OTPulse

Siemens Mendix

Monitor · 6.8 · ICS-CERT ICSA-22-069-13 · Mar 8, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

An XPath constraint bypass vulnerability in Mendix Runtime versions 7, 8, and 9 allows authenticated users to circumvent access control checks. An attacker with valid application credentials could read the contents of database attributes they should not be able to access and modify sensitive data. This affects running Mendix applications and any data stored within them. Siemens has released patched versions: Mendix 7.23.29, 8.18.16, and 9.13.

What this means
What could happen
An attacker with valid application credentials could bypass data access controls to read sensitive information from database attributes they should not access, or modify sensitive data they are not authorized to change.
Who's at risk
Organizations running Mendix web applications on Siemens Mendix Runtime should care about this vulnerability. It affects any application built on Mendix Runtime versions 7, 8, or 9 that handles sensitive data (financial records, user information, process parameters, or operational reports). Business application administrators and OT teams that use Mendix for operational dashboards or data management are at risk.
How it could be exploited
An authenticated user logs into a Mendix application and crafts malicious XPath constraints in application queries. These constraints bypass the application's access control logic, allowing the attacker to retrieve data from protected attributes or modify sensitive records that should be inaccessible to their user role.
Prerequisites
  • Valid user credentials for the Mendix application
  • Network access to the Mendix application
  • Vulnerable Mendix Runtime version (7 <7.23.29, 8 <8.18.16, or 9 <9.13)
Tags: remotely exploitable · requires valid authentication · high attack complexity · affects data confidentiality and integrity · low EPSS score (0.2%)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 with fix

| Product | Affected Versions | Fix Status |
|---|---|---|
| Mendix Runtime V7 | < V7.23.29 | 7.23.29 |
| Mendix Runtime V8 | < V8.18.16 | 8.18.16 |
| Mendix Runtime V9 | < V9.13 | 9.13 |
Remediation & Mitigation
Do now
Mendix Runtime V9
WORKAROUND: For Mendix Runtime V9 applications, verify that the custom setting DataStorage.UseNewQueryHandler is set to True (this is the default setting); if not set, enable it or remove the custom setting
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Runtime V7
HOTFIX: Upgrade Mendix Runtime V7 applications to version 7.23.29 or later
Mendix Runtime V8
HOTFIX: Upgrade Mendix Runtime V8 applications to version 8.18.16 or later
Long-term hardening
HARDENING: Restrict network access to Mendix applications using firewall rules; do not expose applications to the Internet
HARDENING: Isolate Mendix application networks from business network segments
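The affected-version table and the V9 workaround above are what a defender checks against an application inventory. The script below is an added example, not part of the OTPulse page or of Siemens/Mendix tooling: it takes the fixed-version thresholds and the DataStorage.UseNewQueryHandler setting from the advisory text, assumes an inventory of (app name, runtime version string, optional custom settings) whose sample entries are constructed here, and reports for each app whether it is in an affected range and what the advisory asks for (upgrade target, or the V9 workaround first).

```python
"""Triage helper for the Mendix Runtime XPath constraint bypass advisory.

Added example; not code from the OTPulse page or from Siemens/Mendix.
The inventory layout (app name, version string, custom settings) is an
assumption; version thresholds and the V9 workaround setting come from
the advisory.
"""
from typing import Optional, Tuple

# First fixed release per major branch, as stated in the advisory.
FIXED_VERSIONS = {7: "7.23.29", 8: "8.18.16", 9: "9.13"}

# Custom setting named in the V9 workaround; True is the Mendix default.
WORKAROUND_SETTING = "DataStorage.UseNewQueryHandler"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'V8.18.15' or '9.12' into a comparable (major, minor, patch) tuple."""
    cleaned = text.strip().lstrip("Vv")
    parts = [int(p) for p in cleaned.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)  # '9.13' is the whole 9.13 line, i.e. 9.13.0
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the runtime version falls inside an affected range (< fix)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branch not named in the advisory; this helper makes no claim for it.
        return False
    return parsed < parse_version(fixed)


def workaround_in_place(version: str, custom_settings: Optional[dict]) -> bool:
    """V9 only: the new query handler is active unless explicitly set to false."""
    if parse_version(version)[0] != 9:
        return False
    settings = custom_settings or {}
    value = settings.get(WORKAROUND_SETTING, "true")
    return str(value).strip().lower() == "true"


def triage(app: str, version: str, custom_settings: Optional[dict] = None) -> dict:
    """Return the affected flag and the advisory's action for one application."""
    affected = is_affected(version)
    major = parse_version(version)[0]
    if not affected:
        action = "no action: fixed or outside advisory scope"
    elif major == 9 and workaround_in_place(version, custom_settings):
        action = f"upgrade to {FIXED_VERSIONS[9]} ({WORKAROUND_SETTING} already active)"
    elif major == 9:
        action = f"set {WORKAROUND_SETTING}=True now, then upgrade to {FIXED_VERSIONS[9]}"
    else:
        action = f"upgrade to {FIXED_VERSIONS[major]}"
    return {"app": app, "version": version, "affected": affected, "action": action}


def run_sample() -> list:
    """Constructed inventory; names and versions are made up for illustration."""
    inventory = [
        ("plant-dashboard", "V7.23.28", None),
        ("batch-reports", "8.18.16", None),
        ("shift-handover", "9.12.5", {WORKAROUND_SETTING: "false"}),
        ("kpi-portal", "9.12.5", None),
        ("new-pilot", "10.0", None),
    ]
    return [triage(app, ver, cfg) for app, ver, cfg in inventory]


if __name__ == "__main__":
    for row in run_sample():
        flag = "AFFECTED" if row["affected"] else "ok"
        print(f"{row['app']:16} {row['version']:10} {flag:9} {row['action']}")
```

Only the version ranges and the one custom setting are checked; the script does not inspect XPath constraints or application models, so a "no action" result means the runtime is at or past the fixed release, not that the application's own access rules are sound.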
API: /api/v1/advisories/9ffc6be5-5966-4e11-b866-411f429bf20b