2021-12-28 Weekly News - Episode 129
Watch the video version on YouTube at https://youtu.be/xQ44rxXK_Z0
Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Daniel Garcia - Senior Software Developer for Ortus Solutions
Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there.
A few ways to say thanks back to Ortus Solutions:
Patreon Support
We have 37 patrons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.
News and Events
Log4j Vulnerability Updates
Ortus has updated the Adobe CF engines on ForgeBox for CommandBox users to include the latest security patches released from Adobe the same day Adobe released them.
2021.0.3+329779
2018.0.13+329786
Please update any CommandBox servers immediately to use these new, secure versions of ACF. #CFML #ColdFusion
Tweet from Brad
Apache announced today that the formatMsgNoLookups JVM arg is no longer considered sufficient to mitigate a vuln ver of Log4j. https://logging.apache.org/log4j/2.x/security.html Their advice (and Adobe's) is to completely remove the JndiLookup class file from the log4j-core jar or update to 2.16. #CFML
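The check and the class-removal step the tweet describes, as an added Python example (not Ortus's, Adobe's or Apache's code): it audits a log4j-core jar for the JndiLookup class, reads the version from the jar's file name, and can strip the class from the archive, which is what deleting it from the jar with a zip tool does. The fixed floor of 2.17.0 is an assumption chosen to match the 2.17 jars mentioned later on this page (the tweet itself says 2.16), and the sample jar is constructed inline, so nothing here touches a real installation.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_FLOOR = (2, 17, 0)  # assumption: treat 2.17.0+ as fixed (the 2.17 jars this page mentions)

def parse_version(jar_name):
    """Return (major, minor, patch) from a name like log4j-core-2.14.1.jar, else None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_jar(path: Path) -> dict:
    """Report whether the jar still carries JndiLookup and whether that needs action."""
    with zipfile.ZipFile(path) as zf:
        present = JNDI_CLASS in zf.namelist()
    version = parse_version(path.name)
    fixed = version is not None and version >= FIXED_FLOOR
    return {"jar": path.name, "version": version,
            "jndi_lookup_present": present, "needs_action": present and not fixed}

def strip_jndi_lookup(path: Path) -> bool:
    """Rewrite the jar without JndiLookup.class; returns True if the class was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        kept = [(i, src.read(i.filename)) for i in src.infolist() if i.filename != JNDI_CLASS]
    with zipfile.ZipFile(path, "w") as dst:  # rewrites in place; back up real jars first
        for info, data in kept:
            dst.writestr(info, data)
    return True

def make_sample_jar(directory: Path, version: str, with_jndi: bool) -> Path:
    """Construct a stand-in jar for offline use; the class body is not real bytecode."""
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path

def run_demo():
    """Audit a constructed pre-fix jar, strip the class, then audit it again."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(Path(d), "2.14.1", with_jndi=True)
        before = audit_jar(jar)
        removed = strip_jndi_lookup(jar)
        after = audit_jar(jar)
    return before, removed, after
```

Point `audit_jar` at every log4j-core jar under a server's lib directories; a jar that reports `needs_action` is still exposed to the lookup and should be updated or stripped.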
New Blog Posts
Adobe Updates Releases
We are pleased to announce that we have released the updates for the following ColdFusion versions:
https://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/
If you have applied the #ColdFusion updates from Fri, Dec 17, Adobe now says it's ok to copy in the log4j 2.17 jars, and they even offer just what you need. This is NOT a way to mitigate INSTEAD of applying the updates.
https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html
Previous Blog Posts
Adobe's update on the matter (thanks Charlie for pointing this out)
Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/
Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Lucee is not affected
https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331
Charlie’s Blog on the matter
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/
More news links about Log4j
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
Adobe Workshops
More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx (Brew-en-dohnx)
2 dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
https://cf-workshop.meetus.adobeevents.com/
ICYMI - CBSecurity V2.15.0 released
🚀 Added
Pass custom claims from the refreshToken( token, customClaims ) method when refreshing tokens
Pass the current JWT payload into getJWTCustomClaims( payload )
The auto-refresh token feature now refreshes not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete
🐛 Fixed
Timeout in token storage is now the token timeout
https://www.forgebox.io/view/cbsecurity
ICYMI - Spreadsheet-CFML 3.2.3 released with log4j-2.17.0
Spreadsheet-CFML 3.2.3 released with log4j-2.17.0 Seems none of these updates are strictly necessary as POI doesn't use the "core" jar, but putting them out as a precaution. #cfml
https://www.forgebox.io/view/spreadsheet-cfml
CFCasts Content Updates
https://www.cfcasts.com
Just Released
Coming soon
Send your suggestions at https://cfcasts.com/support
Conferences and Training
VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free
Call for Speakers is open until Dec 31 2021
https://vuejsnation.com/
More conferences
Need more conferences? This site has a huge list of conferences for almost any language or community.
https://confs.tech/
Blogs, Tweets and Videos of the Week
Tweet - James Moberg - Log4j Detection Library
Apart from updating the Log4j library, I haven't seen any #ColdFusion detection libraries yet. Here's my first attempt at detecting & blocking exploit attempts.
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17 #cfml
https://twitter.com/gamesover/status/1473418402840838144
https://twitter.com/gamesover
Tweet - Brad Wood - FusionReactor transaction names for non-ColdBox apps
For non-ColdBox apps that route multiple pages through a "front controller" like index.cfm, I've published a demo showing how to customize the transaction name @Fusion_Reactor reports for each page using the FRAPI SDK
https://github.com/bdw429s/FRAPI-transaction-name-demo
#CFML #ColdFusion
Blog - Adobe - UPDATE: ColdFusion security updates for Log4j vulnerability
We are pleased to announce that we have rel...