http://support.springsource.com/security/cve-2011-2730
To summarize (from the SpringSource advisory linked above):
To enable the use of Expression Language (EL) in web applications based on earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice: once by the container and once by the tag. This can lead to unexpected results that include disclosure of information and remote code execution (initially only information disclosure was documented, but a subsequent report showed the possibility of code execution).
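The practical consequence of the double evaluation is this: a tag attribute such as `<spring:message text="${param.greeting}"/>` is first resolved by the container, which substitutes the raw request parameter value; if an attacker sends `greeting=${applicationScope}` (or any other EL expression), the tag then evaluates that substituted string a second time and the attacker's expression runs in the server's EL context. The mitigation documented in the SpringSource advisory is to turn off the tags' independent EL evaluation on containers that already support EL, via the `springJspExpressionSupport` context parameter. The web.xml fragment below is an added illustration, not taken from the advisory or from any CollegeSource product; the `spring:message` usage and the `greeting` parameter name above are constructed examples.

```xml
<!-- web.xml: disable Spring MVC tag EL evaluation on a container that
     already evaluates ${...} itself, so attributes are only evaluated once.
     Added example; the context-param name is the one documented by
     SpringSource for CVE-2011-2730. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

    <context-param>
        <param-name>springJspExpressionSupport</param-name>
        <param-value>false</param-value>
    </context-param>

    <!-- rest of the application's descriptor unchanged -->

</web-app>
```

With this setting, the container still resolves `${param.greeting}` to the submitted string, but the tag treats that string as literal text rather than re-evaluating it, so a payload like `${applicationScope}` is simply rendered as-is. Upgrading to a Spring release that carries the fix (as the vendor advisory recommends) remains the complete remedy; the context parameter is the stop-gap for applications that cannot upgrade immediately.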
Several CollegeSource products use Spring MVC tags and are therefore vulnerable to Expression Language (EL) injection through this double evaluation. The affected products and the recommended resolution for each are listed in the table below:
| CollegeSource Product | Recommended Action |
|---|---|
| u.direct, Schedule Builder, u.achieve Self-Service | Update to the latest u.direct release OR update to the latest Schedule Builder release |
| u.achieve Server, Client | Not affected, no action necessary |
| DARwin Server, Client, DARSweb | Not affected, no action necessary |
| Banner Interface (DARwin and u.achieve) | Not affected, no action necessary |
| Security | Not affected, no action necessary |
| u.select | Hosted site has been updated to resolve the vulnerability, no client action necessary |
| u.select Connector | Not affected, no action necessary |