Hello, welcome to the Friday, September 2, 2020 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Yesterday I talked about Apache, patching a vulnerability in Geode. I noted how this deserlerization vulnerability CVE 2020-37021

only affects Geode if Java 8 is used and if the data is being delivered via JMX.

JMX, that's the Java management extension,

is a standard API that allows you to monitor and manage services.

It is an important vulnerability,

but overall I didn't consider it urgent,

given that these are not services that are typically exposed.

But when looking at my honeypot logs today, I noticed some new scans that started showing up

around the time the geot vulnerability started to become known.

The requests used a URL typically for Jolokia, and I hope I'm pronouncing this correctly,

an HTTP to JMX Gateway. I believe it is plausible that some attempts to find hosts exposing

GMX via this interface are being conducted here.

Interestingly, these requests do not use HTTP, only HTTP port 80 and 8080.

At this point only one particular IP address is sourcing these scans, an unremarkable

IP address assigned to a Kolo provider.

I've not really seen any direct exploit attempts,

and the honeypot that detects these attempts did not really attempt to impersonate any of these applications.

So if this is just a scan, sort of build a target list or such,

of course I wouldn't necessarily see the follow-up scans, then, or attacks. So no exploit

attempts in so far, not clear if they're actually going after the Gio'd vulnerability, but the

...