Over the past several days, third parties have issued two security alerts that have raised questions about their impact on CollegeSource products, particularly those installed by clients. This is an overview of those alerts and our recommendations for resolving the problem as it relates to CollegeSource products.
The full text of the SpringSource security alert can be found here: http://support.springsource.com/security/cve-2011-2730
To summarize:
To enable the use of Expression Language (EL) in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice: once by the container and once by the tag. This can lead to unexpected results that include disclosure of information and remote code execution (initially only information disclosure was documented, but a subsequent report showed the possibility of code execution).
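The practical question for a client running one of the affected web applications is whether the deployment still lets Spring tags evaluate EL on their own. The SpringSource alert's documented mitigation is the `springJspExpressionSupport` servlet context parameter, set to `false` in `web.xml`; that parameter name comes from the Spring Framework, not from this CollegeSource page. The following check is an added example, not CollegeSource or SpringSource code: it reads a `web.xml`, tolerates the Java EE XML namespace that most real descriptors carry, and reports whether the parameter is explicitly disabled. The three descriptors embedded below are constructed samples.

```python
# Added example (not from the CollegeSource page): audit a Spring MVC
# web.xml for the springJspExpressionSupport context parameter, the
# mitigation SpringSource documented for CVE-2011-2730. When the parameter
# is absent or not "false", Spring tags may evaluate EL a second time after
# the container already has.
import xml.etree.ElementTree as ET

PARAM_NAME = "springJspExpressionSupport"


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}context-param'."""
    return tag.rsplit("}", 1)[-1]


def spring_el_support(web_xml: str):
    """Return the configured value of springJspExpressionSupport as a string,
    or None when the parameter is not declared (the framework default applies)."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM_NAME:
            return value
    return None


def assess(web_xml: str) -> str:
    """One-line verdict suitable for a deployment checklist."""
    value = spring_el_support(web_xml)
    if value is None:
        return "NOT SET: Spring tag EL support relies on the framework default; declare it as false"
    if value.lower() == "false":
        return "OK: Spring tag EL support explicitly disabled"
    return f"EXPOSED: {PARAM_NAME}={value}; Spring tags will evaluate EL independently of the container"


# Constructed sample descriptors (not taken from any CollegeSource product).
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

DEFAULT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/*.xml</param-value>
  </context-param>
</web-app>"""

EXPOSED_WEB_XML = """<web-app version="2.4">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    for label, xml in (("hardened", HARDENED_WEB_XML),
                       ("default", DEFAULT_WEB_XML),
                       ("exposed", EXPOSED_WEB_XML)):
        print(f"{label:9s} -> {assess(xml)}")
```

Run it against each deployed application's `WEB-INF/web.xml`; a `NOT SET` result means the behaviour depends on which Spring Framework version is bundled, so declaring the parameter explicitly removes that ambiguity. The namespace-stripping helper matters in practice: descriptors that declare `xmlns="http://java.sun.com/xml/ns/javaee"` would otherwise match no `context-param` elements and be reported as safe by mistake.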
CollegeSource Product | Recommended Action |
---|---|
u.direct | |
Schedule Builder | |
u.achieve Self-Service | |
u.achieve Server, Client | Not affected, no action necessary |
DARwin Server, Client, DARSweb | Not affected, no action necessary |
Banner Interface (DARwin and u.achieve) | Not affected, no action necessary |
Security | Not affected, no action necessary |
u.select | Hosted site has been updated to resolve vulnerability, no client action necessary |
u.select Connector | Not affected, no action necessary |
...
The full text of the Oracle Security Alert can be found here: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
To summarize:
Oracle Security Alert for CVE-2013-0422
...