Modernize or Die® - CFML News for December 28th, 2021 - Episode 129

2021-12-28 Weekly News - Episode 129Watch the video version on YouTube at https://youtu.be/xQ44rxXK_Z0 Hosts: Gavin Pickin - Senior Software Developer for Ortus SolutionsDaniel Garcia  - Senior Software Developer for Ortus SolutionsThanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways  to say thanks back to Ortus Solutions:Like and subscribe to our videos on YouTube. Subscribe to our Podcast on your Podcast Apps and leave us a reviewSign up for a free or paid account on CFCasts, which is releasing new content every weekBuy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)Patreon SupportWe have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions. News and EventsLog4j Vulnerability UpdatesOrtus has updated the Adobe CF engines on ForgeBox for CommandBox users to include the latest security patches released from Adobe the same day Adobe released them.2021.0.3+3297792018.0.13+329786Please update any CommandBox servers immediately to use these new, secure versions of ACF. #CFML #ColdFusionTweet from BradApache announced today that the formatMsgNoLookups JVM arg is no longer considered sufficient to mitigate a vuln ver of Log4j.  https://logging.apache.org/log4j/2.x/security.html Their advice (and Adobe's) is to completely remove the JndiLookup class file from the log4j-core jar or update to 2.16. #CFMLNew Blog PostsAdobe Updates ReleasesWe are pleased to announce that we have released the updates for the following ColdFusion versions:ColdFusion (2021 release) Update 3ColdFusion (2018 release) Update 13ColdFusion 2021 Performance Monitoring Toolset Update 3ColdFusion 2018 Performance Monitoring Toolset Update 4ColdFusion API Manager updateshttps://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/ If you have applied the #ColdFusion updates from Fri, Dec 17, Adobe now says it's ok to copy in the log4j 2.17 jars, and they even offer just what you need. This is NOT the way to mitigate INSTEAD of doing the updates.https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.htmlPrevious Blog PostsAdobe’s update on the matter (thanks charlie for pointing this out)Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/ Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html Lucee is not affected https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331 Charlie’s Blog on the matter https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/ More news links about Log4j https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/Adobe WorkshopsMore Adobe #ColdFusion Workshops announced, lead by Damien Bruyndonckx (Brew-en-dohnx)2 dates announced:February 2, 20229.00 AM - 4.30 PM CET1.30 PM - 9.00 PM ISTMarch 09, 20229.00 AM - 4.30 PM CET1.30 PM - 9.00 PM ISThttps://cf-workshop.meetus.adobeevents.com/ ICYMI - CBSecurity V2.15.0 released🚀 AddedPass custom claims from refreshToken( token, customClaims) method when refreshing tokensPass in the current jwt payload in to getJWTCustomClaims( payload )The auto refresh token features now will auto refresh not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete🐛 FixedTimeout in token storage is now the token timeouthttps://www.forgebox.io/view/cbsecurity ICYMI - Spreadsheet-CFML 3.2.3 released with log4j-2.17.0Spreadsheet-CFML 3.2.3 released with log4j-2.17.0 Seems none of these updates are strictly necessary as POI doesn't use the "core" jar, but putting them out as a precaution. #cfmlhttps://www.forgebox.io/view/spreadsheet-cfmlCFCasts Content Updateshttps://www.cfcasts.com Just ReleasedModernize Or Die Podcast SoapBox Edition with Luis MajanoColdBox Anniversary Edition with Jon ClausenOrtus Single Video SeriesCSS Animation Using TransformComing soonInto the Box LATAMSend your suggestions at https://cfcasts.com/supportConferences and TrainingVueJS Nation ConferenceOnline Live EventJanuary 26th & 27th 2022Register for FreeCall for Speakers is open until Dec 31 2021https://vuejsnation.com/ More conferencesNeed more conferences, this site has a huge list of conferences for almost any language/community.https://confs.tech/Blogs, Tweets and Videos of the WeekTweet - James Moberg -Log4j Detection Library Apart from updating the Log4j library, I haven't seen any #ColdFusion detection libraries yet. Here's my first attempt at detecting & blocking exploit attempts.https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17 #cfmlhttps://twitter.com/gamesover/status/1473418402840838144https://twitter.com/gamesoverTweet - Brad Wood - Fusion Reactor transaction names for non coldbox appsFor non-ColdBox apps that route multiple pages through a "front controller" like index.cfm, I've published a demo showing how to customize the transaction name @Fusion_Reactor reports for each page using the FRAPI SDKhttps://github.com/bdw429s/FRAPI-transaction-name-demo #CFML #ColdFusionBlog - Adobe - UPDATE: ColdFusion security updates for Log4j vulnerabilityWe are pleased to announce that we have rel...