Vulnerabilities in the HTTP/2 protocol were recently announced a per CVE-2023-44487.

Quandis uses cloud services from AWS, Azure and Google.

These cloud providers have remediated the HTTP/2 issue as per the links below.

• AWS Bulletin
• Google Update
• Microsoft Response

Our web applications are hosted in AWS which are fronted by AWS Application Load Balancers, and AWS has remediated  the HTTP/2 issue.

The recent failure of SVB and Signature Bank does affect Quandis or QBO-based systems.
Quandis does not have a relationship with either bank and none of our cloud service providers are impacted ( AWS, Microsoft, Google )

Quandis is not impacted by the Apache Log4j2 vulnerability flagged by CVE-2021-44228.

Quandis does not use Kaseya VSA Software, and as such, we are not affected by the recent ransomware attacks.

1. Does your company use Kaseya VSA Software? (Y/N)
   • NO
2. If you answered YES above:
   • Have you scanned or otherwise assessed your networks to ensure unauthorized parties have not gained access? (Y/N)
     • N/A
   • Have you experienced any unauthorized activity or access within your environment as a result of the Kaseya VSA vulnerabilities aforementioned? (Y/N)
     • N/A
   • Have you taken the steps to implement the cybersecurity best practices recommended by CISA and the FBI (https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa) ?  (Y/N)
     • N/A
   • If not, please provide details of the steps you have taken.
     • N/A
3. Have you inquired of your third parties that process Client data (fourth parties to the Client) to determine the impact to their systems and remediation steps being taken? (Y/N)
   • We have had no integration partners indicate they are impacted by the attack.

Please forward any detailed questions to compliance@quandis.com.