OutSystems became aware of vulnerabilities in multiple Java third-party libraries, with severities ranging from Low to Critical. If exploited, these vulnerabilities may allow an attacker to compromise the confidentiality, integrity, and availability of end-user data. OutSystems has no indication or reason to believe that these vulnerabilities have been exploited in the wild.
To understand the phases involved in the process, and how and when we communicate, check this article. These vulnerabilities are currently in the embargo phase.
- Embargo phase: These vulnerabilities were first published on December 9, 2020.
- Public disclosure: Full details on these vulnerabilities were disclosed on March 3, 2021.
These vulnerabilities stem from the following libraries, at the versions listed, used by the OutSystems 10 supported Java Platform Server versions:
- Apache Commons Collections 3.2
- Apache Commons Imaging 0.97
- Google Core Libraries for Java 11.0.2
- jackson-databind 2.7.4
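To find out whether a deployment still carries any of the four library versions listed above, a practitioner can inventory the jars on disk. The script below is an added example, not OutSystems code: it walks a directory, reads the Maven coordinates each jar records in its `META-INF/maven/*/*/pom.properties`, falls back to the `<artifactId>-<version>.jar` file name when that file is missing, and reports every jar matching an advisory entry. The Maven coordinates, the file names, the `WEB-INF/lib` layout and the sample tree it builds are all assumptions made here for the demonstration; in particular, "Apache Commons Imaging 0.97" is assumed to be the Sanselan 0.97 artifact that was later renamed Commons Imaging.

```python
"""Inventory check for the library versions named in this advisory (added example)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Coordinates = Tuple[str, str, str]  # (groupId, artifactId, version)

# Versions listed in the advisory, keyed "groupId:artifactId".
# The coordinates are assumptions; "Apache Commons Imaging 0.97" is assumed to be
# the Sanselan 0.97 artifact that was later renamed Commons Imaging.
ADVISORY_VERSIONS: Dict[str, str] = {
    "commons-collections:commons-collections": "3.2",
    "org.apache.sanselan:sanselan": "0.97",
    "com.google.guava:guava": "11.0.2",
    "com.fasterxml.jackson.core:jackson-databind": "2.7.4",
}


def read_pom_coordinates(jar_path: str) -> List[Coordinates]:
    """Return the Maven coordinates recorded in META-INF/maven/*/*/pom.properties."""
    found: List[Coordinates] = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def coordinates_from_filename(file_name: str) -> List[Coordinates]:
    """Fallback for jars without pom.properties: match '<artifactId>-<version>.jar'."""
    found: List[Coordinates] = []
    for key in ADVISORY_VERSIONS:
        group_id, artifact_id = key.split(":", 1)
        match = re.match(rf"^{re.escape(artifact_id)}-(\d[\w.\-]*)\.jar$", file_name, re.I)
        if match:
            found.append((group_id, artifact_id, match.group(1)))
    return found


def version_matches(found: str, listed: str) -> bool:
    """Exact match, or the listed version plus a qualifier (e.g. 0.97-incubator)."""
    return found == listed or found.startswith(listed + "-")


def scan_jars(root: str) -> List[Dict[str, str]]:
    """Walk root and report every jar whose coordinates match an advisory entry."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for file_name in files:
            if not file_name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, file_name)
            coords = read_pom_coordinates(path) or coordinates_from_filename(file_name)
            for group_id, artifact_id, version in coords:
                key = f"{group_id}:{artifact_id}"
                listed = ADVISORY_VERSIONS.get(key)
                if listed and version_matches(version, listed):
                    findings.append({"jar": path, "library": key, "version": version})
    return sorted(findings, key=lambda f: f["jar"])


def _write_jar(path: str, coords: Optional[Coordinates] = None) -> None:
    """Create a minimal jar; include pom.properties only when coords are given."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if coords:
            group_id, artifact_id, version = coords
            zf.writestr(
                f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n",
            )


def build_sample_tree(root: str) -> None:
    """Constructed sample: three listed versions, one newer version, one unrelated jar."""
    lib = os.path.join(root, "WEB-INF", "lib")  # assumed layout
    os.makedirs(lib, exist_ok=True)
    _write_jar(os.path.join(lib, "commons-collections-3.2.jar"),
               ("commons-collections", "commons-collections", "3.2"))
    _write_jar(os.path.join(lib, "jackson-databind-2.9.10.jar"),
               ("com.fasterxml.jackson.core", "jackson-databind", "2.9.10"))
    _write_jar(os.path.join(lib, "guava-11.0.2.jar"))             # no pom.properties
    _write_jar(os.path.join(lib, "sanselan-0.97-incubator.jar"))  # no pom.properties
    _write_jar(os.path.join(lib, "unrelated-1.0.jar"))


def demo() -> List[Dict[str, str]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_jars(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['library']} {finding['version']}: {finding['jar']}")
```

Point `scan_jars()` at the directory holding the server's third-party jars rather than at the sample tree. A jar is reported only when its version equals the listed one (optionally with a qualifier suffix), so the scan tells you whether a listed version is still present; it does not assess other versions, and repackaged or shaded jars that drop both `pom.properties` and the conventional file name are not detected and need a manual look.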
Components & Stacks
These vulnerabilities affect the OutSystems 10 supported Java Platform Server versions.
Protecting your OutSystems installation
OutSystems issued Platform Server release 10.0.1108.0, which addresses these vulnerabilities. All customers who have yet to update their Platform Server are strongly encouraged to do so.
There is no workaround; we strongly advise you to update to the above-mentioned version.
| Question | Answer |
|---|---|
| By exploiting these vulnerabilities, can an attacker access my data? | Yes. By exploiting these vulnerabilities, an attacker may gain access to end-user data. |
| What do I need to do? | Update your OutSystems Platform Server to the above-mentioned version. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels. |