SCANGITTMAN

Question About "CVE-2017-5638.Struts2"


Hi all.

This is my first post on this forum.

We are using ESET Management Center to manage our ESET software.

We have an on-premise mail server running Exchange 2016 on Windows Server 2012 R2.

On this server we have ESET File Security (ver 7.0.12018.0). 

The EMC dashboard is showing the following information regarding our Exchange server:

Computer Name: SERVER-ABC.OURDOMAIN.LOCAL
Threat name: (blank)
Rule name: CVE-2017-5638.Struts2
Rule ID: (blank)
Occurred: (several different dates/times here, spanning the last 2 months)
Event: Security vulnerability exploitation
Source address: 113.140.10.112 <-- this is a different IP for each of the several events showing on the dashboard
Source port: 51436
Target address: (our internal server IP address)
Target port: 443
Protocol: TCP
Inbound: Yes
Process name: System
Account: (blank)
Count: 1

This appears to be related to Apache, but I don't see Apache in the list of installed programs on the server.

My questions are as follows:

1) Is this "Security vulnerability exploitation" alert cause for concern?

2) I noticed, however, that Java is in the list of installed programs via Windows Control Panel. Does anyone here know if I can safely uninstall this? Based on what I've been reading, it doesn't appear to be a prerequisite to run Microsoft Exchange 2016. I don't want to cripple the server by removing it, if it's needed in some way.

Thanks in advance!


1. The malicious communication was blocked, so it's of no concern. You can block the remote IP address on a firewall to prevent future exploitation attempts. However, even if the communication was not blocked, it wouldn't pose any risk as long as you don't have a vulnerable version of Struts installed.

2. If you don't use Java intentionally, I'd rename its executables and observe whether any issues occur in the next few days or weeks. If it turns out that some application requires Java, you can rename the files back. Otherwise you could uninstall it completely.

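Not part of the thread: an added Python example that parses events in the "Field: value" layout the dashboard shows above and applies the two points of the answer (the target is at risk only if Struts is installed; external source addresses of inbound hits become firewall block candidates). The records, the internal-host case and the installed-program list are constructed.

```python
# Added example, not ESET code: triage 'Security vulnerability exploitation'
# events in the EMC dashboard's 'Field: value' layout. The records below are
# constructed; the public IP is an RFC 5737 documentation address.
import ipaddress
from collections import Counter

SAMPLE_EVENTS = """\
Rule name: CVE-2017-5638.Struts2
Source address: 203.0.113.7
Inbound: Yes

Rule name: CVE-2017-5638.Struts2
Source address: 203.0.113.7
Inbound: Yes

Rule name: CVE-2017-5638.Struts2
Source address: 10.0.0.5
Inbound: Yes
"""

# RFC 1918 ranges: a source in here is an internal host to inspect,
# not an address to block at the perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    """Each blank-line-separated record becomes one {field: value} dict."""
    events = []
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(events, installed_programs):
    """Return (target_vulnerable, block_candidates): the rule matches Struts
    exploit traffic, so the target is at risk only if Struts is installed;
    candidates are external sources of inbound CVE-rule hits, most frequent first."""
    vulnerable = any("struts" in p.lower() for p in installed_programs)
    hits = Counter()
    for ev in events:
        if ev.get("Inbound") != "Yes" or not ev.get("Rule name", "").startswith("CVE-"):
            continue
        src = ipaddress.ip_address(ev["Source address"])
        if not any(src in net for net in INTERNAL_NETS):
            hits[str(src)] += 1
    return vulnerable, [ip for ip, _ in hits.most_common()]
```

With the constructed records, the external source shows up once as a block candidate even though it hit twice, while the private source is left for host inspection instead.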

Ok thank you for your help with this.

You can go ahead and close this question/topic if you'd like.

