The S-Unit

TSU-06: Use of outdated or end-of-life components

TSU-06 covers security issues that arise from the use of outdated software components in Mendix applications. A Mendix application consists of multiple components, each with its own lifecycle and versions; each of them therefore has to be tracked and maintained separately. These include:

  • The Mendix runtime
  • Imported Marketplace modules
  • Java dependencies used by backend modules
  • JavaScript dependencies used by widgets and JavaScript actions

Consequences of outdated or end-of-life components

When security updates for these components are not applied on time, the known vulnerabilities in them can be exploited, often by automated scanners that look for specific outdated versions. The impact depends on the vulnerability and includes:

  • The takeover of user sessions (for example, via cross-site scripting in an outdated JavaScript library)
  • The execution of code through vulnerable Java components

Best practices for securely managing and updating Mendix components

When developing a Mendix application, make sure you have processes and tooling in place to track software and security updates and to apply them promptly. The following best practices help with this:

1. Insight into components & dependencies

  • Maintain an up-to-date Software Bill of Materials (SBOM) that lists all components used in your application. The Mendix Software Composition Service can provide an initial inventory, but do not treat it as complete.

  • Use additional scanning tools to detect dependencies that the Mendix Software Composition Service does not cover, such as:

    • embedded or minified JavaScript libraries

    • embedded or obfuscated Java JAR files
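As an added example (not code from this page, from Mendix or from The S-Unit), the following Python script performs the inventory step above for the two categories the Software Composition Service may miss: it walks a Mendix project directory, identifies each JAR in userlib/ from its Maven pom.properties (falling back to the file name), reads the vendor banner of JavaScript files under javascriptsource/ and inside widget .mpk packages, and compares what it found against a minimum-version policy. The directory names, the sample project it builds in a temporary directory and the policy table are assumptions; replace the policy with data from your vulnerability feed.

```python
"""Inventory the Java and JavaScript dependencies of a Mendix project and flag versions
below a policy floor. Added example, not code from the page, Mendix or The S-Unit; the
project layout, the sample project and the policy table are assumptions."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed Mendix project layout: JARs in userlib/ (or vendorlib/), JavaScript actions and
# vendored libraries below javascriptsource/, widgets as .mpk zip packages in widgets/.
JAR_DIRS, JS_DIRS, WIDGET_DIR = ("userlib", "vendorlib"), ("javascriptsource",), "widgets"
# Vendor banner at the top of a JS file: "/*! jQuery v3.4.1 ..." or "/*! CKEditor 4.14.1 ..."
JS_BANNER = re.compile(r"/\*[\s*!]*([A-Za-z][\w\-]*(?:\s[A-Za-z][\w\-]*)*)\s+v?(\d+\.\d+(?:\.\d+)?)")
JAR_NAME = re.compile(r"^(.*?)-(\d+(?:\.\d+)+)\.jar$")  # last resort: name-1.2.3.jar
# Constructed policy of minimum acceptable versions; feed it from your vulnerability data.
MINIMUM_VERSIONS = {"jquery": "3.5.0", "ckeditor": "4.22.0", "example-lib": "1.2.0"}

def parse_version(text):
    """'3.4.1' -> (3, 4, 1); suffixes such as '-SNAPSHOT' or '-lts' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def _files(directory, pattern, recursive=False):
    """Sorted files matching pattern; an absent directory simply yields nothing."""
    if not directory.is_dir():
        return []
    return sorted(directory.rglob(pattern) if recursive else directory.glob(pattern))

def jar_identity(path):
    """(artifactId, version) of a JAR from its Maven pom.properties, else from the file name."""
    with zipfile.ZipFile(path) as z:
        for member in z.namelist():
            if member.startswith("META-INF/maven/") and member.endswith("pom.properties"):
                lines = z.read(member).decode("utf-8", "replace").splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
                if "artifactId" in props and "version" in props:
                    return props["artifactId"].strip(), props["version"].strip()
    m = JAR_NAME.match(Path(path).name)
    return (m.group(1), m.group(2)) if m else (Path(path).stem, None)  # obfuscated JAR: unknown

def js_identity(source):
    """(library, version) from the banner in the first 4 KB of a JS file, else (None, None)."""
    m = JS_BANNER.search(source[:4096])
    return (m.group(1), m.group(2)) if m else (None, None)

def inventory(project_dir):
    """List (kind, name, version, location) for every dependency found under project_dir."""
    root, found = Path(project_dir), []
    for jar in [p for d in JAR_DIRS for p in _files(root / d, "*.jar")]:
        name, version = jar_identity(jar)
        found.append(("jar", name, version, str(jar.relative_to(root))))
    for js in [p for d in JS_DIRS for p in _files(root / d, "*.js", recursive=True)]:
        name, version = js_identity(js.read_text("utf-8", "replace"))
        found.append(("js", name or js.stem, version, str(js.relative_to(root))))
    for mpk in _files(root / WIDGET_DIR, "*.mpk"):
        with zipfile.ZipFile(mpk) as z:  # a widget package is a zip; scan the JS it embeds
            for member in z.namelist():
                if member.endswith(".js"):
                    name, version = js_identity(z.read(member).decode("utf-8", "replace"))
                    if name:  # only banner-identified vendor libraries inside the widget
                        found.append(("widget-js", name, version, f"{mpk.name}!{member}"))
    return found

def check_policy(components, minimum=MINIMUM_VERSIONS):
    """Components whose version is unknown or below the policy floor for that name."""
    findings = []
    for _kind, name, version, location in components:
        floor = minimum.get((name or "").lower())
        if floor and (version is None or parse_version(version) < parse_version(floor)):
            findings.append((name, version, floor, location))
    return findings

def build_sample_project(base):
    """Constructed fixture: a JAR with Maven metadata, a vendored JS library and a widget package."""
    root = Path(base)
    (root / "userlib").mkdir()
    with zipfile.ZipFile(root / "userlib" / "example-lib-1.2.3.jar", "w") as z:
        z.writestr("META-INF/maven/org.example/example-lib/pom.properties",
                   "#generated\nversion=1.2.3\ngroupId=org.example\nartifactId=example-lib\n")
    vendor = root / "javascriptsource" / "MyModule" / "actions" / "vendor"
    vendor.mkdir(parents=True)
    (vendor / "jquery.min.js").write_text("/*! jQuery v3.4.1 | (c) JS Foundation */\n!function(){}();\n")
    (root / "widgets").mkdir()
    with zipfile.ZipFile(root / "widgets" / "MyWidget.mpk", "w") as z:
        z.writestr("MyWidget/lib/ckeditor.js", "/*! CKEditor 4.14.1 */\nvar CKEDITOR={};\n")
    return root

def run_demo():
    """Build the sample project in a temporary directory and return (components, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        components = inventory(build_sample_project(tmp))
        return components, check_policy(components)

if __name__ == "__main__":
    for finding in run_demo()[1]:
        print("OUTDATED: %s %s < %s (%s)" % finding)
```

Running the script reports the two constructed entries below the policy floor (jQuery 3.4.1 and CKEditor 4.14.1); example-lib 1.2.3 passes. For a real project, point inventory() at the project root and keep the resulting list as your SBOM input. An obfuscated JAR without Maven metadata or a minified library without a banner comes back with an unknown version, and check_policy() deliberately treats an unknown version of a policed component as a finding rather than silently passing it.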

2. Stable and predictable runtime

  • Ensure that your application runs on a Medium Term Support (MTS) or Long Term Support (LTS) version of the Mendix runtime, so that security fixes arrive as patch releases rather than as upgrades that bring unexpected or breaking changes.

3. Secure handling of Marketplace modules

  • Do not modify Marketplace modules directly; a modified module cannot be updated cleanly when a new version is released. Implement custom functionality in a separate module that works alongside the unmodified Marketplace module.

  • If your customizations would affect the access rules of a Marketplace module:

    • remove direct role assignments within the Marketplace module

    • move the relevant security checks and interactions to separate (non-persistent) entities and microflows in your own module

Vulnerabilities within TSU-06

The most common risks associated with outdated or end-of-life components are:

  • Bypassing security controls due to outdated Marketplace modules with known vulnerabilities (for example, ForgotPassword, Encryption, SAML20)
  • Bypassing XPath constraints due to a runtime version with known vulnerabilities (such as SSA-252808, SSA-148641)
  • Privilege escalation due to a runtime version with known vulnerabilities (such as SSA-540640)
  • Cross-site scripting (XSS) caused by outdated JavaScript libraries (such as CKEditor, jQuery)

Train your Mendix security skills

Want to recognize and prevent vulnerabilities in Mendix at an early stage? Explore our updated Mendix security training courses based on The S-Unit Top 10.

Integrate The S-Unit Top 10 into your CI/CD pipeline.

Want to know how your Mendix application scores against The S-Unit Top 10? In collaboration with Omnext, we have developed a Mendix-specific SAST solution that continuously and automatically scans for vulnerabilities. By integrating The S-Unit Top 10 into the CI/CD pipeline, risks are identified early and made immediately visible. Learn more about our collaboration with Omnext and the Mendix-specific SAST module.