Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Security Advisory – Google Chrome Browser Version 80 Updates and Ex Libris Products and Services - February 13, 2020

    Overview

    Google will roll out a new version of Google Chrome (80) that will implement a secure-by-default model for cookies using the SameSite attribute, enabled by a new cookie classification system.  The SameSite attribute protects users from cross-site request forgery, where an end user may erroneously submit a web request that they did not intend.   

    The roll out will start the week of February 17, 2020.

    As of February 2020, only cookies with the SameSite set to "None" and tagged as Secure will be able to send cross-sites and will require encrypted HTTPS connection access.  Google Chrome (80) new default cookie attribute will be set to SameSite="Lax."  Previously, the SameSite cookie attribute default was set to SameSite="None."

    Impact

    High

    Affected Systems

    Alma, Primo, Leganto, campusM, RefWorks, SFX and 360 Link will be affected by the new Chrome update.

    Although the change was intended to discourage malicious cookie tracking, it also has the potential to affect Ex Libris products and services that leverage application cookies within the same web page that have a different domain than the one being used by Ex Libris.

    Custom integrations relying on non-secure (HTTP) protocols or cookies, might be impacted by the new release of Google Chrome.

    Tests and Certifications

    The mitigation for this issue has been identified, tested and certified for all Ex Libris products.

    Action Taken by Ex Libris for Cloud Systems

    Ex Libris deployed the required configurations to all Ex Libris cloud servers for the following affected Ex Libris products: Alma, Primo, Leganto, campusM, RefWorks.

    Actions for Cloud Systems

    SFX, 360 Link and Primo may require additional action by the customer.  Please refer to the following articles:

    Actions for On-Premise/Local Systems

    SFX and Primo may require additional actions, see the following articles:

    Exploitation and Public Announcements 

    The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

     

    Record of Changes

    Type of information Document Data

    Document Title:

    Security Advisory – Google Chrome Browser Version 80 Updates and Ex Libris Products and Services

    Document Owner:

    Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)

    Approved by:

    Barak Rozenblat – VP Cloud Services

    Issued:

    Jan 22, 2020

    Reviewed & Revised:

    Feb 23, 2020

     

    Revision Control

    Version Number Nature of Change Date Approved

    1.0

    Initial version

    Jan 22, 2020

    1.1

    Update

    Jan 30, 2020

    1.2

    Update

    Feb 23, 2020

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver