In 2014, two security alerts were issued by third parties that have raised questions about their impact on CollegeSource products, particularly those that are installed by clients. This page provides an overview of those alerts and our recommendations for resolving the problems as they relate to CollegeSource products.
Spring Expression Language Injection

  • Vulnerability of CollegeSource Products: High, depending on products installed (see table below)
  • General Vulnerability to CollegeSource Clients: High
  • Recommended Resolution: Update affected products to latest version
The full text of the Spring Security Alert can be found at the following URL: http://support.springsource.com/security/cve-2011-2730

In summary, to enable the use of Expression Language (EL) in web applications based upon earlier JSP specifications, some Spring MVC tags provide EL support independently of the Servlet/JSP container. The evaluation of EL is enabled by default. When used on containers that do support EL, the attributes can be evaluated for EL twice: once by the container and once by the tag. This can lead to unexpected results, including disclosure of information and remote code execution. (Initially, only information disclosure was documented, but a subsequent report showed the possibility of code execution.)
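The double evaluation described above, reduced to a short Python simulation (an added example, not CollegeSource or Spring code; the toy resolver, the scope names and the sample values are constructed). It shows why a request parameter that merely contains EL syntax becomes dangerous once a tag re-evaluates text the container has already evaluated, and why a single evaluation pass does not have that problem:

```python
import re

# Constructed sample data: what the container and the Spring tag can resolve.
REQUEST_PARAMS = {"name": "${appScope.dbPassword}"}  # user-supplied input (constructed)
APP_SCOPE = {"dbPassword": "hunter2-constructed"}     # server-side value that must not leak

EL = re.compile(r"\$\{([^}]*)\}")


def resolve(expr: str) -> str:
    """Resolve one ${scope.key} expression (toy resolver, not real JSP EL)."""
    scope, _, key = expr.strip().partition(".")
    scopes = {"param": REQUEST_PARAMS, "appScope": APP_SCOPE}
    return str(scopes.get(scope, {}).get(key, ""))


def evaluate(text: str) -> str:
    """One EL pass: replace every ${...} in the text with its resolved value."""
    return EL.sub(lambda m: resolve(m.group(1)), text)


def render_vulnerable(attr: str) -> str:
    """Container evaluates the attribute, then the tag evaluates the result again."""
    once = evaluate(attr)   # pass 1: ${param.name} -> the raw parameter value
    return evaluate(once)   # pass 2: the parameter value is itself treated as EL


def render_fixed(attr: str) -> str:
    """Only the container evaluates; the tag treats the result as literal text."""
    return evaluate(attr)


def params_with_el_syntax(params: dict) -> list:
    """Defensive check: names of request parameters that carry ${...} syntax."""
    return sorted(name for name, value in params.items() if EL.search(value))


if __name__ == "__main__":
    attr = "Hello ${param.name}"
    print("double evaluation:", render_vulnerable(attr))
    print("single evaluation:", render_fixed(attr))
    print("parameters to flag:", params_with_el_syntax(REQUEST_PARAMS))
```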

Several CollegeSource products use Spring MVC tags and therefore are vulnerable to Spring Expression Language Injection. The products affected and recommended resolutions are listed in the table below:

CollegeSource Product | Recommended Action
--- | ---
u.direct | Update to the current u.direct release, OR update the u.direct Spring libraries
Schedule Builder | Update to the current Schedule Builder release
u.achieve Self-Service | Update the u.achieve Self-Service Spring libraries. u.achieve Self-Service release 4.1.2 will include the updated libraries by default (available Feb 28, 2013)
Transferology Connector | Update to the current Transferology Connector release
u.select | Hosted site has been updated to resolve the vulnerability; no client action necessary
u.achieve Server, u.achieve Client | Not affected, no action necessary
DARwin Server, DARwin Client, DARSweb | Not affected, no action necessary
Banner Interface (DARwin and u.achieve) | Not affected, no action necessary
Dashboard | Not affected, no action necessary
TES, CollegeSource Online | Not affected, no action necessary

Java 7 Security Manager Bypass Vulnerability

  • Vulnerability of CollegeSource Products: None
  • General Vulnerability to CollegeSource Clients: High
  • Recommended Resolution: Update Java to the latest patch, or disable Java in the browser on all desktops

...