The vulnerability is not considered severe, as it is only accessible via the Channel Manager interface, which is restricted to portal administrators. In a standard uPortal installation there is no way for an anonymous or non-administrative user to execute the affected code.
Security patch releases uPortal 2.6.1.1 <http://www.jasig.org/uportal/download/uportal-261> and 2.5.3.2 <http://www.jasig.org/uportal/download/uportal-253> have been put out. The bug is fixed in the 3.1.2 <http://www.jasig.org/uportal/download/uportal-312> and 3.0.5 <http://www.jasig.org/uportal/download/uportal-305> releases which came out today. The details of the bug are documented in Jira issue: http://www.ja-sig.org/issues/browse/UP-2515
Those who cannot upgrade to a released version are encouraged to apply a patch for the issue. Version-specific patches are linked below:
uPortal 2.5: http://developer.jasig.org/source/rdiff/jasigsvn?csid=47293&u&N
uPortal 2.6: http://developer.jasig.org/source/rdiff/jasigsvn?csid=47294&u&N
uPortal 3.0: http://developer.jasig.org/source/rdiff/jasigsvn?csid=47295&u&N
uPortal 3.1: http://developer.jasig.org/source/rdiff/jasigsvn?csid=47296&u&N
Thank you,
-Eric Dalquist
