Attention Folio System Operators,
The following releases have been made to patch the aforementioned critical security vulnerabilities:
· mod-data-export-spring-2.0.2 (Orchid)
· mod-data-export-spring-1.5.4 (Nolana)
· mod-remote-storage-2.0.3 (Orchid)
· mod-remote-storage-1.7.2 (Nolana)
Remediation instructions:
1. When configuring the new mod-data-export-spring and mod-remote-storage versions for your flower release, you MUST set the SYSTEM_USER_PASSWORD environment variable. Avoid using values which are easy to guess, such as the module name or the system username.
2. Deploy the new module versions.
3. For each tenant $TENANT, migrate to the new module version:
   1. For Orchid: curl -d '[{"id":"mod-data-export-spring-2.0.2","action":"enable"},{"id":"mod-remote-storage-2.0.3","action":"enable"}]' http://$OKAPI:9130/_/proxy/tenants/$TENANT/install?reinstall=true
   2. For Nolana: curl -d '[{"id":"mod-data-export-spring-1.5.4","action":"enable"},{"id":"mod-remote-storage-1.7.2","action":"enable"}]' http://$OKAPI:9130/_/proxy/tenants/$TENANT/install?reinstall=true
4. For each tenant, verify that the patch has been successfully applied: go to the UI and try to log in. Use the default username data-export-system-user and system-user (for remote-storage) and the new password. NOTE: These system users do not have UI permissions, so once you log in, you won't be able to do anything in the UI/stripes. It's sufficient to check that you're able to authenticate.
5. You may also want to check the logs for these two modules for any entries which might indicate a problem.
N.B. If you specify a non-default system username by setting SYSTEM_USER_NAME, you MUST manually disable or delete the existing system user with the default username.
N.B. After changing SYSTEM_USER_PASSWORD or SYSTEM_USER_NAME, it is NOT sufficient to only redeploy the module; you also MUST reinstall the module as shown above.
N.B. Disabling an affected module is NOT sufficient to fix the vulnerability.
System operators are advised to immediately apply this fix for both modules.
-Folio Security Team
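The remediation steps above, scripted as an added example that is not part of the advisory or of the FOLIO project: it builds the Okapi install payload for the chosen flower release, rejects the guessable SYSTEM_USER_PASSWORD values the advisory warns against, reinstalls the patched modules for every tenant, and then checks that both system users can authenticate. It assumes the environment variables OKAPI, TENANTS (space-separated), RELEASE (Orchid or Nolana) and SYSTEM_USER_PASSWORD are exported, and that mod-login's POST /authn/login with an X-Okapi-Tenant header returns an x-okapi-token header on a successful login (a curl substitute for the UI login check).

```shell
# Added example, not from the Folio advisory. Reinstalls the patched modules for
# every tenant via Okapi, then checks both system users can log in. Assumes OKAPI,
# TENANTS, RELEASE (Orchid|Nolana) and SYSTEM_USER_PASSWORD are exported and that
# POST /authn/login (mod-login) answers a good login with an x-okapi-token header.
set -eu

# Module IDs from the advisory, keyed by flower release.
patched_modules() {
  case "$1" in
    Orchid) echo "mod-data-export-spring-2.0.2 mod-remote-storage-2.0.3" ;;
    Nolana) echo "mod-data-export-spring-1.5.4 mod-remote-storage-1.7.2" ;;
    *) echo "unknown release: $1" >&2; return 1 ;;
  esac
}
# JSON body for /_/proxy/tenants/$TENANT/install, one enable entry per module.
install_payload() {
  local body="" id
  for id in "$@"; do body="${body:+$body,}{\"id\":\"$id\",\"action\":\"enable\"}"; done
  printf '[%s]' "$body"
}
# Reject the guessable values the advisory warns against (module names and the
# default system usernames) as well as the empty string.
password_is_acceptable() {
  local bad
  [ -n "$1" ] || return 1
  for bad in mod-data-export-spring mod-remote-storage data-export-system-user system-user; do
    [ "$1" != "$bad" ] || return 1
  done
}
# reinstall=true is what applies the new SYSTEM_USER_PASSWORD; redeploy alone does not.
reinstall_tenant() {
  curl -sf -H 'Content-Type: application/json' \
    -d "$(install_payload $(patched_modules "$RELEASE"))" \
    "http://$OKAPI:9130/_/proxy/tenants/$1/install?reinstall=true"
}
# A successful login response carries an x-okapi-token header; anything else fails.
verify_login() {
  curl -sf -o /dev/null -D - -H "X-Okapi-Tenant: $1" -H 'Content-Type: application/json' \
    -d "{\"username\":\"$2\",\"password\":\"$SYSTEM_USER_PASSWORD\"}" \
    "http://$OKAPI:9130/authn/login" | grep -qi '^x-okapi-token:'
}
main() {
  password_is_acceptable "${SYSTEM_USER_PASSWORD:-}" || { echo "weak SYSTEM_USER_PASSWORD" >&2; exit 1; }
  for t in $TENANTS; do
    reinstall_tenant "$t"
    for u in data-export-system-user system-user; do
      verify_login "$t" "$u" || { echo "login failed: $u@$t" >&2; exit 1; }
    done
  done
}
if [ -n "${RELEASE:-}" ]; then main; fi
```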
From: Craig McNally
Sent: Tuesday, July 18, 2023 4:17 PM
To: sysops-sig@ole-lists.openlibraryfoundation.org
Subject: RE: Folio - Critical Security Vulnerabilities
Attention Folio System Operators,
Related to the notice sent yesterday about critical security vulnerabilities, we now have more information on when patch releases will be available. Both releases are expected to be available Thursday (July 20, 2023).
Announcements will be made once releases are available.
System operators are advised to apply these fixes ASAP.
-Folio Security Team
From: Craig McNally
Sent: Monday, July 17, 2023 5:33 PM
To: sysops-sig@ole-lists.openlibraryfoundation.org
Subject: Folio - Critical Security Vulnerabilities
Attention Folio System Operators,
Two critical security vulnerabilities have recently been discovered in Folio. Due to the severity and exploitability of these vulnerabilities, they have been embargoed. As such, details cannot be provided at this time. The Folio Security Team is sending this notification to inform you that fixes are being worked on and two critical service patch (CSP) releases will soon be available for both Orchid and Nolana. Exact timing of the releases is TBD, but the first, which addresses the more critical of the two vulnerabilities, may be available as soon as Wednesday July 19, 2023. We strongly suggest that these patches are applied as soon as possible. Unfortunately, there are no known workarounds at this time aside from disabling the affected modules.
Another notification will be sent once the first CSP release is available. Full details of the vulnerabilities will not be disclosed until a reasonable amount of time has passed, providing system operators with sufficient time to apply the patches.
-Folio Security Team