-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0078
          Some vulnerabilities have been identified in Blackboard
                       Learn version 9.1 and earlier
                             16 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Blackboard Learn
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Reduced Security -- Unknown/Unspecified
Resolution:           Patch/Upgrade
Member content until: Friday, March 16 2012

OVERVIEW

        Some vulnerabilities have been identified in Blackboard Learn version
        9.1 and earlier.


IMPACT

        Blackboard has been informed about a number of vulnerabilities in the
        Blackboard Learn platform. Blackboard is currently reviewing them
        and will be releasing patches for the vulnerabilities over the
        coming releases and updates.
        
        The exact impact of all the vulnerabilities is not yet known, and
        as they have yet to be patched we will not be providing any specific
        details. However, due to recent media attention there may be an
        increased interest in these vulnerabilities.
        
        AusCERT will continue monitoring the situation and send updates as
        they become available.


MITIGATION

        Due to the potential increased interest in these vulnerabilities,
        users of Blackboard Learn should consider some of the following:
        
        * Update to the latest version of Blackboard Learn with the
          latest service pack (Release 9.1 Service Pack 6).
        
        * Ensure the cross-site scripting filter, "config.global.xss.filter",
          is enabled in the Blackboard configuration to help prevent
          cross-site scripting and some other forms of attack.
        
        * Disable any tools and plugins that are not required.

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----