Hello, welcome to the Wednesday, July 6th, 2016 edition of the Sansanet StormSanus Stormcast.

My name is Johannes Ulrich and I'm recording from Jackson, Florida.

If you're using Apache with the HTTP 2 module enabled, you may want to check out the patch that was released today. It fixes a serious problem if you're

also relying on SSL certificates for authentication. This will only affect you if you are doing

two things at the same time, using HTTP2 and using client certificates to authenticate

your users for these HTTP2 connections.

Apparently Apache in recent versions didn't validate the ASL certificate correctly in those

cases, allowing essentially anybody to log in

site.

This issue only shows up in versions of Apache 2.418 and later, and only again if you

do have these two conditions fulfilled. The HAP2 module is not enabled by default.

And if you are not sure what HAP2 versions you're actually using in your network,

I posted a little T-Shark script that you can use to check for HEP connections.

If you are supporting HDP2, you should expect that all recent browsers will use HTTP2 if they're connecting to a web server via HTTP.

And yesterday I mentioned the exploit that was released against the ThinkPad UEFI vulnerability and

I mentioned that other systems may be affected as well.

Well, we got at least two more now.

Some HP systems are affected according to an update published by the original author as well as some

Gigabyte motherboards. So this is probably just sort of the tip of the iceberg

here and I expect more of them to be released shortly. I'm going to link to the author's

Twitter feed very typically posts updates like that and has links to updates

in his exploit GitHub website. And over the last couple years, several countries did investigate

...