Modernize or Die® - CFML News for December 14th, 2021 - Episode 128

Gavin hosts this weeks episode with a brand new host Dan Card who introduced himself. They talked about the big news in the CFML World, the Log4j java library with a zero day vulnerability. They discussed last weeks big conferences INTO THE BOX LATAM and CF Summit and how to see the videos. They also reminded you about Advent of Code which started Dec 1st. They also discussed Ortus Redis Cache Extension V2.0.0. They discuss the latest CFCasts content, and some upcoming conferences. They spotlight a lot of great blog posts, tweets, videos and podcasts, too many to list, so listen to the show. They announce some jobs from getCfmlJobs.com They show off the ForgeBox module of the Week - CommandBox - without CommandBox ForgeBox wouldn't be anywhere near as awesome, but it does so much more. This week's VS Code Tip of the week is Yaml, a Redhat extension for all of your Yaml needs. They thanked all their Patreons - they talked a little information about perks for their Patreon supporters, and a new option, Annual Memberships with a discount. For the show notes - visit the website https://cfmlnews.modernizeordie.io/episodes/modernize-or-die-cfml-news-for-december-14th-2021-episode-128 Music from this podcast used under Royalty Free license from SoundDotCom https://www.soundotcom.com/ and BlueTreeAudio https://bluetreeaudio.com

2021-12-14 Weekly News - Episode 128

Watch the video version on YouTube at https://youtu.be/_GrDec5PVwg

Hosts:
 
Gavin Pickin - Senior Developer for Ortus Solutions
Dan Card  - Software Developer for Ortus Solutions


Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 
A few ways  to say thanks back to Ortus Solutions:
  • Like and subscribe to our videos on YouTube. 
  • Subscribe to our Podcast on your Podcast Apps and leave us a review
  • Sign up for a free or paid account on CFCasts, which is releasing new content every week
  • Buy Ortus’s new Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)

Patreon Support

We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.



News and Events

New Host - Dan Card

Dan introduces himself and gives a quick run down of his CFML experience.


Log4j Vulnerability Reported

There is a critical security vulnerability (CVE-2021-44228 aka Log4Shell) in the java library log4j which is a popular logging library for java applications. It is included in both Adobe ColdFusion and Lucee for example.
Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. I'll update this entry as needed.
https://www.petefreitag.com/item/923.cfm

Adobe’s update on the matter (thanks charlie for pointing this out)
Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/
Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

TLDR for Adobe
There is a critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.
Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021. VERY FAST FOR ADOBE - THEY DONT MOVE FAST USUALLY
In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released.

Lucee is not affected https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331

Charlie’s Blog on the matter
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/

More news links about Log4j
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/


New CommandBox Feature

Add the equivalent of the mod_cfml tomcat valve into CommandBox as an Undertow handler to auto-create contexts based on the front-end servers's virtual hosts.
Support the same request headers and behavior of mod_cfml
Ideally, this should have drop-in support behind BonCode IIS or Apache's mod_cfml module
Support max contexts setting
Make this new behavior off (opt-in) by default
Support and require shared key for security (Note, the current mod_cfml Tomcat valve does not require the shared key, but we will)
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1411


CBSecurity V2.15.0 released

🚀 Added
Pass custom claims from refreshToken( token, customClaims) method when refreshing tokens
Pass in the current jwt payload in to getJWTCustomClaims( payload )
The auto refresh token features now will auto refresh not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete
🐛 Fixed
Timeout in token storage is now the token timeout
https://www.forgebox.io/view/cbsecurity


TestBox v.4.5.0 released

Added
  • Migration to github actions
  • TESTBOX-332 toBe{Type} is incomplete
  • TESTBOX-329 Full Null support
6 Bug fixes as well

Also updates to VSCode extension

Luis been updating the TestBox VSCode extension
Luis has rewritten it and added tons of new features
You can now run your tests inside of vscode
The full harness, a bundle, or a single spec depending on your cursor in the code
Basically this https://marketplace.visualstudio.com/items?itemName=CoachRichbart.better-jest  but for TestBox
Luis has all of it working with CommandBox right now but it’s dog slow
So Luis is building a native http runner from within vscode
https://testbox.ortusbooks.com/intro/release-history/whats-new-with-4.5.0



Vue Mastery - FREE Courses Dec 17-20th

Vue Mastery @VueMastery
We're unlocking ALL of our courses
On Dec. 17-20, you'll be able to watch any and all of our courses on our site for free.
Have you signed up yet? Reserve your spot so you get notified when we unlock our courses
https://twitter.com/vuemastery/status/1470524002829582339?


ICYMI - Advent of Code starts Dec 1st

Advent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other.
You don't need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.
https://adventofcode.com/


ICYMI - Ortus Redis Cache Extension V2.0.0

11 new features, 1 improvement and 3 bug fixes.
Major enhancements focus on Pub Sub capabilities, Docker support, and Cluster Protocol support for RedisCluster, Sentinel, AWS and DigitalOcean.
https://www.forgebox.io/view/5C558CC6-1E67-4776-96A60F9726D580F1/version/2.0.0-snapshot





CFCasts Content Updates

https://www.cfcasts.com

Just Released

Coming soon
  • Into the Box LATAM
Send your suggestions at https://cfcasts.com/support



Conferences and Training

ICYMI - ITB Latam 2021

December 2-3, 2021
Into the Box LATAM is back and better than ever! Our virtual conference will include speakers from El Salvador and all over the world, who'll present on the latest web and mobile technologies in Latin America.
Registration is completely free so don't miss out!
ITB Latam Schedule Posted
https://latam.intothebox.org/


ICYMI - Adobe ColdFusion Summit 2021

December 7th and 8th - Virtual
Register for Free - https://cfsummit.vconfex.com/site/adobe-cold-fusion-summit-2021/1290
Blog - https://coldfusion.adobe.com/2021/09/adobe-coldfusion-summit-2021-registrations-open/

ALL RECORDINGS CURRENTLY AVAILABLE ON VCONFEX VIA AGENDA
They are re-rendering them all and uploading the full MP4 quality videos to our YouTube channel, which will be linked from coldfusion.adobe.com

It would be nice to highlight the registration figures, over 8600 registrations.
I think Kishore is still running the numbers on participation, but I think we had really great percentages on participation.
First public introduction to the new PM, Aditya Nema.

Obviously some awesome talks across the board, both from old stalwarts like Charlie and Pete to new faces, especially in track 2, which featured either cf-adjacent or other tech cf folks might be interested in.

Even with hiccups in the platform, I've received nothing but great feedback about the talks themselves from the folks that attended.


ICYMI - Nginx APAX Sprint 2.1

December 7-8th, 2021
https://www.nginx.com/events/nginx-sprint-apac-2021


ICYMI jConf.dev

Now a free virtual event
December 9th starting at 8:30 am CDT/2:30 pm UTC.
https://2021.jconf.dev/?mc_cid=b62adc151d&mc_eid=8293d6fdb0


VueJS Nation Conference

Online Live Event
January 26th & 27th 2022
Register for Free
Call for Speakers is open until Dec 31 2021
https://vuejsnation.com/


More conferences

Need more conferences, this site has a huge list of conferences for almost any language/community.
https://confs.tech/



Blogs, Tweets and Videos of the Week

Blog - Charlie Arehart - About the log4jshell pandemic, and what CF folks can do about it
You can find lots of info in the CF and IT worlds about the log4jshell "pandemic", since the news broke late Dec 9. If you have not found those yet, here's a post I did on the Adobe CF portal yesterday with my thoughts (and a "mask" to consider", especially while we await a formal update ("the shot") from Adobe:
Dealing with the recent log4j vulnerability, before Adobe releases an update.
Minutes after I posted this, I saw word that Adobe has offered a new informational resource (still not a fix), on their site. (Now back to what I had written originally.)
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic


Blog - Charlie Arehart - Dealing with the recent log4j vulnerability, before Adobe releases an update
I provide here resources with suggestions of what to do about the log4jshell vulnerability, while we await an update from Adobe. And I share the current JVM arg being proposed as “the solution” to mitigate the vuln (-Dlog4j2.formatMsgNoLookups=true). Finally, I offer a bit of opinion on how things have gone so far.
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/


Blog - Adobe - Mark Takata - Update on Log4J Vulnerability
As most of you are aware, the Log4J (aka “Log4Shell”) vulnerability is currently the hot topic of discussion amongst… well, basically everyone.
Adobe engineering & security have been hard at work determining which versions of ColdFusion might be affected and what, if any, workaround/mitigation steps are available.
Please head over here: Log4j vulnerability on ColdFusion (adobe.com) and bookmark the page, as it will be updated if/as things change. This article contains information related to ColdFusion 2021, ColdFusion 2018 as well as ColdFusion 2016. There are also sections concerning the Performance Monitoring Toolset for 2021/2018 and API Manager.
https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/


Webpage - Adobe - Log4j vulnerability on ColdFusion
There is a critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.
Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.
In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released.
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html


Blog - Charlie Arehart - Viewing the ColdFusion Summit 2021 recordings
The Adobe ColdFusion Summit 2021 happened last week (Dec 7-8), and while for now the recordings are not yet available on the “videos” page here on the portal, you can find them if you visit the conference site.
https://coldfusion.adobe.com/2021/12/viewing-coldfusion-summit-2021-recordings/


Tweet - Brad Wood - Log 4j
CommandBox users can immediately protect any CF servers from the new Log4j vuln by setting this config setting and restarting any running servers:
config set server.defaults.jvm.args='-Dlog4j2.formatMsgNoLookups=true'
https://twitter.com/bdw429s/status/1470504989479079942
https://twitter.com/bdw429s


Tweet - Brad Wood - Log 4j - Task Runner
I whipped up a quick CommandBox Task Runner that will use that project to scan an entire folder of jars for you (and download what it needs first to perform the scan)
https://gist.github.com/bdw429s/f55595d1a413d68a9c792eeced365e4a


Tweet - Brad Wood - CF Engines ignoring duplicate HTTP Request Headers
Never realized this before- Adobe & Lucee ignore duplicate HTTP request headers.  If your client provides two headers of the same name (even with diff values) only the first will be available in CFML. You've got to use the servlet classes directly to get both. #CFML #ColdFusion
https://twitter.com/bdw429s/status/1469030271383220234
https://twitter.com/bdw429s


Blog - Ben Nadel - Recording Datadog / StatsD Gauges For Database Key Utilization In Lucee CFML 5.3.7.47
As a fast-follow to yesterday's post on using information_schema to inspect primary and secondary index key utilization in MySQL and Lucee CFML, I wanted to demonstrate how to then take that utilization information and persist it to a StatsD consumer, like Datadog, such that monitoring and alerting can then be applied. Unfortunately, this code isn't even live yet, so I don't have a graph to showcase. But, I thought it would be worth sharing, regardless.
https://www.bennadel.com/blog/4166-recording-datadog-statsd-gauges-for-database-key-utilization-in-lucee-cfml-5-3-7-47.htm


Blog - Ben Nadel - Inspecting Primary And Secondary Index Key Utilization For MySQL 5.7.32 In Lucee CFML 5.3.7.47
The day before Thanksgiving, I was paged at 3:30AM because one of our API end-points suddenly starting failing on all requests. A quick look at the errors logs revealed one of my long-time worst nightmares: a column in our MySQL database had run out of "INT space". It was an old column and was accidentally defined as INT when it should have been defined as INT UNSIGNED. We fixed the issue by migrating the data-type on the column. But, in order to sleep at night, I need to know that this won't happen again. So, I've started to look at how I can introspect the MySQL database schema in order to see—and eventually measure—how much wiggle-room I have left in my Primary and Secondary indices.
https://www.bennadel.com/blog/4165-inspecting-primary-and-secondary-index-key-utilization-for-mysql-5-7-32-in-lucee-cfml-5-3-7-47.htm



CFML Jobs

Several positions available on https://www.getcfmljobs.com/
Listing over 248 ColdFusion positions from 107 companies across 129 locations in 5 Countries.

7 new jobs listed

Full-Time - ColdFusion Developer | 4 to 6 years | Pune at Pune, Maharash.. - India
Dec 12
https://www.getcfmljobs.com/jobs/index.cfm/india/ColdFusion-Developer-4-to-6-years-Pune-at-Pune-Maharashtra/11396

Full-Time - Coldfusion Developer at Connecticut - United States
Dec 10
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Coldfusion-Developer-at-Connecticut/11395

Full-Time - Coldfusion Developer at Connecticut - United States
Dec 08
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Coldfusion-Developer-at-Connecticut/11394

Full-Time - ColdFusion Developer at Richmond, VA - United States
Dec 08
https://www.getcfmljobs.com/jobs/index.cfm/united-states/ColdFusion-Developer-at-Richmond-VA/11393

Full-Time - Senior Coldfusion Developer (RQ02208) at Toronto, ON - Canada
Dec 03
https://www.getcfmljobs.com/jobs/index.cfm/canada/Senior-Coldfusion-Developer-RQ02208-at-Toronto-ON/11392

Full-Time - Senior ColdFusion Engineer at Remote - United States
Dec 01
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Senior-ColdFusion-Engineer-at-Remote/11390

Full-Time - Senior ColdFusion Engineer at Fort Washington, PA - United States
Dec 01
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Senior-ColdFusion-Engineer-at-Fort-Washington-PA/11391



ForgeBox Module of the Week

CommandBox

CommandBox is a standalone, native tool for Windows, Mac, and Linux that will provide you with a Command Line Interface (CLI) for developer productivity, tool interaction, package management, embedded CFML server, application scaffolding, and sweet ASCII art. It seamlessly integrates to work with any of Ortus Solutions *Box products, but it is also open for extensibility for any ColdFusion (CFML) project as it is written in ColdFusion (CFML) using our concepts of CommandBox Commands.
https://commandbox.ortusbooks.com/
Installation - https://commandbox.ortusbooks.com/setup/installation


VS Code Hint Tips and Tricks of the Week

YAML

By Red Hat

Provides comprehensive YAML Language support to Visual Studio Code, via the yaml-language-server, with built-in Kubernetes syntax support.

https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml



Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox,  ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and funds the cloud infrastructure at our community relies on like ForgeBox for our Package Management with CommandBox. 

You can support us on Patreon here https://www.patreon.com/ortussolutions

Now offering Annual Memberships, pay for the year and save 10% - great for businesses.

  • Bronze Packages and up, now get a ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription.
  • All Patreon supporters have a Profile badge on the Community Website
  • All Patreon supporters have their own Private Forum access on the Community Website

Patreons

  • John Wilson - Synaptrix 
  • Eric Hoffman
  • Gary Knight
  • Mario Rodrigues
  • Giancarlo Gomez
  • David Belanger
  • Jonathan Perret
  • Jeffry McGee - Sunstar Media
  • Dean Maunder
  • Joseph Lamoree
  • Don Bellamy
  • Jan Jannek
  • Laksma Tirtohadi
  • Carl Von Stetten
  • Dan Card
  • Jeremy Adams
  • Jordan Clark
  • Matthew Clemente
  • Daniel Garcia
  • Scott Steinbeck - Agri Tracking Systems
  • Ben Nadel
  • Mingo Hagen
  • Brett DeLine
  • Kai Koenig
  • Charlie Arehart
  • Jonas Eriksson
  • Jason Daiger
  • Jeff McClain
  • Shawn Oden
  • Matthew Darby
  • Ross Phillips
  • Edgardo Cabezas
  • Patrick Flynn
  • Stephany Monge
  • Kevin Wright
  • Steven Klotz

You can see an up to date list of all sponsors on Ortus Solutions' Website
https://ortussolutions.com/about-us/sponsors


★ Support this podcast on Patreon ★

Switch to Modernize or Die ® Podcast - SoapBox Edition - Switch to Modernize or Die ® Podcast - Conference Edition

Powered by

Music from this podcast used under Royalty Free license from SoundDotCom and BlueTreeAudio

© 2019 Ortus Solutions