An easily exploitable zero-day vulnerability in Apache Struts 2 forced the Canadian government to take offline the websites associated with Canada Revenue Agency, used for filing tax returns, and Statistics Canada, just before the end of the fiscal year, according to Reuters.
The security breach itself occurred at Statistics Canada, but the Canada Revenue Agency site also had to be shut down as a precaution because it shared the same vulnerability. Officials assure citizens that the attackers were blocked quickly and got no sensitive data or tax-related information.
“We went after this one specifically because we recognized there was a specific and credible threat to certain government IT systems,” John Glowacki, a government security official, said at a press conference. Allegedly other countries “are actually having greater problems with this specific vulnerability,” he added without giving further details.
The new software bug appeared last week and was announced by the Apache Software Foundation, which immediately released a patch.
Apache Struts, open-source software for Java apps, is used for websites by many organizations, including governments, banks, airlines and social networks. The vulnerability allowed hackers to access and take over web servers from a remote location.