Update: We will be hosting Webinars during the week of October 3rd to give clients an opportunity to learn more about our overall security practices, to confirm the security best practices we recommend for self-hosted clients, and confirm the best practices within the Managed Hosting environment. To ensure we address the specific needs of clients, Webinars are scheduled for both our self-hosted clients and Managed Hosting clients and each is offered three times to allow clients in all time zones to participate. Beyond the current issues we’re reporting, the Webinars represent a great opportunity to learn about how we’re working with clients to ensure greater levels of security in our product. Dates and times for the Webinars are:
Blackboard Learn Security Best Practices (Managed Hosting clients): Oct 4th 2:00pm ET, Oct 4th 8:00pm ET, Oct 6th 9:30am ET
Blackboard Learn Security Best Practices (self-hosted clients): Oct 3rd 8:00pm ET, Oct 5th 9:30am ET, Oct 6th 2:00pm ET
Many of you may have seen the recent article and related tweets about a recently reported security concern with the Blackboard Learn™ platform. While the article correctly identified a basis for concern, it also delivered information that was both factually incorrect and thematically misaligned with our security practice at Blackboard. However, the publication provides an opportunity for Blackboard to clarify the facts regarding this matter.
First, our security team is far more vigilant than the article suggested, and our partnership with the clients who reported the issues is strong. In fact, our team responded immediately when we received notice of the concern. We were able to address the first issue reported through proper secure configuration of the application within 48 hours of receiving the initial client support request. We have worked closely with the client team and the security organizations that first found the issues to classify the remaining issues in detail and create a resolution plan for them, sharing information and providing frequent status updates. We determined that some of the issues were items we were already working on; the others are now being addressed by our engineering team. The most serious issue, regarding compatibility with the latest version of Tomcat, has now been closed for Blackboard Learn 9.1, enabling us to move the overall threat level for Release 9.1 and 9.0 customers from “high” to “medium,” a risk level that Blackboard classifies as moderate according to its well-established practices. We are finishing our investigation of the Tomcat version used with Release 8.0 and have not yet identified any high risk.
So how does that finding contrast with some of the headlines you may have read? Put simply: although these issues are important, and we are committed to fixing them quickly, most of them could only have a limited impact at the class level, do not seriously threaten the overall institution or system data, and – most importantly – there have been no client reports of exploitation of any of these vulnerabilities. Most of the issues raised are common to many web applications, not just Blackboard Learn. That does not make them less important, but it is important to understand that their scope and potential impact are generally low.
What are the issues exactly? Most involve common attacks like phishing. To give you an example, a successful exploit would require an authenticated user with a valid login to create a malicious website and then create a link within Blackboard to that website. The user would then need to convince another user to actively click on the suspicious link and re-enter their user credentials. These issues do not involve an actual system break-in or data vulnerabilities such as SQL injection.
What’s the risk? While the exploits could enable access to another user’s account, a successful attack is not highly probable, requires significant user intervention, and even then exposure would be limited to the functions the impacted user may perform. These issues would not allow access to the entire system for grades or other system-wide information. The likelihood of an administrator account being compromised is low, and any attempted malicious actions would be logged and traceable.
The issues are described in greater detail in a support bulletin that we made available on Behind the Blackboard last week; it includes full detail on all of the issues, the affected products, and the timeline for patches and releases coming before the end of the year. Based on feedback from clients, we posted an update to that support bulletin this morning, including a table that outlines each issue. We hope the table will make it easier for you to understand the details of the vulnerabilities. We will continue to make updates as we have more information about the issues. Please keep an eye out for updates to the advisory and for email alerts.
In addition, we will be hosting Webinars during the week of October 3rd to give clients an opportunity to learn more about our overall security practices, to confirm the security best practices we recommend for self-hosted clients, and confirm the best practices within the Managed Hosting environment. To ensure we address the specific needs of clients, Webinars are scheduled for both our self-hosted clients and Managed Hosting clients and each is offered three times to allow clients in all time zones to participate. Beyond the current issues we’re reporting, the Webinars represent a great opportunity to learn about how we’re working with clients to ensure greater levels of security in our product. Register here
I hope this context and update will help you and your institution better understand not just the current issues, but our overall policies and procedures for security. We’ve taken a rigorous approach to this area and we tend to scrutinize potential security issues with great discipline. I hope you will see that, when security issues arise, we understand you need to know how they’ll be resolved, and we are committed to responding in a fashion that will only increase your expectations for technology providers in this critical area.
As always, if you have any questions or comments about these issues, please contact Client Support for assistance. I’m also personally available to talk with you if you have specific questions – you can reach me at firstname.lastname@example.org.