OutSystems

Vulnerability RPM-657

    High Security bulletin RPM-657
    First published: April 19, 2021
    Public disclosure: July 29, 2021
    Status: Public disclosure
    Workarounds: No
    OutSystems bug IDs: RPM-657
    CVSS score: 8.3

    Vulnerability summary

    A security flaw was identified in the OutSystems Platform Server that, if exploited, may compromise the confidentiality, integrity and availability of a developer workstation. OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.

    Affected products

    Platform Server

    Vulnerable products and versions

    This vulnerability affects all versions of the Platform Server.

    Vulnerability details

    This vulnerability resides in the Platform Server compilation process. When an extension is stored on a network file system under the attacker's control, the attacker is able to leverage a race condition to modify a file that is executed during the compile process.
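    The paragraph above describes a check-then-use race on a build artifact that lives on a share the build process does not own. The following is an added illustration written for this page, not OutSystems code, and it makes no claim about how the Platform Server actually handles extensions: it contrasts a loader that verifies a file on the share and then re-reads it (vulnerable to a change in between) with a loader that first copies the artifact into a private directory, verifies the copied bytes, and uses exactly those bytes. The file name `extension.bin`, the hash values and the `race_hook` parameter are constructed for the demonstration; the hook only makes the race window deterministic so the two behaviours can be compared.

```python
"""Added illustration of a check-then-use race on a shared build artifact
and of one mitigation (snapshot into a private location, verify what you use).
Not OutSystems code; all names and contents below are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sample contents standing in for an extension artifact.
TRUSTED_EXTENSION = b"trusted extension bytes v1\n"
TAMPERED_EXTENSION = b"tampered extension bytes\n"

Hook = Optional[Callable[[], None]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vulnerable_load(extension_path: Path, expected_sha256: str, race_hook: Hook = None) -> bytes:
    """Vulnerable pattern: verify the file where it sits on the share, then read it
    again for use. Anything that changes the file between the two reads defeats the check."""
    if sha256_hex(extension_path.read_bytes()) != expected_sha256:
        raise ValueError("integrity check failed")
    if race_hook is not None:
        race_hook()  # stands in for the window in which the share can change
    return extension_path.read_bytes()  # second read: may differ from what was checked


def hardened_load(extension_path: Path, expected_sha256: str, race_hook: Hook = None) -> bytes:
    """Mitigated pattern: copy the artifact into a private directory owned by the build
    process, verify the copied bytes, and use those same bytes. A change on the share
    during the copy is caught by the hash; a change after it never reaches 'data'."""
    private_dir = Path(tempfile.mkdtemp(prefix="build-private-"))
    try:
        local_copy = private_dir / "extension.bin"
        shutil.copyfile(extension_path, local_copy)
        data = local_copy.read_bytes()  # single read; this buffer is both checked and used
        if sha256_hex(data) != expected_sha256:
            raise ValueError("integrity check failed")
        if race_hook is not None:
            race_hook()  # same window as above; the share is no longer consulted
        return data
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def simulate_race() -> dict:
    """Create a constructed 'share', run both loaders with the file swapped inside the
    race window, and report which bytes each loader ended up using."""
    share = Path(tempfile.mkdtemp(prefix="shared-"))
    try:
        artifact = share / "extension.bin"
        artifact.write_bytes(TRUSTED_EXTENSION)
        expected = sha256_hex(TRUSTED_EXTENSION)

        def swap_file() -> None:
            artifact.write_bytes(TAMPERED_EXTENSION)

        used_by_vulnerable = vulnerable_load(artifact, expected, race_hook=swap_file)
        artifact.write_bytes(TRUSTED_EXTENSION)  # reset the share for the second run
        used_by_hardened = hardened_load(artifact, expected, race_hook=swap_file)

        # The share now holds the tampered bytes; a fresh build must refuse them outright.
        rejected_when_pre_tampered = False
        try:
            hardened_load(artifact, expected)
        except ValueError:
            rejected_when_pre_tampered = True

        return {
            "vulnerable_used_tampered": used_by_vulnerable == TAMPERED_EXTENSION,
            "hardened_used_trusted": used_by_hardened == TRUSTED_EXTENSION,
            "hardened_rejects_pre_tampered": rejected_when_pre_tampered,
        }
    finally:
        shutil.rmtree(share, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_race())
```

    The point for a build pipeline is that integrity has to be established on the bytes that will actually be compiled or executed, in a location the attacker cannot write to; re-reading from the original share after the check reopens the window the bulletin describes. Running the block prints a dictionary in which the vulnerable loader used the tampered content and the hardened loader used the trusted content.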

    Workarounds

    There is no workaround; we strongly advise updating to the fixed versions.

    Fixed products and versions

    OutSystems issued the following releases that address this vulnerability. You can choose to upgrade to any of these versions to avoid having to deal with breaking changes.

    Platform Server

    • 11.11.2
    • 11.11.1
    • 11.10.4
    • 11.9.2
    • 11.8.4
    • 11.7.6
    • 11.0.615
    • 10.0.1114.0

    LifeTime

    • 11.8.4
    • 11.6.2
    • 11.5.4
    • 11.4.3
    • 11.0.328

    If you have a self-managed infrastructure, we strongly encourage you to upgrade to the latest release.

    For OutSystems Cloud infrastructures, you'll receive a schedule to upgrade your environments.

    Exploitation and public announcements

    The OutSystems Product Security Incident Response Team (PSIRT) was able to reproduce the vulnerability, confirming that it can be exploited.

    The OutSystems PSIRT isn’t aware of any malicious use of the vulnerability described in this security bulletin.

    FAQ

    Q: By exploiting this vulnerability, can an attacker access my data?
    A: Yes. By exploiting this vulnerability, an attacker can have full access to a developer's workstation.

    Q: Has this vulnerability been exploited in the wild?
    A: OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.

    Q: What do I need to do?
    A: Update your OutSystems Platform to the above-mentioned version that applies. For Cloud customers, OutSystems will apply a fix.

    Q: Will OutSystems share any more information about this vulnerability?
    A: In order to protect its customers, OutSystems will not provide any additional information about this vulnerability before July 2021.

    Q: What is the concrete vulnerability?
    A: We can't disclose that yet. Disclosing further details before allowing reasonable time to protect your infrastructures would increase the chance of exploitation. It will be disclosed in the future following our vulnerability policy.

    Q: Why are we doing this now?
    A: We need to patch OutSystems Cloud for a number of security vulnerabilities. As such, we've bundled all the patches to reduce risk and customer impact.

    Q: Can I opt out from the OutSystems Cloud patch?
    A: Yes, and it may be a valid option in very specific scenarios, but we strongly advise against it. You'll have the option of adjusting the schedule rather than opting out of the security patch.

    Q: Can I change the schedule of the OutSystems Cloud patch instead of opting out?
    A: Yes, you can reschedule to minimize impact on ongoing activities. Ensure that the dates you choose are not later than June 30, 2021. This will ensure that your OutSystems Cloud is protected before the vulnerability details are disclosed.

    Q: I have mobile apps published to the stores. Am I required to do something?
    A: The vulnerability fix and the Platform Server upgrade won't require new mobile builds to be distributed. It is, however, advisable when apps are upgraded to a new version.

    Q: Who can I talk to about this?
    A: If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels.