Educause Security Discussion mailing list archives

Re: 0-days reported in Blackboard


From: "Schoenefeld, Keith P." <Keith_Schoenefeld () BAYLOR EDU>
Date: Fri, 16 Sep 2011 22:06:31 -0500

Steve,

Ask your Blackboard Admins to log on to the Blackboard Knowledgebase and get you a copy of LRNSI-2284. The most recent version was released about 5:00pm today (central time), and includes updated information indicating that Blackboard now plans to release patches for some of the issues, rather than forcing their customers to wait months for a solution. I haven't had an opportunity to review the details yet, but it's at least an improvement in the response.

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Werby
Sent: Friday, September 16, 2011 10:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 0-days reported in Blackboard


Zero-day holes found in the Blackboard learning platform
http://www.scmagazine.com.au/News/272215,millions-of-student-exams-tests-and-data-exposed.aspx

Multiple zero-day security vulnerabilities have been found in the world's most popular educational software - holes that allow students to change grades and download unpublished exams, whilst allowing criminals to steal personal information...The problems relate to default configuration and web application vulnerabilities present in all versions of the Blackboard Learn system....the vulnerabilities would remain unpatched until the first service pack update is delivered "prior to the end of the year"...the issue was initially logged (in July) to our client support team...We issued a support bulletin to Blackboard Learn clients today after completing our review of the issues.

It's not surprising that Blackboard is continuing down their old path concerning the handling of vulnerabilities.

Is anyone familiar with the details and able to share them? Can anyone share the support bulletin? If any of you have implemented compensating controls, can you share what steps you took?

--
Steve Werby
Information Security Officer
The University of Texas at San Antonio
