Security Advisory - Misuse of SEND TO Email Function - Update May 18, 2017 and Update June 7, 2017
Subject: Misuse of SEND TO Email Function – Update May 18, 2017
Overview
Ex Libris considers security and privacy the highest priorities and continues to analyze the issues regarding the misuse of the SEND TO email function.
A solution for Cloud users was put in place in May 2017.
A user could manually send mail to multiple recipients, which could place a load on the Primo mail server.
On May 18, Ex Libris implemented a solution for our Cloud services that uses multiple layers of security to protect the send-mail function when mail is sent to multiple recipients.
Current Status: Information for On-Premise Customers – Update June 7, 2017
Affected Systems:
Primo
Effective Security Severity Level:
Medium
Tests and Certifications:
The mitigation for this issue has been identified.
Actions Taken for Hosted Systems:
Ex Libris implemented a security solution on May 18, 2017.
Required Actions for On-Premise Systems:
Ex Libris strongly recommends that you disable the email functionality by changing the SMTP_HOST parameter under General Configuration: E-mail and SMS Configuration to a placeholder value that is not a real mail host (for example, NOT_REAL_SMTP).
A permanent fix that restricts email functionality to authenticated users will be available in 2 weeks.
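The control the permanent fix describes, an authentication requirement in front of the send-to-email function, can be combined with a bound on recipients per request and a per-user rate limit. The following is an added illustration, not Ex Libris or Primo code: all names are hypothetical, and the recipient cap and rate limit are assumed extra layers that the advisory does not specify.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy limits; the advisory does not publish Primo's actual values.
MAX_RECIPIENTS = 5        # recipients allowed in one send-to-email request
MAX_PER_WINDOW = 10       # sends allowed per user inside the window
WINDOW_SECONDS = 3600     # sliding-window length for the rate limit


@dataclass
class SendRequest:
    user_id: Optional[str]    # None when the session is anonymous
    recipients: List[str]     # addresses typed into the SEND TO form
    now: float                # caller-supplied Unix time, keeps checks testable


class SendToEmailGate:
    """Policy gate to run before handing a request to the SMTP sender."""

    def __init__(self) -> None:
        self._history: Dict[str, List[float]] = defaultdict(list)

    def check(self, req: SendRequest) -> Tuple[bool, str]:
        # Layer 1: the permanent fix in the advisory, authenticated users only.
        if not req.user_id:
            return False, "authentication required"
        # Layer 2: bound the fan-out of a single request (addresses de-duplicated).
        unique = {r.strip().lower() for r in req.recipients if r.strip()}
        if not unique:
            return False, "no recipients"
        if len(unique) > MAX_RECIPIENTS:
            return False, f"too many recipients ({len(unique)} > {MAX_RECIPIENTS})"
        # Layer 3: per-user sliding-window rate limit; only accepted sends count.
        recent = [t for t in self._history[req.user_id]
                  if req.now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_PER_WINDOW:
            return False, "rate limit exceeded"
        recent.append(req.now)
        self._history[req.user_id] = recent
        return True, "ok"
```

Rejected requests are not recorded against the user's window, so a burst of over-sized requests cannot lock out a legitimate user.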
Record of Changes
| Type of information | Document Data |
|---|---|
| Document Title | Security Advisory - Misuse of SEND TO Email Function |
| Document Owner | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
| Approved by | Barak Rozenblat - VP Cloud Services |
| Issued | Feb 16, 2014 |
| Reviewed & Revised | Jun 7, 2017 |
Revision Control
| Version Number | Nature of Change | Date Approved |
|---|---|---|
| | Initial version | Feb 16, 2014 |
| | Update | Oct 20, 2016 |
| 1.2 | Update | Jun 07, 2017 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.