Educause Security Discussion mailing list archives

Re: Blackboard security vulnerability


From: Patrick Ouellette <ouellep () ALGONQUINCOLLEGE COM>
Date: Wed, 26 Aug 2009 14:05:25 -0400

There are DEFINITELY exploits in the wild - we've had a few problems over the years, but the patching from BB does tend to be version & feature specific.
In other words, it may or may not apply to YOUR particular installation of BB, and that's not always clear.

The college here typically doesn't apply fixes as they emerge, due to business process requirements - can't have the system down for too long, when it's in use 24/7 365 days a year.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven M Werby/FS/VCU
Sent: August-26-09 1:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blackboard security vulnerability

My colleagues that manage Blackboard received an email from Blackboard yesterday about a security vulnerability and Blackboard's hotfix (excerpts below). They contacted our rep at Blackboard to find out more about the vulnerability and were told "I'm getting the impression that it's not that big a deal and that it can wait...sorry they won't tell me more".

Do any of you have details about the vulnerability? I have to wonder whether there are exploits in the wild, despite what they said. They claim it was discovered internally and there are no known exploits, but the lack of even basic details about the vulnerability and mixed messages from the vendor make me wonder.

That said, we're moving forward with testing and deploying the updates.

In response to an internally discovered security vulnerability in
the Blackboard Classic product line, a Hotfix is now available on
Behind the Blackboard for the latest Service Pack of all fully
supported releases as well as Release 7.2 and 7.1.

SNIP

We recognize for many of our clients that this is the most
challenging time of year to receive a Hotfix; however, the timing is
solely dependent on the discovery of the vulnerability.
Blackboard did research the feasibility of creating a Hotfix for all
available releases, but we determined it would exponentially
increase development time and would also delay the release of a
Hotfix for the targeted Service Packs.  Therefore, only the last
Service Pack for each release will receive a Hotfix.
While we have no knowledge of any exploitation of this
vulnerability, Blackboard urges all institutions to immediately
apply the Hotfix.

SNIP

Because timelines for upgrading to one of these releases will vary
by institution, Blackboard will not publish detailed information on
this vulnerability to prevent any potential exploitation.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University

VCU Information Security - http://infosecurity.vcu.edu/
Information Security News, Tips & More - http://www.twitter.com/vcuinfosec
Information Security Best Practices - http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf