Hello, welcome to the Tuesday, August 18th, 2020 edition of the Santernut Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

In case you had some issues connecting to the Internet Storm Center website this morning for change wasn't a problem with our web servers, but appears that the

Cisco Talas blocklist had our URL listed as malicious. This must have resolved sort of early

afternoon, so after that everything should have been cleared up.

Not clear why the URL made it onto this block list, but apparently some piece of malware

or so reached out to the internet storm center website.

I was looking on VarysTorl and found one piece of malware that just had a URL listed within its code,

but didn't actually connect to it.

This can be a technique to actually do force URLs like the Net Storm Centers onto Blocklist,

and yep, that may have been just what happened. And thanks, of course,

to everybody who reached out to us as well as to Cisco for having this resolved reasonably

quickly. In late last week, Apache released an update for Struts 2 that you should probably take serious.

There are two vulnerabilities that are of interest that are being patched here.

Now, the one that I'm most concerned about is CVE 2019-0-230.

This is a forced double- object graph navigation language evaluation vulnerability

or OGNL, short for object, graph navigation language. The problem with this vulnerability

is that it may in some circumstances lead to remote code execution. Part of the problem here is struts,

but part of the problem is also how people use struts. According to the guidance given by

struts, developers should avoid using raw expression language and they should use struts

tags instead. So whether or not you're vulnerable or whether this problem is exploitable

for your struts application really depends on the code that you are running, which makes

a little bit tricky to sort of figure out how severe

...