Security Advisory - Ex Libris campusM Integration with Ex Libris Alma-Primo Security Vulnerability Updated – March 9, 2020
Overview
As part of the campusM AEK tile and Live Tile, the product is using Alma and Primo APIs to integrate library services into the mobile app and web portal. On March 4, 2020, a vulnerability was discovered in the Ex Libris campusM integration with Alma-Primo.
The vulnerability, if exploited, could potentially have allowed an attacker to bypass the authentication mechanism and access user details using the Alma API. Following our analysis, there was no indication of exploit for this vulnerability.
To address this issue, Ex Libris implemented a security solution on March 5 and March 6, 2020, that mitigated the identified vulnerability.
Effective Security Severity Level
Critical
Ex Libris implemented a security solution on March 5 and March 6, 2020, that mitigated the identified vulnerability.
Affected Systems
Ex Libris campusM integration with Alma-Primo (AEK and/or Live Tile).
Tests and Certifications
The fix for this vulnerability was developed, tested and certified for Ex Libris campusM product.
Actions Taken
Ex Libris has deployed the fix to Ex Libris campusM product AEK tiles and Live Tiles that addresses the vulnerability described in this advisory and no action is required by our cloud customers.
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Record of Changes
Type of information | Document Data |
---|---|
Document Title: |
Security Advisory - Ex Libris campusM Integration with Ex Libris Alma-Primo Security Vulnerability Updated – March 9, 2020 |
Document Owner: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
Approved by: |
Barak Rozenblat – VP Cloud Services |
Issued: |
March 9, 2020 |
Reviewed & Revised: |
March 9, 2020 |
Revision Control
Version Number | Nature of Change | Date Approved |
---|---|---|
1.0 |
Initial version |
March 9, 2020 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver