Security Advisory – Google Chrome Browser Version 80 Updates and Ex Libris Products and Services - February 13, 2020
Overview
Google will roll out a new version of Google Chrome (80) that will implement a secure-by-default model for cookies using the SameSite attribute, enabled by a new cookie classification system. The SameSite attribute protects users from cross-site request forgery, where an end user may erroneously submit a web request that they did not intend.
The roll out will start the week of February 17, 2020.
As of February 2020, only cookies with the SameSite set to "None" and tagged as Secure will be able to send cross-sites and will require encrypted HTTPS connection access. Google Chrome (80) new default cookie attribute will be set to SameSite="Lax." Previously, the SameSite cookie attribute default was set to SameSite="None."
Reference
Impact
High
Affected Systems
Alma, Primo, Leganto, campusM, RefWorks, SFX and 360 Link will be affected by the new Chrome update.
Although the change was intended to discourage malicious cookie tracking, it also has the potential to affect Ex Libris products and services that leverage application cookies within the same web page that have a different domain than the one being used by Ex Libris.
Custom integrations relying on non-secure (HTTP) protocols or cookies, might be impacted by the new release of Google Chrome.
Tests and Certifications
The mitigation for this issue has been identified, tested and certified for all Ex Libris products.
Action Taken by Ex Libris for Cloud Systems
Ex Libris deployed the required configurations to all Ex Libris cloud servers for the following affected Ex Libris products: Alma, Primo, Leganto, campusM, RefWorks.
Actions for Cloud Systems
SFX, 360 Link and Primo may require additional action by the customer. Please refer to the following articles:
-
SFX - Impact to the Link Resolver Sidebar; see Google Chrome (80) Update and Possible Impact on SFX
-
360 – Impact to 360 Link Sidebar uses ‘iframes’ to embed external content and links in its pages; see Impact of Google Chrome version 80 on 360 Link
-
Primo – Impact for Primo Classic UI customers. See: Google Chrome (80) Update and Possible Impact on Primo
Actions for On-Premise/Local Systems
SFX and Primo may require additional actions, see the following articles:
-
SFX - Impact to the Link Resolver Sidebar; see Google Chrome (80) Update and Possible Impact on SFX
-
Primo – Impact for on premise (local) customers. See: Google Chrome (80) Update and Possible Impact on Primo
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Record of Changes
| Type of information | Document Data |
|---|---|
|
Document Title: |
Security Advisory – Google Chrome Browser Version 80 Updates and Ex Libris Products and Services |
|
Document Owner: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
|
Approved by: |
Barak Rozenblat – VP Cloud Services |
|
Issued: |
Jan 22, 2020 |
|
Reviewed & Revised: |
Feb 23, 2020 |
Revision Control
| Version Number | Nature of Change | Date Approved |
|---|---|---|
|
Initial version |
Jan 22, 2020 |
|
|
Update |
Jan 30, 2020 |
|
|
1.2 |
Update |
Feb 23, 2020 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver