CVE-2021-44228 and CVE-2021-45046: Log4j2 RCE Vulnerability
Category: Product: Connect, Community Engagement, Collaborate, Learn, Analytics; Version: Connect, Community Engagement, Collaborate, Learn, Analytics
Article No.: 000076125
Bulletin/Advisory Information: Blackboard is aware of multiple vulnerabilities in Apache Log4j including CVE-2021-44228 and CVE-2021-45046. Our response began immediately upon becoming aware of the first vulnerability on December 10th.
As of December 14, 2021, Blackboard completed its investigation and determined:
- There were no vulnerabilities detected in Blackboard Ally, Analytics for Learn, Communications, Data, Connect, and Web Community Manager core products.
- While Smartview was using Log4j, it was not utilizing a vulnerable version of the library or the JMSAppender class. No further action is necessary for Smartview customers at this time.
- The Blackboard Learn core product was not vulnerable, but vulnerabilities were detected in the SafeAssign building block for Learn. Please see the Log4j article on Learn for more guidance and details.
- Blackboard Collaborate was initially vulnerable due to a log processing microservice. This vulnerability has been mitigated.
Additional Guidance Regarding Third-Party Building Blocks
If you have installed third-party building blocks into your Learn instance, it is critical for the security of your system that you reach out to your building block vendors to confirm whether they are affected by these vulnerabilities and whether they have published updated versions. We urge our customers to deploy these updates into their Learn instances as soon as they become available in order to provide the best protection for their data.
For more information regarding the vulnerabilities, please see https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.