
Over the past several days, two security alerts issued by third parties have raised questions about their impact on CollegeSource products, particularly those installed on client systems. This is an overview of those alerts and our recommendation for resolving the problem as it relates to CollegeSource products.


Spring Expression Language Injection

  • Vulnerability of CollegeSource Products: High, depending on product (see chart)
  • General Vulnerability to CollegeSource Clients: High
  • Recommended Resolution: Update affected products to latest version.
The full text of the Spring Security Alert can be found here: http://support.springsource.com/security/cve-2011-2730

To summarize:

To enable the use of Expression Language (EL) in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice: once by the container and once by the tag. This can lead to unexpected results that include disclosure of information and remote code execution (initially only information disclosure was documented, but a subsequent report showed the possibility of code execution).
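For sites that run their own Spring MVC web application with the Spring JSP tag library, the tag-level EL evaluation described above can be switched off explicitly while the upgrade is scheduled. The web.xml fragment below is an added, constructed example and is not CollegeSource's own configuration or a CollegeSource product file; it assumes a Servlet 2.4 or later container and Spring 3.0.6 / 3.1.0 or later, the releases that introduced the springJspExpressionSupport servlet context parameter. The display-name is a placeholder.

```xml
<!-- Constructed web.xml fragment (added example, not from the CollegeSource page). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>example-spring-mvc-app</display-name> <!-- placeholder name -->

  <!-- Weak state: no parameter at all. In affected Spring versions the tag
       library evaluates ${...} in its attributes itself, and a Servlet
       2.4+/JSP 2.0+ container has already evaluated the same attribute,
       which is the double evaluation the alert describes. -->

  <!-- Hardened state: tell Spring's JSP tags not to evaluate EL themselves
       and leave EL to the container. Only honored from Spring 3.0.6 / 3.1.0
       onward (assumption: those versions are on the classpath), so check the
       spring-webmvc jar version before relying on this setting. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

</web-app>
```

This setting is a complement to, not a substitute for, updating to a Spring release that contains the fix; it is useful mainly to confirm that no tag on the site still depends on the tag-level evaluation before the upgrade is rolled out.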

CollegeSource Product                     | Recommended Action
------------------------------------------|------------------------------------------------------------------------------
u.direct                                  |
Schedule Builder                          |
u.achieve Self-Service                    |
u.achieve Server, Client                  | Not affected, no action necessary
DARwin Server, Client, DARSweb            | Not affected, no action necessary
Banner Interface (DARwin and u.achieve)   | Not affected, no action necessary
Security                                  | Not affected, no action necessary
u.select                                  | Hosted site has been updated to resolve vulnerability, no client action necessary
u.select Connector                        | Not affected, no action necessary

Java 7 Security Manager Bypass Vulnerability

...

The full text of the Oracle Security Alert can be found here: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

To summarize:

Oracle Security Alert for CVE-2013-0422

...