2024-12-31 Weekly News — Episode 226

Watch the video version on YouTube at https://youtube.com/live/BUIfVQV0bhs?feature=share

Hosts:

• Gavin Pickin - Senior Developer at Ortus Solutions
• Daniel Garcia - Senior Developer at Ortus Solutions

Big Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there including BoxLang.
A few ways to say thanks back to Ortus Solutions:

• Buy Tickets to Into the Box 2025 in Washington DC https://t.co/cFLDUJZEyM
• April 30, 2025 - May 2, 2025 - Washington, DC
• Like and subscribe to our videos on YouTube.
• Help ORTUS reach for the Stars - Star and Fork our Repos
• Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github
• Subscribe to our Podcast on your Podcast Apps and leave us a review
• Sign up for a free or paid account on CFCasts, which is releasing new content regularly
• BOXLife store: https://www.ortussolutions.com/about-us/shop
• Buy Ortus’s Books
• 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)
• Now on Amazon! In hardcover too!!!
• https://www.amazon.com/dp/B0CJHB712M
• Learn Modern ColdFusion (CFML) in 100+ Minutes - Free online https://modern-cfml.ortusbooks.com/ or buy an EBook or Paper copy https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes

Patreon Support (holly)
We have 61 patreons:
https://www.patreon.com/ortussolutions.

News and Announcements

Tomcat Vulnerability
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
https://www.cve.org/CVERecord?id=CVE-2024-56337

How to resolve with Lucee: https://dev.lucee.org/t/cvs-exploit-of-tomcat-9-10-11/14590

End of 2024 - what did it bring it

What is 2025 bringing?

New Releases and Updates

Adobe Security Updates released December 23rd, 2024 - ColdFusion 2023 Update 12 and 2021 Update 18
We have released critical security updates for ColdFusion (2023 release) and ColdFusion (2021 release).
Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read.
View the security bulletin, APSB24-107, and the tech notes for more information.
https://coldfusion.adobe.com/2024/12/released-coldfusion-2023-and-2021-december-23rd-2024-security-updates/

An Initial Analysis of Adobe ColdFusion CVE-2024-53961 - from Hoyahaxa
Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval. Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.
https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html

Blog from Charlie on the updates: https://www.carehart.org/blog/2024/12/23/ColdFusion_updates_released_Dec_23_2024

Webinars, Meetups and Workshops

ICYMI - Sac Interactive Meetup: All I Want for Christmas is AI with Luke Kilpatrick
Wed, Dec 18 · 6:00 PM PST
https://www.meetup.com/sacinteractive/events/303708503/?eventOrigin=home_page_upcoming_events$all

Sac Interactive Meetup: January with Kai Koenig

CFCasts Content Updates

https://www.cfcasts.com

Merry Xmas - All of the Into the Box 2024 videos are now available for paid subscriptions

https://www.cfcasts.com/series/into-the-box-2024

Conferences and Training

ITB 2025

• Location: Washington, DC
• Dates: April 30, 2025 - May 2, 2025 - Washington, DC
• Tickets and more info: https://t.co/cFLDUJZEyM
• 50% off blind tickets
  • $249.50 for the Conference
  • $349.50 for the Conference + Workshop!!!
• Call for Speakers CLOSED

CFCamp 2025
May 22, 23rd - 2025
Atomis Hotel Munich Airport
https://www.cfcamp.org/
Call for Speakers open - https://www.papercall.io/cfcamp2025
Closes February 28, 2025 ( 4am PST )

More conferences
Need more conferences, this site has a huge list of conferences for almost any language/community.
https://confs.tech/

Blogs, Posts, and Videos of the Week

12/29/24 - Blog - Ben Nadel - My Internal InVision Feature Demo Videos
Although InVision is shutting its doors, it's been an amazing journey; and, I've done a lot of work that I'm incredibly proud of. In particular, I feel great about the way in which I embraced experimentation with both arms; and, that I tried throwing as many features against the wall to see which would stick. Some of my experiments ended up being a "nothing burger". But, some of them went on to become highly valuable parts of the application and the user experience (UX). The whole process made me somewhat fearless in the face of opposition; and, taught me to love my failures just as much as my successes.