In 2014, two security alerts were issued by third parties that have raised questions about their impact on CollegeSource products, particularly those that are installed by clients. This page provides an overview of those alerts and our recommendations for resolving the problems as they relate to CollegeSource products.
In summary, to enable the use of Expression Language (EL) in web applications based upon earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice: once by the container and once by the tag. This can lead to unexpected results, including disclosure of information and remote code execution. (Initially, only information disclosure was documented, but a subsequent report showed the possibility of code execution.)
Several CollegeSource products use Spring MVC tags and therefore are vulnerable to Spring Expression Language Injection. The products affected and recommended resolutions are listed in the table below:
| CollegeSource Product | Recommended Action |
| --- | --- |
| u.direct | Update to the current u.direct release |
| Schedule Builder | Update to the current Schedule Builder release |
| u.achieve Self-Service | u.achieve Self-Service release 4.1.2 will include the updated libraries by default (available Feb 28, 2013) |
| Transferology Connector | Update to the current Transferology Connector release |
| u.select | Hosted site has been updated to resolve the vulnerability; no client action necessary |
| u.achieve Server, u.achieve Client | Not affected, no action necessary |
| DARwin Server, DARwin Client, DARSweb | Not affected, no action necessary |
| Banner Interface (DARwin and u.achieve) | Not affected, no action necessary |
| | Not affected, no action necessary |
| TES, CollegeSource Online | Not affected, no action necessary |
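For client-installed deployments, the double evaluation described above can be checked for directly rather than only by library version. The following is an added example (not CollegeSource or Spring code) that flags Spring `spring:`/`form:` tag attributes whose values embed `${...}`, and checks whether web.xml sets Spring's `springJspExpressionSupport` context-param to `false`, which is Spring's own switch for the tag-level EL pass (that parameter name is not mentioned on this page). The JSP and web.xml inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Spring's own tag libraries (spring: and form: prefixes) performed their own EL pass.
SPRING_TAG_RE = re.compile(r"<((?:spring|form):[\w-]+)\b([^>]*)>", re.S)
# An attribute whose value embeds ${...} is evaluated by the container and then
# again by the tag on an EL-capable container: the double evaluation described above.
EL_ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*\$\{[^"]*)"')

def find_double_eval_candidates(jsp_source):
    """Return (tag, attribute, value) triples for Spring tag attributes embedding ${...}."""
    found = []
    for tag_match in SPRING_TAG_RE.finditer(jsp_source):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        for attr, value in EL_ATTR_RE.findall(attrs):
            found.append((tag, attr, value))
    return found

def tag_el_disabled(web_xml_source):
    """True if web.xml turns off Spring's tag-level EL pass via the
    springJspExpressionSupport context-param (Spring's switch; not named on the page)."""
    root = ET.fromstring(web_xml_source)
    for element in root.iter():
        if not element.tag.endswith("context-param"):
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in element}
        if fields.get("param-name") == "springJspExpressionSupport":
            return fields.get("param-value", "").lower() == "false"
    return False  # the tag-level pass is on by default, so absence means enabled

def assess(jsp_source, web_xml_source):
    """At risk when candidate attributes exist and the tag-level pass is still enabled."""
    candidates = find_double_eval_candidates(jsp_source)
    disabled = tag_el_disabled(web_xml_source)
    return {"candidates": candidates, "tag_el_disabled": disabled,
            "at_risk": bool(candidates) and not disabled}

# Constructed sample inputs (not taken from any CollegeSource product).
SAMPLE_JSP = """<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<spring:message text="${param.greeting}"/>
<form:input path="email" cssClass="${theme.fieldClass}"/>
<spring:url value="/search" var="searchUrl"/>"""
WEB_XML_DEFAULT = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>'
WEB_XML_HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    for label, web_xml in (("default", WEB_XML_DEFAULT), ("hardened", WEB_XML_HARDENED)):
        print(label, assess(SAMPLE_JSP, web_xml))
```

Updating to a Spring release that no longer evaluates EL in tags, as the table recommends, removes the issue regardless of the context-param; the check is useful for confirming that an installed deployment actually picked up the change.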
Oracle Security Alert for CVE-2013-0422
The full text of the Oracle Security Alert can be found at the following URL: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
In summary, this Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A, Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications, or embedded Java applications. They also do not affect Oracle server-based software.
CollegeSource does not write Java applets or Web Start applications, so none of our applications require the use of Java in the browser. We also do not write standalone Java desktop applications or embedded Java applications, only server applications. This security alert does not directly affect CollegeSource products, and running CollegeSource products does not increase vulnerability to this threat. You could disable Java in the browser on all your desktops and CollegeSource applications would not be adversely affected.
Also, according to details provided at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422, this vulnerability does NOT affect Java 6, only Java 7.