CRA Website Gets Shut Down Over The Weekend To Patch A Serious Flaw

If you’re in Canada and were planning to file your taxes this past weekend, you likely had to find something else to do as the Canada Revenue Agency website was shut down over the weekend to patch a serious flaw. The site was back up as of 5:00PM Sunday after being taken down on Friday. But other than words like this, they aren’t saying why they took the site down:

“The CRA acted quickly to temporarily take down our online services, including electronic filing, and put in place the necessary maintenance security patches to ensure that all information and systems remained safe”

Okay. So they patched something. My first thought was that they patched their webserver so that they don’t get hit by someone taking advantage of the Struts 2 vulnerability that is out in the wild. So I used Netcraft to confirm or deny that. The report that I got was kind of surprising. It seems that http://www.cra-arc.gc.ca is running older versions of Apache Web Server that are vulnerable to Struts 2. That seems to be a #fail on the surface. But to be fair, they appear to be behind an F5 Networks BIG-IP for protection and content delivery purposes, so I am not likely seeing what they’re really running. Thus it is an open question as to what got patched. But I am betting that it is Struts 2 related as the CRA said in its statement that they patched something that affected “websites worldwide.” Struts 2 fits that description.

This isn’t the first time that the CRA has had to take down their site because of a security issue. They got hit by someone who pwned them via an OpenSSL bug known as Heartbleed a few years back. That led to a 19-year-old being put in the clink because of it. But not before other Canadian Government websites had to be taken down to fix the issue and personal data was leaked.

 


One Response to “CRA Website Gets Shut Down Over The Weekend To Patch A Serious Flaw”

  1. […] I posted a story on the Canada Revenue Agency site being shut down over the weekend. At the time the CRA posted this as the […]
