloud infrastructures, you'll receive a schedule to upgrade your environments.
Exploitation and public announcements
The OutSystems Product Security Incident Response Team (PSIRT) was able to reproduce the vulnerability proving it can be exploited.
The OutSystems PSIRT isn’t aware of any malicious use of the vulnerability described in this security bulletin.
|By exploiting this vulnerability can an attacker access my data?||Yes. By exploiting this vulnerability, an attacker can have full access to a developer's workstation.|
|Has this vulnerability been exploited in the wild?||OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.|
|What do I need to do?||Update your OutSystems Platform to the above-mentioned version that applies. For Cloud Customers, OutSystems will apply a fix.|
|Will OutSystems share any more information about this vulnerability?||In order to protect its customers, OutSystems will not provide any additional information about this vulnerability before July 2021.|
|What is the concrete vulnerability?||We can’t disclose that yet. Disclosing the further details before allowing reasonable time to protect your infrastructures would increase the chance of exploitation. It will be disclosed in the future following our vulnerability policy.|
|Why are we doing this now?||We need to patch OutSystems Cloud for a number of security vulnerabilities. As such, we’ve bundled all the patches to reduce risk and customer impact.|
|Can I opt-out from the OutSystems Cloud patch?||Yes, and it may be a valid option in very specific scenarios, but we strongly advise against it. You'll have the option of adjusting the schedule rather than opting out of the security patch.|
|Can I change the schedule of the OutSystems Cloud patch instead of opting-out?||Yes, you can reschedule to minimize impact on ongoing activities. Ensure that the dates you choose are not later than June 30, 2021. This will ensure that your OutSystems Cloud is protected before the vulnerability details are disclosed.|
|I have mobile apps published to the stores. Am I required to do something?||The vulnerability fix and the Platform Server upgrade won't require new mobile builds to be distributed. It's however advisable, when apps are upgraded to a new version.|
|Who can I talk to about this?||If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.|