Skip to main content
ExLibris
  • Subscribe by RSS
    • Back
    Aleph
    Ex Libris Knowledge Center

    Vulnerability in Aleph WWW-C (Web Union Catalog Management) function

    1. Last updated
    2. Save as PDF

     

    • Product: Aleph
    • Product Version: 20, 21, 22, 23
    • Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care

     

    Description

    A particular http:....:899n/C webpage (in the Web Union Catalog Management function) allows the user, without authentication, to view/modify/delete patron information.

    Resolution

    As this function is no longer being used by any Aleph customers, it should be disabled/removed.

    *  The Salesforce Broadcast message sent to Aleph customers, describing "Immediate Actions" to deal with this vulnerability, is shown in Additional Information below.  If you have not yet performed these actions, you should do so.

    *  The following rep_change's have been created:  v21 rc 002662 / v22 rc 002317 / v23 rc 000061....
           Description: Union Catalog Management vulnerability -  The WEB Union Catalog Management can bypass authentication and allows the user to modify patron information.

          Solution: Remove support of WEB Union Catalog Management.

          Note: In each case the rep_change's will be included in the next Service Pack for that version.  In the case of version 20, you should just perform the "Immediate Actions" described below; since there will be no service pack which might overwrite them, they should stay in place permanently. 

    *  An announcement may be posted to the https://knowledge.exlibrisgroup.com/.../Announcements page in this regard.   Check there. 

     

    Additional Information

    Salesforce Broadcast email to all Aleph customers subscribed to the service on May 26, 2016....

    Overview

    Ex Libris, a ProQuest company, has been made aware of a recently discovered vulnerability related to Aleph /C page that can bypass authentication and allows to modify patron information in Aleph systems and is rated as “High”.

    An unauthorized user can execute this vulnerability. A server is vulnerable to an attack only if the “/C” function is enabled.

    Effective Security Severity Level: High

    Affected Systems:   Aleph

    Tests and Certifications:  The mitigation for this vulnerability has been identified and tested and certified for Ex Libris Aleph product. Ex Libris initial full analysis and evaluation.

    Actions Taken for Hosted Systems: Ex Libris cloud is protected from this vulnerability, by implementing this immediate fix.

    Required Immediate Actions for On-Premises and Local Systems:

    Ex Libris recommends to disable this functionality ( “/C” function) until a mitigation can be provided, by running the following commands:

    • cd $alephe_root

    • mv  www_c_eng   www_c_eng.save

    • cd $aleph_exe

    • mv www_c.gnt  www_c.gnt.save

    Then restart the www_server  (util w/3/1).

    • Article last edited: 1-Jun-2016