NDIS: Spring4Shell Cybersecurity Vulnerability & Risk
Dear National Disability Insurance Agency,
1. Please provide a copy of the NDIA's Spring4Shell cybersecurity threat and vulnerability assessment.
2. Does the NDIA have any products, services or systems using the Spring Framework (Java)?
3. Has the NDIA or the NDIA's data been impacted in any way by the Spring4Shell vulnerability? This includes all vendor/3rd party products and services such as VMWare, Microsoft Azure or other recently impacted systems and warnings.
https://www.itnews.com.au/news/vmware-sp...
“Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.”
https://www.zdnet.com/article/spring4she...
"The Spring Framework is 'the most widely used lightweight open-source framework for Java,' Microsoft notes. The bug resides in the Java Development Kit (JDK) from version 9.0 and upwards if the system is also using Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions."
Yours faithfully,
Lesley
Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
If your email relates to an FOI application made under the Commonwealth
Freedom of Information Act 1982 (FOI Act), the Agency will respond to you
as soon as practicable.
This email address is for applications under the FOI Act only. The Agency
is unable to respond to non-FOI related enquiries sent to this email
address. Any correspondence received that is not an information access
request will not be responded to or forwarded.
If you are seeking to access your personal documents, please consider
submitting your request through our [1]Participant Information Access
(PIA) web-form, which will allow the matter to be processed
administratively.
Should you have a query unrelated to FOI, please contact us by emailing at
[2][email address] or via webchat at [3]NDIA Web Chat (ndis.gov.au).
Alternatively you can also contact us by phoning 1800 800 110.
If you have any questions about making an FOI request, or to enquire about
a current FOI request, please email us with your phone number and a
preferred time for us to call you, and an FOI Decision Maker will call you
back.
Kind regards
Freedom of Information team
Parliamentary, Ministerial & FOI Branch
Government
National Disability Insurance Agency
Email: [4][NDIA request email]
**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************
References
Visible links
1. https://aus01.safelinks.protection.outlo...
2. mailto:[email address]
3. https://aus01.safelinks.protection.outlo...
4. mailto:[NDIA request email]
Dear Lesley
Freedom of Information Request: Acknowledgement
Thank you for your request of 6 April 2022, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).
Scope of your request
You have requested access to the following documents:
1. Please provide a copy of the NDIA's Spring4Shell cybersecurity threat
and vulnerability assessment.
2. Does the NDIA have any products, services or systems using the Spring
Framework (Java)?
3. Has the NDIA or the NDIA's data been impacted in any way by the
Spring4Shell vulnerability? This includes all vendor/3rd party products
and services such as VMWare, Microsoft Azure or other recently impacted
systems and warnings.
Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).
Processing timeframes
A 30-day statutory period for processing your request commenced from 7
April 2022 in accordance with section 15(2A)(c) of the FOI Act. You
should, therefore, expect a decision from us by 6 May 2022.
This period may be extended if we need to consult with third parties or
for other reasons. We will advise you if this happens.
Charges
We may apply a processing charge to your request and will advise you as
soon as practicable if a charge is payable.
Disclosure Log
Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.
If you have any concerns about the publication of information you have
requested, please contact us.
Further help
Please contact us at [1][NDIA request email] if you have any questions or need
help.
We will contact you using the email address you provided. Please advise if
you would prefer us to use an alternative means of contact.
Kind regards
Freedom of Information Officer
Parliamentary, Ministerial & FOI Branch
Government Division
National Disability Insurance Agency
E: [2][NDIA request email]
References
Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]
Dear Lesley
Thank you for your request for information.
Please find attached correspondence and documents in relation to your
request. If you require these in a different format, please let us know.
Please contact us at [1][NDIA request email] if you have any questions or
require help.
Thank you.
Kind regards
Freedom of Information Officer
Parliamentary, Ministerial and FOI Branch
Government Division
National Disability Insurance Agency
E: [2][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
References
Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]