OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality of end-user data. OutSystems doesn't have any indication or reason to believe that this vulnerability has been exploited in the wild.
Vulnerability reported by Ricardo Nunes - INTEGRITY SA.
This vulnerability affects all supported Platform Server stacks and LifeTime.
Base Score: 7.4 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the embargo phase.
- Embargo phase: This vulnerability was first communicated to all customers on September 4, 2020.
- Public disclosure: Full details on this vulnerability were disclosed on December 11, 2020.
This vulnerability resides in the ECT Provider component. By exploiting this vulnerability, an unauthenticated attacker would be able to perform a server-side request forgery (SSRF) attack. This would allow an attacker to induce a server-side application to make HTTP requests to arbitrary domains.
Protecting your OutSystems installation
The necessary actions to protect against this vulnerability may differ depending on the deployment model (OutSystems Cloud or self-managed) and the version. Please check the following sections for the action that applies to your environments.
OutSystems Cloud & self-managed installations
OutSystems released a new version of the Platform Server that addresses this vulnerability. All customers who have yet to update their Platform Servers are encouraged to do so.
For OutSystems Cloud environments, OutSystems also performed a patching operation in late October 2020 that contained the fix for this vulnerability and other security improvements.
Platform Server release 10.0.1104.0 addresses this vulnerability. All versions of Platform Server 10.0.1104.0 onwards will be protected.
There is no workaround; we strongly advise you to update to the above-mentioned version.
| Question | Answer |
|---|---|
| By exploiting this vulnerability, can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will have partial access to data stored by the OutSystems Platform. |
| Has this vulnerability been exploited in the wild? | OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer was affected. |
| What do I need to do? | Update your OutSystems Platform Server to the above-mentioned version that applies. For cloud environments, OutSystems patched the environments for you. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels. |