The open-source Apache Struts project first disclosed a high impact critical remote code execution vulnerability on March 6 and now it has claimed its first public victim. The Government of Canada confirmed on March 13 that some of its servers were breached by attackers making use of the Apache Struts flaw, also identified as CVE-2017-5638.
While the public disclosure for the Apache Struts flaw came on Monday March 6, Canadian Federal IT security administrators apparently weren’t aware of the issue until late on Wednesday March 8. The admission came in an Ottawa briefing to Canadian media agencies on March 13.
The Government of Canada took multiple sites down on March 9 including Statistics Canada as well as the Canada Revenue Agency (CRA) websites, with service not restored until March 12.
According to Canadian government officials, only the Statistics Canada website was actually breached, though no personally identifiable or confidential information was stolen. In a video from the press briefing posted by the CBC, John Glowacki, chief operating officer of Shared Services Canada stated that nothing happens on government systems that isn’t logged.
“We’re able to trace through and identify who had access to what at a given time,” Glowacki said.
According to Glowacki’s analysis, the window of vulnerability on the Canadian government systems was limited. He hinted that it is likely that Struts vulnerability is also having an impact on other countries beyond just Canada.
“We will not speak for other countries, but we will say we have information that some other countries are having greater problems with this specific vulnerability,” Glowacki said.
This isn’t the first time the Government of Canada has had to shut down servers and specifically the Canada Revenue Agency’s systems, due to a new security flaw. Back in April 2014, when the open-source Heartbleed flaw was first reported, attackers took early aim Canada’s tax website. Heartbleed was a vulnerability in the open-source OpenSSL cryptographic library. The Heartbleed attack against the Canada Revenue Agency website led to the tax filing website being shutdown for several days, resulting in an extended deadline in 2014 for Canadians to file their federal tax returns.
Canadian law enforcement officials moved quickly in the Heartbleed attack against the Canada Revenue Agency and also made the first public arrest related to Heartbleed.
The challenge with Struts, much as it was with Heartbleed is that it is a component that is embedded into many different types of systems, that are often difficult to easily patch. What has also now become apparent is how the Struts issue will impact products from multiple technology that make use of the vulnerable component.
On March 13 a week after the Apache Struts disclosure, VMware issued an initial advisory warning of Stuts vulnerability exposure in multiple products including the Horizon Desktop as a Service Platform, vCenter Server, vRealize Operations Manager and the vRealize Hyperic Server.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.