Yet another flaw has been found in IPAC (if you use 2.xx) or HIP (if you use 3.xx), this one sent to me by my Dept. Head, who hangs out on the Horizon-L mailing list.
The core of the message goes like this:
My security officer notified me of the following JBOSS vulnerability and his
investigation. I have notified Dynix but so far have had no reply. We have
port 8083 blocked to the world but it is open internally and cannot easily
be blocked. How are others coping with this? Has anyone implemented the
suggested fix?
Oh yeah, in other news, did you know that Sirsi and Dynix have merged? All I can say is I hope they pool their resources and come out with better, more complete and secure products. Did somebody hack their website or something? At the time of this writing, all I get is a generic Apache webpage. Anyways, I digress...
Well, I suppose it really isn't SirsiDynix's fault; I mean, they took advantage of the open-source JBoss software. A simple update to JBoss, assuming one has been released already, and all is well. The real question is when Dynix is going to get around to offering an update, and if they do, will they push the update to existing customers?
Want to know what I think? Tough - I am going to tell you anyways what I think: I think Dynix will not push out the fix, and will not notify existing customers because it costs too much time and money. You'll only get the fixes when you upgrade to the latest and greatest of existing products.
I'm trying to be positive, I'm trying to be positive [fade into background]. I mean, I too have found a security-related hole in HIP that has been around since the early days of IPAC. If you have a Dynix customer support login, see here. It covers some but not all of what you need to know about how to combat that problem. Hell, I even offered Dynix a method of fixing this issue, but they didn't use it. Instead they released that %&*#&@ incomplete LogExpress. And I will not hesitate to say that I am as mad as hell that they didn't fix the problem. By the same token, however, HIP will soon no longer be using Interbase/Firebird for HIP's administrative database, and once Interbase/Firebird is gone, so is this problem. Until then, what are you to do?
My solution to the problem? Stick a bridging packet filter in front of your HIP/IPAC server. I used OpenBSD for that purpose, and it has worked nicely ever since. Only allow through the ports the world needs to see: the real port to your catalogue, and nothing else.
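An OpenBSD pf rule set for that kind of bridging filter, written here as an added example; it is not the configuration from the box described in this post. It assumes two bridge members, fxp0 facing the world and fxp1 facing the server, a catalogue answering on TCP port 80 at 192.0.2.10, and current pf syntax; the interface names, address and port are placeholders to change for your own setup.

```pf
# /etc/pf.conf -- added example for a transparent bridge in front of a HIP/IPAC server.
# Assumed values (not from the original post): fxp0 faces the world, fxp1 faces
# the server, and the catalogue listens on TCP/80 at 192.0.2.10. Change all three.
ext_if       = "fxp0"
int_if       = "fxp1"
catalog      = "192.0.2.10"
catalog_port = "80"

# Filter every packet exactly once, on the outside member; the inside member
# and loopback are skipped so state is not evaluated twice per packet.
set skip on { lo0 $int_if }
set block-policy drop

# Default deny, logged: a probe of 8083 (or anything else) from outside
# is dropped silently and shows up on pflog0.
block log all

# The only thing the world may reach: new TCP connections to the catalogue
# port. The state entry lets the replies back out without a second rule.
pass in on $ext_if proto tcp from any to $catalog port $catalog_port \
    flags S/SA keep state

# Let the server itself start connections outward (DNS, vendor updates)
# and ping out; replies come back through the state table.
pass out on $ext_if proto { tcp udp } from $catalog to any keep state
pass out on $ext_if inet proto icmp from $catalog to any icmp-type echoreq keep state
```

To make the two NICs a bridge with no addresses of their own, put `up` in /etc/hostname.fxp0 and /etc/hostname.fxp1 and `add fxp0 add fxp1 up` in /etc/hostname.bridge0 (older releases used brconfig instead of ifconfig for this), then load the rules with `pfctl -f /etc/pf.conf`. Check it from a host on the outside: `nc -zv 192.0.2.10 8083` should hang and time out while `nc -zv 192.0.2.10 80` connects, and `tcpdump -n -e -ttt -i pflog0` shows the dropped probe. The caveat is that the bridge only protects the server from the far side of the bridge; anything on the server's own segment, and the server itself, can still reach 8083, so that segment should hold nothing but the server.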
Two years before our upgrade to Horizon early this year, I put into place an Intel Pentium 166MHz box with 64 MB of EDO RAM, two decent Intel NICs and a 512 MB hard drive to cover this purpose, and that unit still sits in front of our now static Win2000 Server Std webserver, working hard at protecting open Microsoft ports from malicious intent. Hehe, sometimes old hardware just never dies.