At ClassLink, our commitment to creating a secure digital environment for the educational community is woven into the fabric of our operations. Our pledge to Secure by Design principles is not just a statement; it's a fundamental approach to building and maintaining our software solutions. This dedication is exemplified through our transparent public disclosure of vulnerabilities, a practice we uphold with unwavering commitment.
By participating in this pledge, ClassLink is pledging publicly to the following actions:
ClassLink will make security audit logs available to its customers at no additional charge above the base cost of its software solutions to ensure that tenant administrators have the ability to see and react to security events affecting their production environment.
ClassLink conducts internal and external quarterly vulnerability assessments, and authorizes volunteer testing. Findings are anonymously reported, promptly investigated, and recorded. Remediation priorities are set based on threat levels. Vulnerabilities unresolved after 90 days are continuously monitored.
ClassLink publicly discloses any mitigated vulnerabilities, including the disclosure of Common Vulnerabilities and Exposures (CVE). Each CVE entry will feature a Common Weakness Enumeration (CWE) field, providing insights into the root cause of the vulnerability for enhanced understanding and transparency.
ClassLink analyzes diverse security data, including MFA adoption, DDoS incidents, breaches, downtime, policy violations, and more. Calculated statistics are published on a public webpage for transparency.
CWE-200
An Amazon S3 bucket with bash scripts for the internal CI/CD pipeline was publicly readable on the internet.
One script contained a username and password for a beanstalkapp service account, which could affect the CI/CD pipeline for projects on beanstalkapp. The service account has been decommissioned.
Affected Services:
CWE-200
Passwords for LaunchPad applications could be leaked from the App Passwords window when viewing the HTML source directly.
No effect on production environment; certain apps that require passwords could have the password leaked.
Affected Services:
CWE-840, CWE-266
A ClassLink Administrator could create another administrator profile within the CMC.
Creating another admin profile could confuse a ClassLink Administrator and make auditing admin actions more difficult.
Affected Services:
CWE-613
Bearer tokens used to authenticate a user to Roster Server would not expire.
A token that does not expire could be stolen by an attacker and utilized in a replay attack.
Affected Services:
CWE-918
The Test Auth feature on the File Exports page accepts internal IP addresses (e.g., 10.0.0.0/8) or hostnames and a port number and tests connectivity to the system. The server responses reveal whether an IP/Port combination is active.
An attacker with Tenant Administrator (TA) credentials could port scan servers on an internal network during the reconnaissance phase of an attack to develop a network diagram.
Affected Services:
CWE-122, CWE-1395
nginx versions from 0.6.8 - 1.20.0 are vulnerable to Heap Overflow if using the nginx DNS resolver and sending queries to an attacker-controlled DNS server. ClassLink reviewed the system configuration and confirmed it is not using the nginx DNS resolver and is not exploitable. However, the newest versions of AL2 and AL2023 use the most recent patched nginx version, and all instances have been updated.
ClassLink reviewed the system configuration and confirmed cloud instances used the system's default DNS resolver and not the nginx resolver. There was no effect on the production environment.
Affected Services:
CWE-79, CWE-80
When creating a new connection on the SAML Console page, the Name attribute was not being sanitized for JavaScript and HTML attributes. Upon saving, this would trigger custom JavaScript whenever the SAML Console page was opened.
No effect on production environment
Affected Services:
CWE-79, CWE-80
The Public Portal validator was not checking for HTML event handlers or JavaScript, which could be directly injected into an intercepted HTTP request. A ClassLink Administrator could intercept and modify their request to edit the Public Portal and include custom JavaScript, which would be executed on the Public Portal.
No effect on production environment
Affected Services:
CWE-79, CWE-80
The title and message body of the Acceptable Use Policy (AUP) were not being sanitized for JavaScript and HTML attributes.
No effect on production environment
Affected Services:
CWE-284
It is possible to manipulate the folder_id parameter requests to My Files to look up other arbitrary folder IDs. The server would return information, like the name of the folder and the names of files within it. However, it was not possible to download files the user did not have permission to access.
Metadata of files and folders within My Files could be leaked, specifically the names of folders and files.
Affected Services:
CWE-79, CWE-80
When editing or creating a new user via the Edit Users slide-over on the Users page, the First Name, Last Name, and Display Name value fields were not being sanitized for JavaScript and HTML attributes. After saving a user, JavaScript would trigger when viewing the dashboard.
No effect on production environment
Affected Services:
CWE-79, CWE-80
When previewing a notification in the Notifications Module (Beta), the preview window was not sanitizing the notification's title or body for cross-site scripting (XSS), which allows custom JavaScript. XSS filtering occurs on the dashboard and other notification windows, but it needs to be extended to the preview window, as well.
No effect on production environment
Affected Services:
CWE-79, CWE-80
On the Groups page, the Wallpaper and Group Name fields were not sanitized for cross-site scripting (XSS) before reflecting the input into HTML. This allowed custom JavaScript to be injected into both parameters. When editing a group, custom JavaScript was triggered when the slide-over opened.
No effect on production environment
Affected Services:
CWE-79, CWE-80
Certain HTML attributes were not sanitized in the notification body, which can lead to custom JavaScript injection (XSS).
No effect on production environment
Affected Services:
CWE-840
A flaw in validation logic allowed the ClassLink OneClick Extension to run on non-ClassLink domains.
No effect on production environment
Affected Services:
CWE-22
The Append Files option in the Roster Server Preprocessor allowed user-supplied input to create a path to retrieve files outside the DailyImport and SIS Import folders, but it did not properly strip path symbols (e.g., ../). The backend automatically appends a comma-separated value (CSV) file extension to the filename, which limits what files can be targeted. It was not possible to download arbitrary files via this endpoint.
There was no impact on production systems with only this exploit. While it is possible to reach arbitrary files with directory traversal, it is limited to CSV files and would require a Roster Server sync to read the file. These files can't be directly downloaded from the server.
Affected Services:
CWE-22
When exporting logs from Roster Server, the filename parameter was not being stripped of path characters. This allowed for directory traversal outside the log directory. The OneRoster®/Roster Server user does not run as root.
Directory traversal on the Amazon Web Services (AWS)-hosted Roster Server instances can reveal files outside the Roster Server log directory.
Affected Services:
CWE-79, CWE-80
HTML is accepted for values (e.g., Display Name, First Name, Last Name) in the Edit User slide-over on the Users page. However, certain HTML attributes were not sanitized before being injected into the slide-over, triggering custom JavaScript.
No effect on production environment
Affected Services: