Hello, welcome to the Tuesday, February 15th, 2020 edition of the Sandcent, and at Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

A quick reminder today from our honeypots that if you ever see some of these backslash x16 sequences in your weblog, it's probably

just someone trying to use TLS to connect to a web server that doesn't support TLS.

Seeing this all the time, in particular, of course, these days with TLS being sort of the default,

a lot of bots and such that are connecting

to web servers, are also using TLS by default, and that's all this is about.

So not necessarily an attack and maybe just someone using the wrong tool or legitimately

trying to connect to your web server

that may not be configured correctly.

But talking about real attacks against web applications, turns out there is a new vulnerability

in Magento 2, the Adobe e-commerce platform,

and that vulnerability, which was patched on Sunday,

is already publicly being exploited.

So Adobe did release the patch.

You are warable if you are running anything before Magento 3.7p2 or 243P1. So the 2.3 and 2.44 branches are vulnerable.

The vulnerability does lead to unauthenticated remote code execution, so it's about as bad as it comes.

Sadly, the patch is a little bit tricky to implement.

It arrives as a zip file and a patch file that you sort of have to manually apply.

And if you look at the patch that was published, it does insert two new code segments

that will replace a particular pattern that consists of two nested scurly brackets. So

that's basically what the vulnerability is all about. According to Sandsk, you could

theoretically look for sort of this squarely pattern here in a web application firewall, but

...