Resolve HSTS vulnerability CVEs on IIS10

IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console


This article will help resolve security HSTS vulnerability CVEs on IIS10.  The steps apply to Windows Server 2016+, to help resolve multiple vulnerabilities, including CVE-2023-23915 CVE-2023-23914 CVE-2017-7789.   There are a few ways to configure IIS, and the blog post will show how to set up HTTP response, and HTTP redirect for the SCOM web console role’d server(s).


Setting HSTS on IIS10 to resolve with Server2016 1609

Open PowerShell window as Admin
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name

Example aim for latest directory
NOTE bottom entry based on software versioning

Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name


# AppCMD lines
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.enabled:True” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.max-age:31536000” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.includeSubDomains:True” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.redirectHttpToHttps:True” /commit:apphost



For Server2016 1709 and greater

To add the HSTS Header, follow the steps below:

Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or directly in web.config as below under system.webServer:

<add name=”Strict-Transport-Security” value=”max-age=31536000; includeSubDomains; preload” />

NOTE iisreset may be required to restart IIS and apply settings



Verify HTTP Response Headers

From IIS10 (IIS Manager) > click on ‘Default Web Site’ > HTTP Response Headers

Verify Strict-Transport-Security blurb matches

HSTS IIS10 HTTP Response Headers screenshot verifying settings applied



Set HTTP Redirect

Now to set the HTTP redirect, to prevent denial of service (DoS) attacks.

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > HTTP Redirect


Default Web Site HTTP Redirect to SCOM web console URL



From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > go through each Application to set HTTP redirect


Set HSTS HTTP Redirect on other web applications
Set HSTS HTTP Redirect on other web applications


Test your web console URL to verify components




NIST CVE-2023-23915 CVE-2023-23914

Mitre CVE-2017-7789

Blog link


ACAS scan for Java vulns PlugIn ID’s 170161,166316

Java vulnerabilities on your SCOM servers


If you’re responsible for security compliance with SCOM servers, there will be times when applications need to be upgraded.   Current effort is Java vulnerabilities on your SCOM servers, current examples are plugIn ID’s  170161,166316.  Compliance and Security are big deals, even in air-gapped networks.   Why – even if external hacking risk is low, the security tools will cause administrative headaches when scanning weekly or more often.  The scans can also be intrusive in nature, causing even more problems.   For the Java vulnerabilities, when running some 3rd party tools, like Cisco UCS monitoring,  Java is installed for the application to run.   Java is like OS updates, comes up with periodic vulnerabilities popping up on your favorite security scanner software/tool (like Nessus/ACAS/Tenable+).



Oracle Java vulnerability detail links ID 170161, ID 166316

ACAS Java vulnerabilities
ACAS Java vulnerabilities


These specific vulnerabilities, the tool is looking for paths for Java 1.8.0+.   Even after upgrading Java, the vulnerabilities still showed, requesting debug output, it showed two paths on C: (64 and 32bit paths).


Plugin Output:

Path              : C:\Program Files (x86)\Java\jre1.8.0_341\

Installed version : 1.8.0_341 / build 8.0.341

Fixed version     : Upgrade to version 8.0.361 or greater


Path              : C:\Program Files\Java\jre1.8.0_341\

Installed version : 1.8.0_341 / build 8.0.341

Fixed version     : Upgrade to version 8.0.361 or greater


In my case, the upgrade completed, but did not remove the old version 1.8.0_341 (vulnerable version)!


PS C:\Program Files\java> gci

Directory: C:\Program Files\java

Mode                LastWriteTime         Length Name

—-                ————-         —— —-

da—-        7/28/2022   6:27 AM                jre1.8.0_341

da—-        3/15/2023   6:12 PM                jre1.8.0_361



Verify Java version on affected server(s)

Verify install – whether you check from Windows Explorer for the C: drive path, or from Control Panel > Programs and Features > Installed

Java application from Programs and Features
Java application from Programs and Features


NOTE multiple Java versions show installed on the server.   For resolving the vulnerability, you’ll need to download latest update from Oracle here, install, and then remove the old versions (see that the 32 and 64 bit versions were installed)


From PowerShell as admin, go to the path where you saved the Java exe

Java installer splash screen
Java installer splash screen


Click Close once Java installed

Java install completed
Java install completed


Additional validation step

From Event Viewer, Application Event Log, look for MsiInstaller events to validate Java install successful

Windows Application Event Log, looking for MSIInstaller events to validate Java install successful
Windows Application Event Log, looking for MSIInstaller events to validate Java install successful


For me, knowing that Cisco UCS application used java, I wanted to verify the alerts in SCOM, as well as the service restarted without issue.


Cisco UCS Service from services.msc
Cisco UCS Service from services.msc


Happy trails, being compliant and secure!