Aug. 6: Ellucian Banner Update
UPDATED AUGUST 6, 2019 — The U.S. Department of Education (Department) has released an update to its July 17 report that cited a known security vulnerability in the Banner Web Tailor and Banner Enterprise Identity Services (BEIS) offerings.
To date, the Department has not found any instances where the Ellucian Banner vulnerability has been exploited or where it is related to the issues described in the original alert. Additionally, Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the Banner vulnerability. The Department’s research into the impact may be ongoing, and institutions may receive inquiries directly from the Federal Student Aid Cyber Incident Team.
July 19, 2019 — The U.S. Department of Education (Department) is working with Ellucian to clarify the previous alert from July 17, 2019. Some of the issues mentioned in the alert may be unrelated to the vulnerability (Vulnerability) for which Ellucian released a patch on May 14, 2019. The Department and Ellucian have no reason to suspect that a breach has occurred as a result of this vulnerability.
Ellucian has found that there are two separate and distinct issues that bear immediate attention:
- The Ellucian Banner vulnerability
- Fraudulent admissions applications
The Ellucian Banner Vulnerability
Who is Impacted: The vulnerability occurs only in Ellucian Banner Web Tailor versions 8.8.3 and 8.8.4 and in Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. Although Banner Web Tailor 8.9 was previously listed as impacted, it is a roll-up software release that contains all patches and releases since 8.8 and is not affected. Customers not using these software versions are not impacted by this vulnerability.
Actions for Institutions Using Ellucian Banner System: Patches for this vulnerability were issued by Ellucian on May 14, 2019, and are included in all subsequent roll-up software releases. There is no indication that student or institutional data has been compromised. The patched vulnerability is extremely difficult to exploit and unlikely to occur outside of a laboratory setting. Institutions running Ellucian Banner Web Tailor versions 8.8.3 or 8.8.4, or Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, or 8.4, should immediately apply the previously released patches.
Fraudulent Admissions Applications:
Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct. The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products. Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals.
Ellucian recommends adding reCAPTCHA capabilities to the admission process to reduce the likelihood of experiencing fraudulent applications for admissions, even if institutions are not currently experiencing this issue.