- Product: Aleph
- Product Version: 20, 21, 22, 23
- Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care
A particular http:....:899n/C webpage (in the Web Union Catalog Management function) allows a user to view, modify, or delete patron information without authentication.
As this function is no longer being used by any Aleph customers, it should be disabled/removed.
* The Salesforce Broadcast message sent to Aleph customers, describing "Immediate Actions" to deal with this vulnerability, is shown in Additional Information below. If you have not yet performed these actions, you should do so.
* The following rep_changes have been created: v21 rc 002662 / v22 rc 002317 / v23 rc 000061....
Description: Union Catalog Management vulnerability - Authentication for the WEB Union Catalog Management function can be bypassed, allowing the user to modify patron information.
Solution: Remove support of WEB Union Catalog Management.
Note: In each case the rep_changes will be included in the next Service Pack for that version. For version 20, just perform the "Immediate Actions" described below; since there will be no service pack that might overwrite them, they stay in place permanently.
* An announcement regarding this issue may be posted to the https://knowledge.exlibrisgroup.com/.../Announcements page; check there for updates.
Salesforce Broadcast email to all Aleph customers subscribed to the service on May 26, 2016....
Ex Libris, a ProQuest company, has been made aware of a recently discovered vulnerability related to the Aleph /C page that can bypass authentication and allows modification of patron information in Aleph systems, and is rated as “High”.
An unauthorized user can execute this vulnerability. A server is vulnerable to an attack only if the “/C” function is enabled.
Effective Security Severity Level: High
Affected Systems: Aleph
Tests and Certifications: The mitigation for this vulnerability has been identified, tested and certified for the Ex Libris Aleph product. Ex Libris initial full analysis and evaluation.
Actions Taken for Hosted Systems: Ex Libris cloud is protected from this vulnerability by implementing this immediate fix.
Required Immediate Actions for On-Premises and Local Systems:
Ex Libris recommends disabling this functionality (the “/C” function) until a mitigation can be provided, by running the following commands:
mv www_c_eng www_c_eng.save
mv www_c.gnt www_c.gnt.save
Then restart the www_server (util w/3/1).
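The two renames above, wrapped as an added example (not Ex Libris code) that refuses to overwrite an existing .save backup, is safe to re-run, and includes a check an administrator can use to confirm the /C function is disabled. It assumes both files sit in one directory passed as the first argument; the actual Aleph directory is not named in the broadcast, so substitute your installation's path.

```shell
#!/bin/sh
# Added example, not part of the Ex Libris broadcast. The directory holding
# www_c_eng and www_c.gnt is an assumption: pass it as the first argument.

# Rename one file or directory to <name>.save, refusing to clobber a backup.
save_aside() {
    dir=$1; name=$2
    if [ ! -e "$dir/$name" ]; then
        echo "$name: already absent, nothing to do"
        return 0
    fi
    if [ -e "$dir/$name.save" ]; then
        echo "$name.save already exists; refusing to overwrite it" >&2
        return 1
    fi
    mv "$dir/$name" "$dir/$name.save"
    echo "$name -> $name.save"
}

# Apply the broadcast's mitigation: set both /C files aside.
disable_c_function() {
    save_aside "$1" www_c_eng && save_aside "$1" www_c.gnt
}

# Post-check: succeeds only when neither live /C file remains in place.
c_function_disabled() {
    [ ! -e "$1/www_c_eng" ] && [ ! -e "$1/www_c.gnt" ]
}
```

The script does not restart the www_server; after it reports the renames, restart it as the broadcast says (util w/3/1) so the change takes effect.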
- Article last edited: 1-Jun-2016