Apache Struts 2 bug bites Canada, Cisco, VMware and others
Canada Revenue Agency (CRA) says its online services were taken offline over the weekend so it could patch the Apache Struts 2 vulnerability.
The vulnerability in the framework is trivial to exploit: just send an upload request with an invalid Content-Type value; the framework throws an exception, and that opens the target to remote code execution.
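Added example, not code from the article or from Apache, Cisco or VMware: a Python check that turns the point above into a detection rule, flagging logged requests whose Content-Type header is not a syntactically valid media type (an invalid header that also produced a 5xx response is exactly the failure the article describes). It assumes a constructed reverse-proxy log format that records the request's Content-Type as the last quoted field; the sample log lines are constructed.

```python
import re

# Media-type grammar (RFC 2045 / RFC 7231): token "/" token *( ";" token "=" (token | quoted-string) )
# A token is any visible ASCII except the tspecials ()<>@,;:\"/[]?={} and whitespace.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf";\s*{TOKEN}=(?:{TOKEN}|{QUOTED})"
CONTENT_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}\s*(?:{PARAM}\s*)*$")

# Constructed log format (assumption): combined-style prefix, then status, then "$content_type".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines: one legitimate upload, one request with a malformed Content-Type that
# the application answered with a 500, and one request that sent no Content-Type at all ("-").
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2017:10:01:22 +0000] "POST /upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundaryx1"
10.0.0.9 - - [13/Mar/2017:10:01:25 +0000] "POST /upload.action HTTP/1.1" 500 "%{not-a-media-type}"
10.0.0.7 - - [13/Mar/2017:10:01:30 +0000] "GET /index.action HTTP/1.1" 200 "-"
"""


def is_valid_content_type(value: str) -> bool:
    """True if the header value parses as a well-formed media type with well-formed parameters."""
    return CONTENT_TYPE_RE.match(value) is not None


def find_suspicious(log_text: str) -> list:
    """Return one record per logged request whose Content-Type fails the media-type grammar.

    Requests without a Content-Type ("-") are skipped; the status code is kept so that the
    caller can rank invalid-header-plus-5xx hits, the signature of a parser exception, first.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ctype"] == "-":
            continue
        if is_valid_content_type(m["ctype"]):
            continue
        hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                     "status": int(m["status"]), "content_type": m["ctype"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```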
Shortly after the Struts 2 vulnerability was discovered last week, vulnerability researchers at Cisco’s Talos said they’d observed it under “active attack”.
The Canada Revenue Agency held a press conference in Ottawa Monday afternoon, and confirmed Struts 2 was the reason it took down its services over the weekend.
According to public broadcaster CBC, Treasury Board of Canada Secretariat deputy CIO Jennifer Dawson said the hackers only got as far as accessing already-public information on the CRA Website.
The Canadian government also says Statistics Canada’s Website was taken down last Thursday for the same patch.
Shared Services Canada COO John Glowacki said that while forensic work is continuing, analysis of system logs means SSC believes nobody “got inside” CRA’s systems.
“We will not speak for other countries, but we will say we have information that some other countries are having greater problems with this specific vulnerability,” he added.
Expect vendors to start issuing their own advisories about Struts 2. Cisco has posted its first product advisory, and so far there’s more “confirmed not vulnerable” than vulnerable products.
So far, only Cisco’s Identity Services Engine, Prime Service Catalog Virtual Appliance, and Unified SIP Proxy Software need fixing. There is, however, an extensive list of products still under investigation.
VMware has also run up a warning flag, issuing an advisory reporting exposures in Horizon Desktop as-a-Service, vCenter Server, vRealize Operations Manager and vRealize Hyperic Server. Patches are pending. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/14/canada_struts_2_outage/