Educause Security Discussion mailing list archives
Re: 0-days reported in Blackboard
From: "Schoenefeld, Keith P." <Keith_Schoenefeld () BAYLOR EDU>
Date: Fri, 16 Sep 2011 22:06:31 -0500
Steve,

Ask your Blackboard Admins to log on to the Blackboard Knowledgebase and get you a copy of LRNSI-2284. The most recent version was released about 5:00pm today (central time), and includes updated information indicating that Blackboard now plans to release patches for some of the issues, rather than forcing their customers to wait months for a solution. I haven't had an opportunity to review the details yet, but it's at least an improvement in the response.

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Werby
Sent: Friday, September 16, 2011 10:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 0-days reported in Blackboard

Zero-day holes found in the Blackboard learning platform
http://www.scmagazine.com.au/News/272215,millions-of-student-exams-tests-and-data-exposed.aspx

Multiple zero-day security vulnerabilities have been found in the world's most popular educational software - holes that allow students to change grades and download unpublished exams, whilst allowing criminals to steal personal information...The problems relate to default configuration and web application vulnerabilities present in all versions of the Blackboard Learn system....the vulnerabilities would remain unpatched until the first service pack update is delivered "prior to the end of the year"...the issue was initially logged (in July) to our client support team...We issued a support bulletin to Blackboard Learn clients today after completing our review of the issues.

It's not surprising that Blackboard is continuing down their old path concerning the handling of vulnerabilities. Is anyone familiar with the details and able to share them? Can anyone share the support bulletin? If any of you have implemented compensating controls, can you share what steps you took?

-- Steve Werby
Information Security Officer
The University of Texas at San Antonio