cancel
Showing results for 
Search instead for 
Did you mean: 

Security Updates

About Security Updates
Security updates are posted here.
Instructure
Instructure

An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to not requiring LTI tools to sign requests to the server, allowing crafted API calls from end users to query arbitrary hosts. Host responses are not returned to the client.

Read more...

more
0 0 290
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-07-11
  Description:

MathJax XSS Vulnerability

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

XSS (Cross Site Scripting)

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Pull request to instructure/canvas-lms · GitHub

  Relevant Changesets:

Fix critical MathJax XSS Vulnerability · instructure/canvas-lms@148fe06 · GitHub 


Summary:

An XSS (Cross Site Scripting) vulnerability was publicly disclosed via a Pull Request to instructure/canvas-lms on GitHub. The vulnerability is due to a version of the MathJax dependency used in a Canvas component, which allows an attacker to use JavaScript to exploit this vulnerability via Canvas' Rich Text Editor.

Status:

All systems were patched as of 11:11 AM MT on 7/11/2019.

more
1 0 768
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-02-14
  Description:

ePortfolio Export Vulnerability

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Broken Access Control (BAC)  /  Insecure Direct Object References (IDOR)

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Defektive (Security Researcher)

  Relevant Changesets:

ensure user can read eportfolio files before zipping them up · instructure/canvas-lms@8df2da8622 · G...


Summary:

A security researcher supporting our ongoing bug bounty program hosted by BugCrowd identified a vulnerability in ePortfolios, which allowed an authenticated user to access files not owned by the user as part of an ePortfolio export.  

Status:

All systems were patched as of 8:17 PM MT on 2/11/2019.

more
0 0 417
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-01-31
  Description:

Multiple XSS Vulnerabilities in Canvas

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Stored Cross Site Scripting / Potential Exposure of Sensitive Data

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

DDV_UA (BugCrowd Security Researcher)

  Relevant Changesets:

fix focus return on discussion page · instructure/canvas-lms@35c64f056e · GitHub

fix vdd_tooltip selector issue · instructure/canvas-lms@54cecb0252 · GitHub

Change elementToggler to use text · instructure/canvas-lms@d62b910d73 · GitHub

Disallow javascript urls in inline previews · instructure/canvas-lms@8e8f3358fc · GitHub

fix XSS attack with rubrics · instructure/canvas-lms@22986bb9c9 · GitHub

sanitize HTML content in eportfolio preview · instructure/canvas-lms@2328ab322a · GitHub

move graded rubrics url to js_env · instructure/canvas-lms@eb4024c724 · GitHub

Fix XSS in calander · instructure/canvas-lms@466afa70be · GitHub

ensure icon_url is valid when outputting external tool config · instructure/canvas-lms@e3991ea49c · ...

Don't get quiz details url from data attribute · instructure/canvas-lms@d6751093e5 · GitHub

sanitize tooltip content · instructure/canvas-lms@5105235fe3 · GitHub


Summary:

The following findings were recently identified by the talented security researchers supporting our ongoing bug bounty program hosted by BugCrowd:

1. XXS via ‘data-tooltip’ attribute

A security researcher discovered Canvas editors allow for data-tooltip attribute to be modified to execute a script when triggered.

2. XSS in Calendar via `data-mathml` attribute

A security researcher discovered the data-mathml attribute can be modified to execute a script when accessing a calendar event.

3. XSS in Discussions via `data-focus-returns-to` attribute

A security researcher discovered the data-focus-returns-to attribute can be modified to execute a script when accessing a discussion topic.

4. XSS in Assignments via `vdd_tooltip_link` attribute

A security researcher discovered the vdd_tooltip_link attribute can be modified, by only users having the ability to modify assignments, to execute a script when modifying an assignment.

5. XSS in Canvas editors when referencing an External App via icon_url element

A security researcher discovered the icon_url element included as part of referencing an an External App configuration can be modified to execute a script when opening any editor referencing the External App.

6. XSS in Canvas editors via data-html-while-target-shown attribute

A security researcher discovered the data-html-while-target-shown attribute can be modified to execute a script when when the associated link is clicked.

7. XSS in ePortfolios

A security researcher discovered, in ePortfolios, an element with a specific attribute can be used to execute a script when the associated button is clicked.

8. XSS in Canvas editors via a.file_preview_link

A security researcher discovered, in Canvas editors, the file_preview_link parameter can be used to execute a script when the associated link clicked.

9. XSS in Canvas Quizzes via data_url attribute

A security researcher discovered, in Canvas Quizzes, the data_url attribute can be modified (by only users having the ability to modify quizzes) to request and execute a script when accessing a quiz.

Status:

All systems were patched as of 8:57 MT on 1/31/2019.

more
0 0 841
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2018-01-10
  Description:

Response to Meltdown and Spectre Vulnerabilities

  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. (Source: Meltdown and Spectre)

  Systems Affected:Desktop, Laptop, and Cloud computers may be affected by Meltdown. Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. (Source: Meltdown and Spectre)
  Solution Status:Patched (Meltdown; AWS Systems)
  Discovered By:

Several security researchers. See "Who reported Meltdown" and "Who reported Spectre?" here: Meltdown and Spectre

  Relevant Changesets:N/A

Summary:

Last week, security researchers released findings about a couple of impactful security vulnerabilities known as Meltdown and Spectre (see https://spectreattack.com/). Openness and transparency are important to us: we want you to know how we have responded to these vulnerabilities.

Instructure systems are hosted on Amazon Web Services (AWS). One of the biggest concerns about these vulnerabilities is their impact on shared-compute infrastructure. Researchers reported these vulnerabilities to AWS and other infrastructure providers several weeks before disclosing them publicly. AWS aggressively identified and patched all exposed systems, including all infrastructure supporting Instructure’s instances. AWS describes their efforts here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

We believe the near and present attack vectors associated with these vulnerabilities have been removed as a result of AWS’ patching. Due to the nature of these vulnerabilities impacting CPUs (even on virtualized systems), Instructure is applying the associated patches (as they become available) to Instructure’s instances hosted on AWS while meeting our availability SLAs and maintenance-notification commitments.

We encourage customers to update their systems and browsers as patches become available.

Status:

All AWS systems were patched as of 20:10 MT on 01/09/2018

more
4 0 698
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-11-09
  Description:

Two open redirect issues found in LTI tool handling

  Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

A victim clicking a malicious link could send data to an attacker’s website.

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

BugCrowd Security Researcher

  Relevant Changesets:

Ensure nil domain is not used to match external tools · instructure/canvas-lms@2e1c33e63c · GitHub

Fix XSS and tool registration endpoint vulnerabilities · instructure/canvs-lms@c64962fd8f · GitHub


Summary:

An open redirect at /courses/:course_id/external_tools/retrieve?url=... was discovered which did not filter URLs like https://domain.com./ with trailing dot. The form with the signed oauth post data is being created and being transmitted to the attacker's web server.


An open redirect at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url… which could have also been used to create a reflected XSS vulnerability, where a victim had permission to install an LTI tool.

Status:

All systems were patched as of 17:01 MT on 11/8/2017


more
1 0 659
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-02-13
  Description:

XXE Vulnerability in Quizzes QTI Upload

  Criticality Level:Critical
  Impact:

Potential read only access to underlying filesystem

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Unnamed BugCrowd Security Researcher as part of an annual vulnerability assessment

  Relevant Changesets:

don't resolve entities in xml · instructure/QTIMigrationTool@729a35313c · GitHub


Summary:

An external security audit discovered a vulnerability in the QTI Migration tool which is used in converting QTI version 1.x data into QTI 2.0 content packages. The vulnerability allowed read only access to the underlying filesystem. This means that a potential attacker could read files from various system level directories where configuration and system user details are stored.


An internal forensic investigation found no evidence that the vulnerability, which has existed on the system for some time, has been exploited during the time it was present on the system.

Status:

All systems were patched as of 13:21 MT on 2/3/2017


more
0 0 566
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-02-07
  Description:

MathML Stored XSS

  Criticality Level:Moderately Critical
  Impact:

Cross Site Scripting / Potential Exposure of Sensitive Data

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Fyoorer, as part of a bugcrowd audit

  Relevant Changesets:

prevent storing scripts in mathml href tags · instructure/canvas-lms@5f3a8938c6 · GitHub


Summary:

An external security audit discovered a misconfigured whitelist for protocols allowed in href attributes for MathML tags (<math href=”...”>). This allowed a potential attacker to run javascript when a mathml tag was clicked in Safari or Firefox, where MathML is supported.

Status:

              All systems were patched as of 11:01 MT on 2/7/2017


more
0 0 339
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-01-11
  Description:

Arbitrary Collaboration Enrollment

  Criticality Level:Highly Critical
  Impact:Potential Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal Audit
  Relevant Changesets:

Restrict collaboration membership by context · instructure/canvas-lms@67491e3b · GitHub


Summary:

During a routine security audit of the Canvas code base and platform, a bug with permission checking for collaboration enrollment was discovered which could allow a teacher or admin to enroll users in a course collaboration that they normally would not have been allowed to be enrolled in. This could lead to a situation which would allow access to basic user information that the teacher or admin might not otherwise have access to.

Status:

All systems were patched as of 15:14 MT on 1/5/2017


more
0 0 182
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2016-06-01
  Description:Developer Key Privilege Escalation
  Criticality Level:Very High
  Impact:Potential manipulation of developer keys / Identity forgery
  Systems Affected:Potential impact includes all developer keys issued within an instance of Canvas
  Solution Status:Closed/Resolved
  Discovered By:Cody Cutrer
  Relevant Changesets:

fix permission check of updating developer keys · instructure/canvas-lms@24c57dc · GitHub


Summary:

In October of 2015,  a code change which allowed an account admin to manage developer keys generated within their own instance of Canvas was introduced   into the codebase. It was recently discovered during a routine review of the code that the permission checks had weak scope boundaries, so an admin with       permissions to modify developer keys in their own instance/account, were inadvertently able to modify any developer key within the system.

For users of the open source version of Canvas, the vulnerability surface area is much smaller since there's only one root account, and typically the root account admins are also site admins, which would have permissions to alter developer keys.

Status:

The Instructure engineering team has developed, tested, and promoted a hotfix to the production Canvas platform. They have also updated the Canvas open source git repository with a security patch prior to the release of this bulletin.


more
0 0 339
Instructure
Instructure

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2016-03-07
  Description:SSLv2 DROWN Attack
  Criticality Level:High
  Impact:Potential Exposure of Sensitive Data
  Systems Affected:Potential impact includes all platforms/sites protected by HTTPS
  Solution Status:Closed/Resolved
  Discovered By:Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt
  Relevant Changesets:

None


Summary:

Recently, a new SSL vulnerability was discovered by a group of security researchers. The vulnerability has been given the name "DROWN", which is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption." The gist of the vulnerability is if a site is configured to support SSLv2, which is a deprecated version of the SSL (Secure Socket Layer) protocol, the encryption can be compromised by a third party.

Status:

Instructure operations has concluded that only one of its sites/services, an internal QA tool, was configured with the deprecated version of the SSL protocol. The potentially vulnerable site has since been reconfigured to disable SSLv2 and all associated cyphers.

Because of strict network isolation between pre-production and production environment, the risk to production environments was mitigated.

Further Information:

https://drownattack.com/ 

https://www.openssl.org/news/secadv/20160301.txt

NVD - Detail

https://drownattack.com/drown-attack-paper.pdf


more
0 0 392
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-11-07  (Last update can be found below the document title)
  Description:Multiple stored XSS vulnerabilities
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Insertion of arbitrary HTML code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By: Internal audit
  Relevant Changesets:

fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub


Summary:

               During a routine security audit of the Canvas code base and platform, a number of cross site scripting vulnerabilities were identified. Once identified and                confirmed, these vulnerabilities were patched by the Instructure engineering team.

Status:

All systems were patched as of 15:32 MT on 11/6/2014


more
0 0 161
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-11-25  (Last update can be found below the document title)
  Description:CSRF and XSS vulnerability within Canvas
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Insertion and execution of arbitrary HTML code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Reported by customer via a third-party security assessment
  Relevant Changesets:


Summary:

During a routine security audit of the Canvas code base and platform performed by a third party at the request of a csutomer, a cross site forgery request vulnerability was identified. Once identified and confirmed, the vulnerability was verified, confirmed and patched by the Instructure engineering team.

Status:

All systems were patched as of 17:53 MT on 11/19/2014


more
0 0 127
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-11-07  (Last update can be found below the document title)
  Description:

Multiple cross site scripting vulnerabilities were   discovered within the Canvas codebase during a routine security audit. The cross site scripting vulnerabilities could allow for the insertion and storage of arbitrary HTML code into the Canvas application.

  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Insertion of arbitrary HTML code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal audit
  Relevant Changesets:

fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub 


Summary:

During a routine security audit of the Canvas code base and platform, a number of cross site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.

Status:

All systems were patched as of 15:32 MT on 11/6/2014


more
0 0 123
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-1-14  (Last update can be found below the document title)
  Description:A vulnerability was discovered in SSLv3 which could allow a remote attacker to force a TLS downgrade negotiation, which could result in SSLv3 with weak ciphers being used. Once downgraded, the traffic is then susceptible to a man in the middle (MITM) attack
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Allows unauthorized disclosure of information
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Google Security
  Relevant Changesets:

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback

CVE -CVE-2014-3566 


Summary:

On October 14th, Google security released an advisory regarding a newly discovered SSLv3 attack. Once the Instructure InfoSec team was made aware of the advisory, it took immediate action to disable SSLv3 and its related ciphers on the Canvas platform.

Status:

All systems were patched as of 14:33 MT on 10/14/2014


more
0 0 124
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-10-13  (Last update can be found below the document title)
  Description:A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access to files readable by the parent process.
  Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Potential unauthorized disclosure of information
  • Potential unauthorized file system access
  Systems Affected:Canvas LMS
  Solution Status:Remediated
  Discovered By:Issue was reported by Nabeel Ahmed
  Relevant Changesets:

N/A


Summary:

                  A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access                   to files readable by the parent process.

                  Once the vulnerability was reported and validated, steps were immediately taken to address the vulnerability. Furthermore, a full impact analysis was                   performed to determine if the vulnerability had been exploited.

                  The Instructure InfoSec team found no evidence of an exploit.

Status:

All vulnerable systems were patched against the vulnerability on the same day it was reported.


more
0 0 91
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-09-24  (Last update can be found below the document title)
  Description:GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
  Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Allows unauthorized disclosure of information
  • Allows unauthorized modification
  • Allows disruption of service
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

US-CERT Security Bulletins

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

  Relevant Changesets:

N/A


Summary:
On September 24, 2014 the United States Computer Emergency Readiness Team (US-CERT) released a security bulletin regarding a newly discovered vulnerability within the GNU Bourne Again Shell (Bash), which could allow an attacker to execute arbitrary code on a target machine.

Based on the design of the Canvas platform, and active security/access controls, we determined that the risk to the Canvas platform was very low, but felt it prudent to patch all systems to remove any potential for an attack or exploit.

Status:

All systems were patched for both CVEs as of September 27, 2014


more
0 0 114
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-09-12  (Last update can be found below the document title)
  Description:"View Page Source" may users' information to students in accounts with Profiles enabled
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible unauthorized access to users' information
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Reported to support by customer at 5:53 PM MT on 9/11/2014
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/9fb07df165784207eaf2b44aecf0e26f002dd62b


Summary:

A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.

Status:

Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 71
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-07-24  (Last update can be found below the document title)
  Description:

Boundary issues with rubyzip gem

  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible unauthorized access to filesystem and files
  • Possible escalation of privileges
  • Possible execution of arbitrary code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a6e104a20b0e6da4251cf7ed90b4eecea0937130


Summary:

A vulnerability was discovered within the rubyzip gem used by Canvas which could allow an attacker to gain access to the filesystem, directories, files and/or execute arbitrary code via symbolic links.

Status:

Fixed in Canvas Cloud as of 7/24/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 59
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-07-11  (Last update can be found below the document title)
  Description:Inadvertent preview of locked files
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible information leakage and/or unauthorized access
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Customer discovered and reported
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/13dbb09bd420b4e268b0a6720c31c56367df9538


Summary:

A vulnerability was discovered within the Canvas codebase which could allow for unauthorized previewing of locked documents.

Status:

Fixed in Canvas Cloud as of 7/11/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 77
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-06-27  (Last update can be found below the document title)
  Description:Vulnerability in Ruby's implementation of SAML
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible information leakage and/or unauthorized access
  Systems Affected:CanvasLMS
  Solution Status:Patched
  Discovered By:Vladislav Mladenov, Christian Mainka, Florian Feldmann and Julian Krautwald Horst Görtz Institute for IT-Security,http://www.nds.rub.de/chair/news/RelevantChangesetshttps://github.com/instructure/canvas-lms/commit/...
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/034cae39cc84ec924b4322cfb5fd7ea0fa89c56b


Summary:

A vulnerability exists within version 0.1.28 of the ruby-saml-mod Ruby gem. This vulnerability could potentially allow for information leakage if the correct set of circumstances were present. This vulnerability is fixed in version 0.1.29 of the Ruby gem.

Status:

Fixed in Canvas Cloud as of 6/27/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 184
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-06-10  (Last update can be found below the document title)
  Description:SpeedGrader XSS vulnerability
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Insertion of arbitrary HTML code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Customer reported and internal audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a62bd4725084e58ac50d6e63e4b9a3eb20eecff8


Summary:

A bug in HTML validation code allowed for the insertion of arbitrary HTML code into the Canvas application.

Status:

Fixed in Canvas Cloud as of 6/10/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 121
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-06-05  (Last update can be found below the document title)
  Description:Course Copy Exploit
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/937d87a01bfd8aed04e7e54b13620d359872f871


Summary:

A bug in permissions checking could allow a malicious user to initiate a course copy using a source course they do not normally have access to. This could allow access to course content that the user would not normally see.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 61
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-05-08  (Last update can be found below the document title)
  Description:SQL Sanitization Vulnerability
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation

Authentication Level: Logged in Canvas admins and instructors

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Instructure Internal Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/1f231d1369a4fbfeac4211524210b87d6e1a669a


Summary:

A security audit has identified a SQL injection attack vector in the course import functionality, available to account admins and instructors.

Status:

A fix has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 147
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-05-01  (Last update can be found below the document title)
  Description:Cross Account Login Creation
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal Audit
  Relevant Changesets:

fix permission checks around pseudonym creation · instructure/canvas-lms@19d4d95 · GitHub 


Summary:

A bug in permissions checking could allow a malicious user to create logins in accounts that they wouldn't normally be allowed to. This could allow access to basic account information, depending on authentication settings.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 67
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-04-08  (Last update can be found below the document title)
  Description:Update on CVE-2014-0160 (aka "the heartbleed bug")
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Potential Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Closed/Resolved
  Discovered By:IT security teams at Codenomicon and Google
  Relevant Changesets:

DOUBLE_CLICK_TO_ENTER_RELEVANT_CHANGESETS


Summary:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing theinformation protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Status:

Amazon has confirmed that all vulnerable hosted services have been patched against the heartbleed bug. All SSL certificates and private keys for the *.instructure.com top level domain were replaced at 12:00 PM MT on April 10, 2014. We continue to work with organizations that have "vanity" URLS (e.g. canvas.organization-name.com) to replace their SSL certificates and private keys.

Further Information:

http://heartbleed.com/

http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)

http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)

http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)

http://www.ubuntu.com/usn/usn-2165-1/

http://www.freshports.org/security/openssl/

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

https://rhn.redhat.com/errata/RHSA-2014-0376.html

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.

https://lists.fedoraproject.org/pipermail/announce/2014-April/00320.

http://www.kb.cert.org/vuls/id/720951

https://www.cert.fi/en/reports/2014/vulnerability788210.html

https://www.cert.at/warnings/all/20140408.html

http://www.circl.lu/pub/tr-21/


more
0 0 143
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-04-04  (Last update can be found below the document title)
  Description:Cross Account Enrollment Creation
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Kira Lawrence, Carol Cobb
  Relevant Changesets:

enrollments API requires pseudonym on course's root account · instructure/canvas-lms@f0a17fe · GitHu...


Summary:

A bug in permissions checking could allow a malicious admin or teacher to enroll users in their course that they wouldn't normally be allowed to. This could allow access to basic user information.

Status:

Fixed in Canvas Cloud. Does not affect Canvas CV, as it is not multi-tenant.


more
0 0 48
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-03-11  (Last update can be found below the document title)
  Description:

Arbitrary Enrollment Deletion

  Criticality Level:

Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )

  Impact:

Restricted Privilege Escalation

Manipulation of Sensitive Data

  Systems Affected:

Canvas LMS

  Solution Status:Patched
  Discovered By:

Shea Silverman and Brandon Stull

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a1b5d8ab1298d8aa03f8312cbb50d24a6a66dd6e


Summary:

A bug in permissions checking could allow a malicious user to mark enrollments as deleted in a course that they wouldn't normally have access to do so in. No data would be permanently lost, as the enrollment was only soft deleted and could be restored.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 51
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-03-03  (Last update can be found below the document title)
  Description:False Zip File Size Attack
  Criticality Level:Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Denial of Service
  Systems Affected:

Canvas LMS

  Solution Status:

Patched

  Discovered By:

Mike Naberezny

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a3cf4748cc4be17c27030728fdd00f79419a2238


Summary:

A malicious user could upload a specially formed zip file in order to bypass Canvas' quota checking and extract much larger files than are meant to be allowed. This attack could potentially be used as a Denial of Service attack vector on job workers, and increase Canvas hosting costs.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 67
Community Member

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-02-14  (Last update can be found below the document title)
  Description:SAML XML Signature Wrapping
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Manipulation of data

Exposure of Sensitive Information

Privilege escalation

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Vladislav Mladenov, Christian Mainka, Florian Feldmann and Julian Krautwald

Horst Görtz Institute for IT-Security, http://www.nds.rub.de/chair/news/

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/b54d2801df91bf1f9ff69dd2d70daef1c37d3e87

https://github.com/instructure/canvas-lms/commit/1587b760013449cafb9474f15b8797b989069839 


Summary:

An attack against Canvas' SAML single sign-on implementation was discovered by security researchers. The attack could potentially allow a malicious Canvas user to use their valid SAML credentials to forge a login as a different user at their institution, giving them access to Canvas as that other user.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.


more
0 0 150
Labels