Background
Progress Software Corporation recently disclosed a critical SQL injection vulnerability in its MOVEit file transfer software. This vulnerability allowed unauthenticated access to the underlying database and enabled attackers to extract structure and content from it. Ransomware attackers have recently exploited this vulnerability to steal personal data of several customers of Zellis HR and payroll systems that use MOVEit for file transfers.
Crown understands that some of its customers use Zellis HR and Payroll systems, and may be vulnerable to similar threats. This bulletin advises them to review their systems and ensure appropriate data protection by acting on the remediation measures recommended by Zellis and/or Progress Software Corporation.
Crown has reviewed its own products and services to determine if they are susceptible to the MOVEit vulnerability and require mitigation. This bulletin provides the current status of any vulnerability by product and service for customers.
WFM/DMS Product Base
The Crown WFM and DMS applications DO NOT USE or require the MOVEit product. Therefore, Crown applications do not have the CVE-2023-34362 vulnerability.
Crown Managed Cloud Services
Crown constantly reviews the security position and applies necessary mitigations as an integral part of its Managed Cloud Services.
Core Application
The Crown WFM and DMS applications delivered as managed cloud services are not exposed to MOVEit exploits.
Crown applications provide SFTP and FTP/S secure file transfer interfaces that are not affected by this vulnerability. Further, Crown file transfer services are not implemented over SQL databases.
Customer-hosted Installations – On-premise or own cloud
For customers who have licensed the Crown WFM or DMS software and host it in-house or under their own arrangement with cloud platforms, Crown advises urgent review of any use of MOVEit software and of the recommended remediation.
The remediation guidance is available from Progress Software in the article "MOVEit Transfer Critical Vulnerability (May 2023)" on the Progress Community site.