TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638 (United States Computer Emergency Readiness Team)

Rob Rose filed this request with the United States Computer Emergency Readiness Team of the United States of America.
Tracking #

2018-HQFO-01093, 2018-NPFO-00467

2018-HQFO-01093

Multi Request TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638
Est. Completion None
Status
No Responsive Documents

Communications

From: Rob Rose


To Whom It May Concern:

Pursuant to the Freedom of Information Act, I hereby request the following records:

Records relating to whether TreasuryDirect.gov and/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10th, 2017 and if so, when the webserver(s) were patched with the appropriate Apache Struts updates to mitigate the vulnerability. The first versions to contain fixes were Struts 2.3.32 or Struts 2.5.10.1 and all versions of Struts 2.3 and 2.5 after 2.3.5 and 2.5 were vulnerable.

I am in particular interested in the user flow beginning at https://www.treasurydirect.gov/RS/UN-Display.do as the `.do` extension is typically associated with Apache Struts webservers. I am also requesting that any fees be waived as the CVE 2017-5638 vulnerability is of notable public interest as it was used in the Equifax data breach of 143 million Americans announced in September of 2017.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.

Sincerely,

Rob Rose

From: United States Computer Emergency Readiness Team

Good Afternoon, Attached is our final response to your request.  If you need to contact this office again concerning your request, please provide the DHS reference number. This will enable us to quickly retrieve the information you are seeking and reduce our response time. This office can be reached at 866-431-0486. Regards, DHS Privacy Office Disclosure & FOIA Program
STOP 0655
Department of Homeland Security
245 Murray Drive, SW
Washington, DC 20528-0655
Telephone:  1-866-431-0486 or 202-343-1743
Fax:  202-343-4011
Visit our FOIA website

  • Final - Transferred to Component - (1) Letter to Requester

From: United States Computer Emergency Readiness Team

June 19, 2018 RobRose MuckRock 411A Highland Ave Somerville, Massachusetts RE:     NPPD Case Number 2018-NPFO-00467 DHS Privacy Office CaseNumber 2018-HQFO-0109 Dear Mr. Rose: This acknowledges receipt of aFreedom of Information Act (FOIA) referral to the U.S. Department of HomelandSecurity (DHS), National Protection and Programs Directorate (NPPD), related toyour June 16, 2018 FOIA request to the DHS Privacy Office, for records relating to whether TreasuryDirect.gov/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported inCVE-2017-5638 on March 10, 2017. While processing your request, the DHS Privacy Office determinedthat the records being sought likely fall under the purview of NPPD. Accordingly,your request was referred to this office on June 19, 2018 for review anddirect response to you. Dueto the increasing number of FOIA requests received by this office, we mayencounter some delay in processing your request. Per Section 5.5(a) of the DHSFOIA regulations, 6 C.F.R. Part 5, NPPD processes FOIA requests according totheir order of receipt. Although NPPD’s goal is to respond within 20 businessdays of receipt of your request, the FOIA does permit a 10- day extension ofthis time period. As your request seeks numerous documents that willnecessitate a thorough and wide-ranging search, NPPD will invoke a 10-dayextension for your request, as allowed by Title 5 U.S.C. § 552(a)(6)(B). If youcare to narrow the scope of your request, please contact our office. We willmake every effort to comply with your request in a timely manner. Provisions of the FOIA allow us torecover part of the cost of complying with your request.  We shall charge youfor records in accordance with the DHS FOIA regulations, as they apply tomedia requesters.  As a media requester, you will be charged 10 cents per page for duplication; the first 100 pages are free.  We will construe thesubmission of your request as an agreement to pay up to $25.00. You will becontacted before any further fees are accrued. We have queried the appropriate programoffices within NPPD for responsive records. If any responsive records arelocated, they will be reviewed for determination of releasability. Please beassured that one of the processors in our office will respond to your requestas expeditiously as possible. We appreciate your patience as we proceed withyour request. If you have any questions or wish to discuss reformulation or analternative time frame for the processing of your request, please contact FOIAoffice.  You may send an e-mail to NPPD.FOIA@HQ.DHS.GOV , call free 703-235-2211 , or you may contact our FOIA Public Liaison in thesame manner.  Additionally, you have a right to seek dispute resolutionservices from the Office of Government Information Services (OGIS) whichmediates disputes between FOIA requesters and Federal agencies as anon-exclusive alternative to litigation.  If you are requesting access toyour own records (which is considered a Privacy Act request), you should knowthat OGIS does not have the authority to handle requests made under the PrivacyAct of 1974.  You may contact OGIS as follows:  Office of GovernmentInformation Services, National Archives and Records Administration, 8601Adelphi Road-OGIS, College Park, Maryland 20740-6001, e-mail at ogis@nara.gov;telephone at 202-741-5770; toll free at 1-877-684-6448; or facsimile at202-741-5769. Your request has beenassigned reference number .Please refer to this identifier in any future correspondence. 2018-NPFO-00467 Tocheck the status of an NPPD FOIA request, please visit http://www.dhs.gov/foia-status .Please note that to check the status of a request, you must enter the2018-NPFO-00467 tracking number. Sincerely, NPPD FOIA

From: United States Computer Emergency Readiness Team

June 19, 2018 RobRose MuckRock 411A Highland Ave Somerville, Massachusetts RE:     NPPD Case Number 2018-NPFO-00467 [DHS Privacy Office 2018-HQFO-01093 Dear Mr. Rose: This acknowledges receipt of aFreedom of Information Act (FOIA) referral to the U.S. Department of HomelandSecurity (DHS), National Protection and Programs Directorate (NPPD), related toyour June 16, 2018 FOIA request to the DHS Privacy Office, for records relating to whether TreasuryDirect.gov/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported inCVE-2017-5638 on March 10, 2017. While processing your request, the Privacy Office determinedthat the records being sought likely fall under the purview of NPPD. Accordingly,your request was referred to this office on June 19, 2018 for review anddirect response to you. Dueto the increasing number of FOIA requests received by this office, we mayencounter some delay in processing your request. Per Section 5.5(a) of the DHSFOIA regulations, 6 C.F.R. Part 5, NPPD processes FOIA requests according totheir order of receipt. Although NPPD’s goal is to respond within 20 businessdays of receipt of your request, the FOIA does permit a 10- day extension ofthis time period. As your request seeks numerous documents that willnecessitate a thorough and wide-ranging search, NPPD will invoke a 10-dayextension for your request, as allowed by Title 5 U.S.C. § 552(a)(6)(B). If youcare to narrow the scope of your request, please contact our office. We willmake every effort to comply with your request in a timely manner. Provisions of the FOIA allow us torecover part of the cost of complying with your request.  We shall charge youfor records in accordance with the DHS FOIA regulations, as they apply tomedia requesters.  As a media requester, you will be charged 10 cents perpage for duplication; the first 100 pages are free.  We will construe thesubmission of your request as an agreement to pay up to $25.00. You will becontacted before any further fees are accrued. We have queried the appropriate programoffices within NPPD for responsive records. If any responsive records arelocated, they will be reviewed for determination of releasability. Please beassured that one of the processors in our office will respond to your requestas expeditiously as possible. We appreciate your patience as we proceed withyour request. If you have any questions or wish to discuss reformulation or analternative time frame for the processing of your request, please contact FOIAoffice.  You may send an e-mail to NPPD.FOIA@HQ.DHS.GOV , call free 703-235-2211 , or you may contact our FOIA Public Liaison in thesame manner.  Additionally, you have a right to seek dispute resolutionservices from the Office of Government Information Services (OGIS) whichmediates disputes between FOIA requesters and Federal agencies as anon-exclusive alternative to litigation.  If you are requesting access toyour own records (which is considered a Privacy Act request), you should knowthat OGIS does not have the authority to handle requests made under the PrivacyAct of 1974.  You may contact OGIS as follows:  Office of GovernmentInformation Services, National Archives and Records Administration, 8601Adelphi Road-OGIS, College Park, Maryland 20740-6001, e-mail at ogis@nara.gov;telephone at 202-741-5770; toll free at 1-877-684-6448; or facsimile at202-741-5769. Your request has beenassigned reference number .Please refer to this identifier in any future correspondence. 2018-NPFO-00467 Tocheck the status of an NPPD FOIA request, please visit http://www.dhs.gov/foia-status .Please note that to check the status of a request, you must enter the2018-NPFO-00467 tracking number. Sincerely, NPPD FOIA

From: United States Computer Emergency Readiness Team

Greetings,
Please find the attached correspondence related to your Freedom of Information Act request.  If you need to contact this office again concerning your request, please provide the DHS reference number. This will enable us to quickly retrieve the information you are seeking and reduce our response time.
Regards,
National Protection and Programs Directorate
U.S. Department of Homeland Security Phone: 703-235-2211
Fax: 703-235-2052
E-mail:
NPPD.FOIA@dhs.gov
NPPD Website

Files

pages

Close