Log4j2 RCE Vulnerability


  • CVE-2021-44228 and CVE-2021-45046: Log4j2 RCE Vulnerability

    Date Published: Dec 22, 2021

    Category: Product: Connect, Community Engagement, Collaborate, Learn, Analytics; Version: Connect, Community Engagement, Collaborate, Learn, Analytics

    Article No.: 000076125  

     
    Bulletin/Advisory Information: Blackboard is aware of multiple vulnerabilities in Apache Log4j, including CVE-2021-44228 and CVE-2021-45046. Our response began immediately after we became aware of the first vulnerability on December 10th.

    As of December 14, 2021, Blackboard completed its investigation and determined:
     
    • There were no vulnerabilities detected in Blackboard Ally, Analytics for Learn, Communications, Data, Connect, and Web Community Manager core products.
     
    • While Smartview was using Log4j, it was not utilizing a vulnerable version of the library or the JMSAppender class. No further action is necessary for Smartview customers at this time.
     
    • The Blackboard Learn core product was not vulnerable, but vulnerabilities were detected in the SafeAssign building block for Learn. Please see the Log4j article on Learn for more guidance and details.
     
    • Blackboard Collaborate was initially vulnerable due to a log processing microservice. This vulnerability has been mitigated.
       
    Blackboard continues to stay in close contact with our industry partners, monitor security bulletins, and act immediately upon notices from any and all third parties whose products are used in support of our infrastructure.

    Additional Guidance Regarding Third-Party Building Blocks
    If you have installed third-party building blocks into your Learn instance, it is critical for the security of your system that you reach out to your building block vendors to confirm whether they are affected by these vulnerabilities and whether they have published updated versions. We urge you to deploy these updates into your Learn instance as soon as they become available in order to provide the best protection for your data.

    For more information regarding the vulnerabilities, please see https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.

     

Last Modified on December 23, 2021