Security Advisory- Misuse of SEND TO email function –Update May 18, 2017 and Update June 7, 2017

Overview

Ex Libris considers security and privacy the highest priorities and continues to analyze the issues regarding the misuse of the SEND TO email function. 
A solution for Cloud users was put in place in May 2017.

A user could manually send mail to multiple recipients that could cause a load on the Primo mail server.

On May 18, Ex Libris implemented a solution for our Cloud services using multiple layers of security to protect the send mail function to multiple recipients.   
 

Current Status:  Information for On-Premise Customers – Update June 7, 2017

Affected Systems:

Primo

Effective Security Severity Level:

Medium

Affected Systems:

Primo

Tests and Certifications:

The mitigation for this issue has been identified.

Actions Taken for Hosted Systems:

Ex Libris implemented a security solution on May 18, 2017.

Required Actions for On-Premise Systems:   

Ex Libris strongly recommends that you disable the email functionality by changing the SMTP_HOST parameter under General Configuration: E-mail and SMS Configuration to a fake parameter (for example NOT_REAL_SMTP).

In 2 weeks, a permanent fix will be available that will restrict email functionality only to authenticated users.

Record of Changes

Revision Control

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver