Modernize or Die® - CFML News for January 11th, 2022 - Episode 130

2022-01-11 Weekly News - Episode 130Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ Hosts: Gavin Pickin - Senior Software Developer for Ortus SolutionsEric Peterson  - Senior Software Developer for Ortus SolutionsThanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways  to say thanks back to Ortus Solutions:Like and subscribe to our videos on YouTube. Subscribe to our Podcast on your Podcast Apps and leave us a reviewSign up for a free or paid account on CFCasts, which is releasing new content every weekBuy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)Patreon SupportWe have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.News and EventsUpcoming Ortus Webinar - cbwire + Alpine.js with Grant CopleyJanuary 28, 2022 - 11:00 AM CT - Central Time (US and Canada)In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.Register today: https://www.ortussolutions.com/events/webinars Log4j UpdatesLog4j-2.17.1 patch released. CommandBox images updates with the latest log4j patched jarsAdobe updated have an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html Other libraries like Spreadsheet-CFML have updated as well.Note: ​Log4j2 Support in lucee 5.3 is coming along for 5.3.9‘Elephant Beetle’ Lurks for Months in NetworksThe group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.https://threatpost.com/elephant-beetle-months-networks-financial/177393/?fbclid=IwAR0ytUYx0IOxiNXIUE1jHvqDV0ltP_hBf7XCdEyLEYHfSaKadwf01xPkHLI Adobe WorkshopsMore Adobe #ColdFusion Workshops announced, lead by Damien Bruyndonckx2 dates announced:February 2, 20229.00 AM - 4.30 PM CET1.30 PM - 9.00 PM ISTMarch 09, 20229.00 AM - 4.30 PM CET1.30 PM - 9.00 PM ISThttps://cf-workshop.meetus.adobeevents.com/ AngularJS EOL’ed 12/31/2021As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.https://www.thisdot.co/blog/why-you-should-consider-migrating-from-angularjs-to-vue CFCasts Content Updateshttps://www.cfcasts.com Just ReleasedInto the Box 2021 are now all FREE - https://cfcasts.com/series/into-the-box-2021Coming soonInto the Box LATAMSend your suggestions at https://cfcasts.com/supportConferences and TrainingVueJS Nation ConferenceOnline Live EventJanuary 26th & 27th 2022Register for Freehttps://vuejsnation.com/ More conferencesNeed more conferences, this site has a huge list of conferences for almost any language/community.https://confs.tech/Blogs, Tweets and Videos of the WeekTweet - Adam Cameron - TIL something new about CFOUTPUTI cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `<cfoutput encodefor="html">` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.https://cfdocs.org/cfoutputhttps://twitter.com/adam_cameron/status/1480624980668915716https://twitter.com/adam_cameronTweet - James Moberg - Microsoft taking log4j stuff seriously.While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfmlhttps://twitter.com/gamesover/status/1476347523245694984https://twitter.com/gamesoverBlog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFMLHere are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace.)https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17 Tweet - Zac Spitzer - Show some love for the VS Code CFML ExtensionAwesome to see some activity on the vscode-cfml extension, a new minor release coming soon. If you use it, please show some love and star the repo https://github.com/KamasamaK/vscode-cfml #lucee #coldfusion #cfmlhttps://twitter.com/zackster/status/1476206001384828929https://twitter.com/zacksterBlog - Ben Nadel - Building An API Client With The fet...