Educause Security Discussion mailing list archives

FSA Notice on: Exploitation of Ellucian Banner System Vulnerability - update


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Wed, 7 Aug 2019 14:33:40 +0000

Josh,

I see that FSA has acknowledged that Ellucian vulnerabilities were not exploited:

https://ifap.ed.gov/eannouncements/080619ITSecurAlertExploitationEllucianBannerSysVulnerabilityUpdate1.html

Did FSA provide any explanation as to how they made their initial determination and, more importantly, what they are 
doing to prevent this type of false attribution in the future?

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: Sosnin, Josh <Josh.Sosnin () ELLUCIAN COM>
Sent: Friday, July 19, 2019 9:23 PM
Subject: Re: [EXT]: [SECURITY] FSA Notice on: Exploitation of Ellucian Banner System Vulnerability


We have posted an update on this issue at the link below.  Please feel free to reach out to me with any questions.

https://www.ellucian.com/news/ellucian-banner-system-vulnerability-update

Thanks,

Josh

--
Josh Sosnin | VP and CISO | ellucian


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brian Kelly <bkelly () EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, July 17, 2019 at 8:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXT]: [SECURITY] FSA Notice on: Exploitation of Ellucian Banner System Vulnerability

If your institution is running Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and/or Banner Enterprise Identity 
Services versions 8.3, 8.3.1, 8.3.2, and 8.4, Fed Student Aid has a security alert about a vulnerability needing 
patching if it's not patched already: 
https://ifap.ed.gov/eannouncements/071719ITSecurAlertExploitationEllucianBannerSysVulnerability.html


Brian Kelly, CISSP, CISM, CEH
Director, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | Twitter: @HEISCouncil | bkelly () educause edu

direct: 720.406.6757 | mobile 475.449.6440 | educause.edu
1150 18th Street, NW, Suite 900 Washington, DC 20036



