Security Advisory - Ex Libris campusM Cloud Log Security Vulnerability Updated – July 29, 2020
Overview
On July 28, 2020, a vulnerability was discovered in the Ex Libris campusM error log file. The vulnerability applied only to customers using the Connect Layer with an LDAP authentication process and only when a user login process failed.
The vulnerability could potentially allow Ex Libris authorized staff to view the user details of the failed login attempt, as displayed in the system error log. The error logs are not accessible to any outside party. Additionally, error logs are kept for only 7 days and are then deleted automatically.
Effective Security Severity Level
High
Ex Libris implemented a fix on July 28, 2020 that mitigated the identified vulnerability.
Affected Systems
Ex Libris campusM product
Tests and Certifications
The fix for this vulnerability has been developed, tested and certified for Ex Libris products.
Action Taken by Ex Libris for Cloud Systems
- Ex Libris has already deployed the fix to all cloud environments
- No action is required by campusM customers
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Record of Changes
Type of information | Document Data |
---|---|
Document Title: | Security Advisory – Ex Libris campusM Cloud Log Security Vulnerability Updated - July 29, 2020 |
Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
Approved by: | Barak Rozenblat – VP Cloud Services |
Issued: | July 29, 2020 |
Reviewed & Revised: | July 29, 2020 |
Revision Control
Version Number | Nature of Change | Date Approved |
---|---|---|
1.0 | Initial version | July 29, 2020 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.