
    Security Advisory - Misuse of SEND TO Email Function – Update May 18, 2017 and Update June 7, 2017

    Subject: Misuse of SEND TO Email Function – Update May 18, 2017

    Overview

    Ex Libris considers security and privacy the highest priorities and continues to analyze the issues regarding the misuse of the SEND TO email function. 
    A solution for Cloud users was put in place in May 2017.

    A user could manually send mail to multiple recipients, which could place a load on the Primo mail server.

    On May 18, Ex Libris implemented a solution for our Cloud services that uses multiple layers of security to protect the function for sending mail to multiple recipients.
     

    Current Status:  Information for On-Premise Customers – Update June 7, 2017
    Affected Systems:

    Primo

    Effective Security Severity Level:

    Medium

    Tests and Certifications:

    The mitigation for this issue has been identified.

    Actions Taken for Hosted Systems:

    Ex Libris implemented a security solution on May 18, 2017.

    Required Actions for On-Premise Systems:   

    Ex Libris strongly recommends that you disable the email functionality by changing the SMTP_HOST parameter under General Configuration: E-mail and SMS Configuration to a fake value (for example, NOT_REAL_SMTP).

    In 2 weeks, a permanent fix will be available that will restrict email functionality to authenticated users only.

    Record of Changes

    Type of information    Document Data
    Document Title:        Security Advisory - Misuse of SEND TO Email Function
    Document Owner:        Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Approved by:           Barak Rozenblat – VP Cloud Services
    Issued:                Feb 16, 2014
    Reviewed & Revised:    Jun 7, 2017

     

    Revision Control

    Version Number    Nature of Change    Date Approved
    1.0               Initial version     Feb 16, 2014
    1.1               Update              Oct 20, 2016
    1.2               Update              Jun 07, 2017

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.