...

Unpatched versions of Nolana and Orchid are vulnerable to critical security issues related to system users. These users are provisioned by the modules themselves and are used to perform internal module-to-module operations. Credentials for these users are hardcoded in the source code, which makes it trivial to authenticate as these users. This results in unauthorized access to potentially dangerous APIs: an attacker can view and modify configuration (including single-sign-on configuration), read, add and modify user data, read and transfer fees/fines in a patron's account, and read inventory data.

Due to the risk and exploitability of these vulnerabilities, they were embargoed, and details were not fully disclosed until system operators had a chance to patch their systems.

...

These patch versions will be included in the following official Critical Service Patch (CSP) releases for both Nolana and Orchid (details TBD):

  • Nolana CSP #2
  • Orchid CSP #4

System operators are advised to immediately apply this fix for both modules if they haven't done so already.

...

N.B. After changing SYSTEM_USER_PASSWORD or SYSTEM_USER_NAME it is NOT sufficient to only redeploy the module; you MUST also reinstall the module as shown above.

N.B. Disabling an affected module is NOT sufficient to fix the vulnerability.

Am I a victim?

Unfortunately the FOLIO Security Team is unaware of a way to conclusively determine whether these vulnerabilities have been exploited. Okapi does log the user ID for all proxied requests, so you can look for unusual activity associated with either of these system users. Depending on your hosting infrastructure, it may also be possible to examine load balancer and/or reverse proxy logs, but those may not contain enough information if request payloads or the relevant headers aren't captured.

Another challenge is the volume of logs that needs to be inspected. These vulnerabilities have existed for a long time (~2 years). Looking for something subjective like "unusual behavior" isn't easily scripted or automated, and reviewing 2 years of logs manually isn't realistic either. Consider reviewing logs going back to when you upgraded to Nolana.
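The advisory leaves the log review as a manual task. The script below is an added example (not FOLIO or Okapi project code) of how a first automated pass over Okapi-style proxy logs could look: it keeps only requests made by the affected system users, tallies them per user and endpoint, and flags the ones that are unusual under two simple heuristics, a client address outside the network that module-to-module calls are expected from, and a write to one of the API areas the advisory names (configuration, users, fees/fines, inventory). The log line layout, the system user IDs, the internal network range and the list of sensitive path prefixes are all assumptions to be replaced with your deployment's real values.

```python
"""Scan Okapi-style proxy log lines for requests made by the affected
system users and flag the ones that look unusual.

Added example for this advisory; not FOLIO or Okapi project code.
Assumptions (adjust for your deployment):
  * The line layout parsed by LINE_RE is a constructed simplification of
    an Okapi REQ line; real Okapi lines carry more fields, so adapt it.
  * SYSTEM_USER_IDS holds placeholder IDs; substitute the real user IDs
    of the affected modules' system users in your tenant.
  * INTERNAL_NET is the network that legitimate module-to-module calls
    originate from; anything else is treated as an external client.
"""

import ipaddress
import re
from collections import Counter, defaultdict

# Placeholder system user IDs (hypothetical values, replace with real ones).
SYSTEM_USER_IDS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

# Network module-to-module traffic is expected to come from (assumption).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# API prefixes covering the areas the advisory names: configuration (incl.
# SSO), user data, fees/fines and inventory. Assumed paths; extend as needed.
SENSITIVE_PREFIXES = (
    "/configurations/entries",
    "/users",
    "/accounts",
    "/feefineactions",
    "/inventory",
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed line layout:
# <timestamp> REQ <client-ip:port> <tenant> <user-id> <METHOD> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) REQ (?P<client>\S+) (?P<tenant>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample log: one internal read, one non-system user, three
# requests from an external address, and one unparseable line.
SAMPLE_LOG = """\
2023-05-01T10:15:02Z REQ 10.0.0.5:4321 diku 11111111-1111-1111-1111-111111111111 GET /users?query=barcode==123
2023-05-01T10:15:03Z REQ 10.0.0.5:4322 diku 33333333-3333-3333-3333-333333333333 GET /inventory/items/abc
2023-05-01T10:16:10Z REQ 203.0.113.7:5555 diku 11111111-1111-1111-1111-111111111111 GET /configurations/entries?query=module==LOGIN-SAML
2023-05-01T10:16:11Z REQ 203.0.113.7:5556 diku 11111111-1111-1111-1111-111111111111 PUT /configurations/entries/e1
2023-05-01T10:16:40Z REQ 203.0.113.7:5557 diku 22222222-2222-2222-2222-222222222222 POST /accounts/a1/transfer
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(client):
    """True if the client address ("ip:port") lies inside INTERNAL_NET."""
    host = client.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host) in INTERNAL_NET
    except ValueError:
        return False


def scan(lines):
    """Aggregate system-user requests and flag the unusual ones.

    Returns {"counts": {user_id: Counter of (method, path)},
             "flagged": [record dicts with a "reasons" list]}.
    """
    counts = defaultdict(Counter)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in SYSTEM_USER_IDS:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        counts[rec["user"]][(rec["method"], path)] += 1
        reasons = []
        if not is_internal(rec["client"]):
            reasons.append("external client")
        if path.startswith(SENSITIVE_PREFIXES) and rec["method"] in WRITE_METHODS:
            reasons.append("write to sensitive API")
        if reasons:
            flagged.append({"ts": rec["ts"], "user": rec["user"],
                            "client": rec["client"], "method": rec["method"],
                            "path": path, "reasons": reasons})
    return {"counts": counts, "flagged": flagged}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines())
    for user, ctr in report["counts"].items():
        print(f"{user}: {sum(ctr.values())} requests, {len(ctr)} distinct endpoints")
    for hit in report["flagged"]:
        print(f"FLAG {hit['ts']} {hit['user']} {hit['method']} {hit['path']} "
              f"from {hit['client']}: {', '.join(hit['reasons'])}")
```

Run it against a real log export by feeding the file's lines to `scan()`; the per-user counters give a baseline of what each system user normally touches, and the flagged list is the short subset worth reading by hand. Both heuristics are deliberately coarse: module-to-module writes to these APIs can be legitimate, so a flag is a prompt for review, not a verdict.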