TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638 (Bureau of Fiscal Service)

Rob Rose filed this request with the Bureau of Fiscal Service of the United States of America.
Tracking #: 2018-06-104

Multi Request: TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638
Est. Completion: Aug. 14, 2018
Status: Fix Required

Communications

From: Rob Rose

To Whom It May Concern:

Pursuant to the Freedom of Information Act, I hereby request the following records:

Records relating to whether TreasuryDirect.gov and/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10th, 2017 and if so, when the webserver(s) were patched with the appropriate Apache Struts updates to mitigate the vulnerability. The first versions to contain fixes were Struts 2.3.32 or Struts 2.5.10.1 and all versions of Struts 2.3 and 2.5 after 2.3.5 and 2.5 were vulnerable.

I am in particular interested in the user flow beginning at https://www.treasurydirect.gov/RS/UN-Display.do as the `.do` extension is typically associated with Apache Struts webservers. I am also requesting that any fees be waived as the CVE-2017-5638 vulnerability is of notable public interest as it was used in the Equifax data breach of 143 million Americans announced in September of 2017.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.

Sincerely,

Rob Rose

From: Bureau of Fiscal Service

Mr. Rose:

Please see the attached letter in reference to the above-mentioned FOIA request.

Sincerely,

*******************
Denise K. Nelson
Co-Disclosure Officer
Legislative & Public Affairs
Bureau of the Fiscal Service

  • 2018-06-104 MuckRock - Rose - Apache Struts vulnerability - extension

From: Bureau of Fiscal Service

Mr. Rose:

I apologize for the delay in our response.

We have completed the records search and we are currently reviewing the records to finalize them for release. We hope to have a response to you within the next 7-10 business days.

Sincerely,

*******************
Denise K. Nelson
Co-Disclosure Officer
Legislative & Public Affairs
Bureau of the Fiscal Service

From: Bureau of Fiscal Service

Mr. Rose:

Please see the attached letter and records in response to the above-mentioned FOIA request.

Sincerely,

*******************
Denise K. Nelson
Co-Disclosure Officer
Legislative & Public Affairs
Bureau of the Fiscal Service

Files

  • 07/16/2018: 2018-06-104 MuckRock - Rose - Apache Struts vulnerability - extension
  • 08/28/2018: 2018-06-104 MuckRock - Rose - Apache Struts vulnerability - partial response - B7E
  • 08/28/2018: 2018.8.16 struts FOIA request