Security vulnerabilities in systems are an unfortunate fact of life. The Engineering and Information Technology team in the ICANN org is working hard on many fronts to protect and enhance the security of our systems. From time to time events occur that result in specific and focused security-related activity that can impact the ICANN org and/or community. Because of our commitment to openness and transparency, we are disclosing the following two events to the community. To our current knowledge, neither of these incidents resulted in any compromise of ICANN data.
Intermedia Email Services Issue
The ICANN org outsources email services to a cloud services provider, Intermedia. On 21 August 2017, the ICANN org Information Technology (ICANN IT) department discovered an issue with the client administrative control console for Intermedia-hosted email services. ICANN IT immediately notified Intermedia, conducted a thorough investigation of the issue, and determined that no breach of ICANN Board, org, or community data had occurred as a result of this issue. On 22 August 2017, Intermedia, following its own rapid incident response process, applied remediation.
Apache Struts Jakarta Multipart Parser Vulnerability
On 18 September 2017, the ICANN org conducted a review of internally managed ICANN services and after a preliminary evaluation, found none to be affected by the Apache Struts Vulnerability (CVE-2017-5638). We also initiated a process to contact our externally managed service providers to obtain their assessments of the impact of this issue. We have currently received reports that 16 services are unaffected, and are awaiting responses from our vendors regarding the remaining services.
In light of these two disclosures, we have identified the need to formalize our procedures for appropriately disclosing events like these in the future. We have begun the work of defining this process. When that effort is complete, we will communicate the new transparency guidelines to the community.
If you have any questions or feedback, please email me directly: terry.manderson@icann.org