Modernize or Die® - CFML News for December 28th, 2021 - Episode 129

Gavin Pickin and Daniel Garcia host the last CFML News Podcast of the year. They talked about the big news in the CFML world, the Log4j Java library with a zero-day vulnerability, and all of the developments and updates released since then. They discuss the latest CFCasts content and some upcoming conferences. They spotlight a lot of great blog posts, tweets, videos and podcasts, too many to list, so listen to the show. They announce some jobs from getCfmlJobs.com. They show off the ForgeBox Module of the Week, commandbox-cflint, a CommandBox module for linting your CFML code using CFLint (CFLint version 1.4.1). This week's VS Code Tip of the Week is Code Time, an open source plugin for automatic programming metrics and time tracking in Visual Studio Code. Join our community of over 200,000 developers who use Code Time to reclaim time for focused, uninterrupted coding. Protect valuable code time and stay in flow. They thanked all their Patreons and talked a little about perks for their Patreon supporters, and a new option, Annual Memberships with a discount. For the show notes, visit the website https://cfmlnews.modernizeordie.io/episodes/modernize-or-die-cfml-news-for-december-28th-2021-episode-129. Music from this podcast used under Royalty Free license from SoundDotCom https://www.soundotcom.com/ and BlueTreeAudio https://bluetreeaudio.com
2021-12-28 Weekly News - Episode 129

Watch the video version on YouTube at https://youtu.be/xQ44rxXK_Z0

Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Daniel Garcia - Senior Software Developer for Ortus Solutions


Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 

A few ways to say thanks back to Ortus Solutions:
  • Like and subscribe to our videos on YouTube. 
  • Subscribe to our Podcast on your Podcast Apps and leave us a review
  • Sign up for a free or paid account on CFCasts, which is releasing new content every week
  • Buy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)


Patreon Support

We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.



News and Events



Log4j Vulnerability Updates

Ortus has updated the Adobe CF engines on ForgeBox for CommandBox users to include the latest security patches from Adobe, on the same day Adobe released them:
2021.0.3+329779
2018.0.13+329786
Please update any CommandBox servers immediately to use these new, secure versions of ACF. #CFML #ColdFusion

Tweet from Brad
Apache announced today that the formatMsgNoLookups JVM arg is no longer considered sufficient to mitigate a vuln ver of Log4j.  https://logging.apache.org/log4j/2.x/security.html Their advice (and Adobe's) is to completely remove the JndiLookup class file from the log4j-core jar or update to 2.16. #CFML
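The mitigation Brad's tweet describes, stripping JndiLookup.class out of the log4j-core jar where an update to a fixed release is not yet possible, as an added Python check that is not code from the show, Ortus, Adobe or Apache. It builds a constructed stand-in jar (not a real log4j build) to demonstrate the check; the class path is the one named in the Apache advisory, and every file name and helper here is this example's own assumption.

```python
import os
import tempfile
import zipfile

# Entry the Apache advisory says to remove from log4j-core when you cannot update.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_path):
    """Return True if the jar (a zip archive) still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path, out_path):
    """Copy jar_path to out_path without JndiLookup.class; return the names kept.

    Writing a new file instead of editing in place keeps the original for rollback.
    """
    kept = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
            kept.append(info.filename)
    return kept


def build_sample_jar(directory):
    """Constructed stand-in for an unpatched log4j-core jar (not a real build)."""
    path = os.path.join(directory, "log4j-core-sample.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Check the sample jar, strip the class, re-check; return (before, after, kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = build_sample_jar(tmp)
        fixed = os.path.join(tmp, "log4j-core-stripped.jar")
        before = jar_has_jndi_lookup(original)
        kept = strip_jndi_lookup(original, fixed)
        after = jar_has_jndi_lookup(fixed)
    return before, after, len(kept)


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Point `jar_has_jndi_lookup` at each log4j-core jar under a CF or Lucee install to confirm whether a vendor update actually removed the class or updated the jar.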


New Blog Posts

Adobe Updates Releases
We are pleased to announce that we have released the updates for the following ColdFusion versions:
  • ColdFusion (2021 release) Update 3
  • ColdFusion (2018 release) Update 13
  • ColdFusion 2021 Performance Monitoring Toolset Update 3
  • ColdFusion 2018 Performance Monitoring Toolset Update 4
  • ColdFusion API Manager updates

https://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/

If you have applied the #ColdFusion updates from Fri, Dec 17, Adobe now says it's ok to copy in the log4j 2.17 jars, and they even offer just what you need. This is NOT the way to mitigate INSTEAD of doing the updates.
https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html

Previous Blog Posts

Adobe’s update on the matter (thanks charlie for pointing this out)
Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/
Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Lucee is not affected
https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331

Charlie’s Blog on the matter
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/

More news links about Log4j
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/



Adobe Workshops

More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx (Brew-en-dohnx)
2 dates announced:

February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
https://cf-workshop.meetus.adobeevents.com/


ICYMI - CBSecurity V2.15.0 released
🚀 Added
Pass custom claims from refreshToken( token, customClaims) method when refreshing tokens
Pass in the current jwt payload in to getJWTCustomClaims( payload )
The auto-refresh token feature now refreshes not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete
🐛 Fixed
Timeout in token storage is now the token timeout
https://www.forgebox.io/view/cbsecurity


ICYMI - Spreadsheet-CFML 3.2.3 released with log4j-2.17.0
Seems none of these updates are strictly necessary as POI doesn't use the "core" jar, but putting them out as a precaution. #cfml

https://www.forgebox.io/view/spreadsheet-cfml



CFCasts Content Updates

https://www.cfcasts.com 

Just Released
  • Modernize Or Die Podcast SoapBox Edition with Luis Majano
    • ColdBox Anniversary Edition with Jon Clausen
  • Ortus Single Video Series
    • CSS Animation Using Transform

Coming soon
  • Into the Box LATAM

Send your suggestions at https://cfcasts.com/support




Conferences and Training


VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free
Call for Speakers is open until Dec 31 2021
https://vuejsnation.com/

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/




Blogs, Tweets and Videos of the Week


Tweet - James Moberg - Log4j Detection Library
Apart from updating the Log4j library, I haven't seen any #ColdFusion detection libraries yet. Here's my first attempt at detecting & blocking exploit attempts.
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17 #cfml
https://twitter.com/gamesover/status/1473418402840838144
https://twitter.com/gamesover


Tweet - Brad Wood - Fusion Reactor transaction names for non coldbox apps
For non-ColdBox apps that route multiple pages through a "front controller" like index.cfm, I've published a demo showing how to customize the transaction name @Fusion_Reactor reports for each page using the FRAPI SDK
https://github.com/bdw429s/FRAPI-transaction-name-demo
#CFML #ColdFusion


Blog - Adobe - UPDATE: ColdFusion security updates for Log4j vulnerability
We are pleased to announce that we have released the updates for the following ColdFusion versions:
https://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/


Blog - Fusion Reactor - Log4j CVE-2021-44228 and CVE-2021-45046 Log4 Shell vulnerability Important information for ColdFusion, Lucee, and Java users
The FusionReactor agent does not depend on or utilize Log4j, so is not susceptible to this vulnerability. In order to protect you and your clients, you must ensure that any other framework, library, or component you are using is updated.
https://www.fusion-reactor.com/blog/log4j-vulnerability-important-information-for-coldfusion-lucee-and-java-users/


Podcast - Ben Nadel - Working Code Podcast - Episode 54: We're So Quacked!
At 3:30 AM the day before Thanksgiving, I received an emergency page about a failing API end-point. Rushing to my desk, groggy-eyed and in various states of undress, I jumped into the #incident channel on Slack to see what was happening. What unfolded over the next 30 hours was the manifestation of my worst nightmare. The moment I had been dreading for the last 4 years had finally come to pass: two of my database columns had run out of storage space! Using feature flags, emergency hot-fixes, shadow tables, and a database migration being performed over a transient and unstable terminal session, my team and I somehow made it through to the other side just in time to enjoy Thanksgiving turkey and pumpkin pie!
https://www.bennadel.com/blog/4171-working-code-podcast-episode-54-were-so-quacked.htm



CFML Jobs

Several positions available on https://www.getcfmljobs.com/
Listing over 248 ColdFusion positions from 107 companies across 129 locations in 5 Countries.

3 new jobs listed

Full-Time - Senior Coldfusion Developer |LATAM| at Colon, PA - United States
Posted Dec 19
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Senior-Coldfusion-Developer-LATAM-at-Colon-PA/11400

Full-Time - ColdFusion Developer at United States - United States
Posted Dec 16
https://www.getcfmljobs.com/jobs/index.cfm/united-states/ColdFusion-Developer-at-United-States/11399

Full-Time - Senior Coldfusion Developer at Chennai, Tamil Nadu - India
Posted Dec 16
https://www.getcfmljobs.com/jobs/index.cfm/india/Senior-Coldfusion-Develope-at-Chennai-Tamil-Nadu/11398



ForgeBox Module of the Week

commandbox-cflint

by Jason Steinshouer

This is a CommandBox module for linting your CFML code using CFLint. - CFLint Version: 1.4.1
Coding Standards - https://github.com/Ortus-Solutions/coding-standards

https://www.forgebox.io/view/commandbox-cflint





VS Code Hint Tips and Tricks of the Week

Code Time

Code Time is an open source plugin for automatic programming metrics and time tracking in Visual Studio Code. Join our community of over 200,000 developers who use Code Time to reclaim time for focused, uninterrupted coding. Protect valuable code time and stay in flow.

Automatic Flow Mode detects when you're in flow and automatically silences distractions and prevents interruptions. Learn more about how to enable or disable it.

https://marketplace.visualstudio.com/items?itemName=softwaredotcom.swdc-vscode 


Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keeps getting the continuous development it needs, and to fund the cloud infrastructure that our community relies on, like ForgeBox for package management with CommandBox.

You can support us on Patreon here https://www.patreon.com/ortussolutions

Now offering Annual Memberships, pay for the year and save 10% - great for businesses.
  • Bronze packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk of their Patreon subscription.
  • All Patreon supporters have a Profile badge on the Community Website
  • All Patreon supporters have their own Private Forum access on the Community Website

  • John Wilson - Synaptrix
  • Eric Hoffman
  • Gary Knight
  • Mario Rodrigues
  • Giancarlo Gomez
  • David Belanger
  • Jonathan Perret
  • Jeffry McGee - Sunstar Media
  • Dean Maunder
  • Joseph Lamoree
  • Don Bellamy
  • Jan Jannek
  • Laksma Tirtohadi
  • Carl Von Stetten
  • Dan Card
  • Jeremy Adams
  • Jordan Clark
  • Matthew Clemente
  • Daniel Garcia
  • Scott Steinbeck - Agri Tracking Systems
  • Ben Nadel
  • Mingo Hagen
  • Brett DeLine
  • Kai Koenig
  • Charlie Arehart
  • Jonas Eriksson
  • Jason Daiger
  • Jeff McClain
  • Shawn Oden
  • Matthew Darby
  • Ross Phillips
  • Edgardo Cabezas
  • Patrick Flynn
  • Stephany Monge
  • Kevin Wright
  • Steven Klotz

You can see an up to date list of all sponsors on Ortus Solutions' Website
https://ortussolutions.com/about-us/sponsors



© 2019 Ortus Solutions