Security Advisory - Alma “Forgot My Password” Vulnerability Identified and Corrected – March 29, 2021
Overview
On March 25, 2021 a vulnerability in the "Forgot my password" link in Alma was identified. The “Forgot my password” link allows users managed in the Ex Libris Identity Service to provide their email/user ID and receive a secure link to change their password. Due to a logic error, the secure token was not checked server-side, and a malicious actor could change another user’s password by changing the user ID in the web form.
Effective Security Severity Level
High
Ex Libris implemented a security solution on March 25, 2021 that mitigated the identified vulnerability. The secure token is now validated on the server-side to ensure that only the owner of the email address can change the password.
Affected Systems
Ex Libris Alma product
Tests and Certifications
The fix for this vulnerability has been developed, tested, and certified for Ex Libris products.
Actions Taken for Cloud Systems
Ex Libris has already deployed the fix to all cloud environments and no action is required by the customer.
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Record of Changes
Type of information | Document Data |
Document Title: |
Security Advisory – Alma "Forgot My Password" Vulnerability Identified and Corrected - March 29, 2021 |
Document Owner: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
Approved by: |
Barak Rozenblat – VP Cloud Services |
Issued: |
March 29, 2021 |
Reviewed & Revised: |
March 29, 2021 |
Revision Control
Version Number | Nature of Change | Date Approved |
1.0 |
Initial version |
March 29, 2021 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver