TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638 (Department of Treasury)
Multi Request | TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638 |
Submitted | June 16, 2018 |
Est. Completion | None |
Communications
From: Rob Rose
To Whom It May Concern:
Pursuant to the Freedom of Information Act, I hereby request the following records:
Records relating to whether TreasuryDirect.gov and/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10th, 2017 and if so, when the webserver(s) were patched with the appropriate Apache Struts updates to mitigate the vulnerability. The first versions to contain fixes were Struts 2.3.32 or Struts 2.5.10.1 and all versions of Struts 2.3 and 2.5 after 2.3.5 and 2.5 were vulnerable.
I am in particular interested in the user flow beginning at https://www.treasurydirect.gov/RS/UN-Display.do as the `.do` extension is typically associated with Apache Struts webservers. I am also requesting that any fees be waived as the CVE-2017-5638 vulnerability is of notable public interest as it was used in the Equifax data breach of 143 million Americans announced in September of 2017.
The requested documents will be made available to the general public, and this request is not being made for commercial purposes.
In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.
Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.
Sincerely,
Rob Rose
From: Department of Treasury
The U.S. Department of the Treasury has received the information you submitted to the FOIA@TREASURY.gov mailbox.
If you are submitting a FOIA request, this courtesy reply does not replace the acknowledgement letter which will include a FOIA case number once your request has been entered into our FOIA Request Tracking System.
If you are seeking the status of a pending FOIA request for which you have a FOIA case number, please call (202) 622-0930 to obtain the status of your request.
Please visit our FOIA Library at http://www.treasury.gov/FOIA/Pages/reading_room.aspx.
Thank you for contacting the U.S. Department of the Treasury.
From: Muckrock Staff
To Whom It May Concern:
I wanted to follow up on the following Freedom of Information Act request, copied below, and originally submitted on June 16, 2018. Please let me know when I can expect to receive a response, or if further clarification is needed.
Thanks for your help, and let me know if further clarification is needed.
From: Department of Treasury
The U.S. Department of the Treasury has received the information you submitted to the FOIA@TREASURY.gov mailbox.
If you are submitting a FOIA request, this courtesy reply does not replace the acknowledgement letter which will include a FOIA case number once your request has been entered into our FOIA Request Tracking System.
If you are seeking the status of a pending FOIA request for which you have a FOIA case number, please call (202) 622-0930 to obtain the status of your request.
Please visit our FOIA Library at http://www.treasury.gov/FOIA/Pages/reading_room.aspx.
Thank you for contacting the U.S. Department of the Treasury.
From: Department of Treasury
Mr. Rose:
We emailed a letter to you on 7/16/18 regarding this request. Please let me know if you did not receive it.
Sincerely,
*******************
Denise K. Nelson
Co-Disclosure Officer
Legislative & Public Affairs
Bureau of the Fiscal Service