Educause Security Discussion mailing list archives
Re: Blackboard security vulnerability
From: Patrick Ouellette <ouellep () ALGONQUINCOLLEGE COM>
Date: Wed, 26 Aug 2009 14:05:25 -0400
There are DEFINITELY exploits in the wild - we've had a few problems over the years, but the patching from BB does tend to be version & feature specific. In other words, it may or may not apply to YOUR particular installation of BB, and that's not always clear. The college here typically doesn't apply fixes as they emerge, due to business process requirements - can't have the system down for too long, when it's in use 24/7 365 days a year.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven M Werby/FS/VCU
Sent: August-26-09 1:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blackboard security vulnerability

My colleagues that manage Blackboard received an email from Blackboard yesterday about a security vulnerability and Blackboard's hotfix (excerpts below). They contacted our rep at Blackboard to find out more about the vulnerability and were told "I'm getting the impression that it's not that big a deal and that it can wait...sorry they won't tell me more". Do any of you have details about the vulnerability? I have to wonder whether there are exploits in the wild, despite what they said. They claim it was discovered internally and there are no known exploits, but the lack of even basic details about the vulnerability and mixed messages from the vendor make me wonder. That said, we're moving forward with testing and deploying the updates.
In response to an internally discovered security vulnerability in the Blackboard Classic product line, a Hotfix is now available on Behind the Blackboard for the latest Service Pack of all fully supported releases as well as Release 7.2 and 7.1.
SNIP
We recognize for many of our clients that this is the most challenging time of year to receive a Hotfix; however, the timing is solely dependent on the discovery of the vulnerability. Blackboard did research the feasibility of creating a Hotfix for all available releases, but we determined it would exponentially increase development time and would also delay the release of a Hotfix for the targeted Service Packs. Therefore, only the last Service Pack for each release will receive a Hotfix. While we have no knowledge of any exploitation of this vulnerability, Blackboard urges all institutions to immediately apply the Hotfix.
SNIP
Because timelines for upgrading to one of these releases will vary by institution, Blackboard will not publish detailed information on this vulnerability to prevent any potential exploitation.
--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
Information Security News, Tips & More - http://www.twitter.com/vcuinfosec
Information Security Best Practices - http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf