Jump to content

Question About "CVE-2017-5638.Struts2"

Recommended Posts

Hi all.

This is my first post on this forum.

We are using ESET Management Center to manage our ESET software.

We have an on-premise mail server running Exchange 2016 on Windows Server 2012 R2.

On this server we have ESET File Security (ver 7.0.12018.0). 

The EMC dashboard is showing the following information regarding our Exchange server:

Threat name: (blank)
Rule name: CVE-2017-5638.Struts2
Rule ID: (blank)
Occurred: (several different dates/times here, spanning the last 2 months)
Event: Security vulnerability exploitation
Source address: <-- this is a different IP for each of the several events showing on the dashboard
Source port: 51436
Target address: (our internal server IP address)
Target port: 443
Protocol: TCP
Inbound: Yes
Process name: System
Account: (blank)
Count: 1

This appears to be related to Apache, but I don't see Apache in the list of installed programs on the server.

My questions are as follows:

1) is this "Security vulnerability exploitation" alert cause for concern?

2) I noticed however that Java is in the list of installed programs via Windows Control Panel. Does anyone here know if I can safely uninstall this?  Based on what I've been reading, it doesn't appear to be a prerequisite to run Microsoft Exchange 2016.  I don't want to cripple the server by removing it, if it's needed in some way.

Thanks in advance!

Link to comment
Share on other sites

  • Administrators

1, The malicious communication was blocked so it's of no concern. You can block the remote IP address on a firewall to prevent future exploitation attempts. However, even if the communication was not blocked, it wouldn't pose any risk as long as you don't have a vulnerable version of Struts installed.

2, If you don't use Java intentionally, I'd rename its executables and observe if no issues occur in the next few days or weeks. If it turns out that some application requires Java, you can rename the files back. Otherwise you could uninstall it completely.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...