[Looking for Charlie's main web site?]

Come learn about getting started with CF Docker images at CF Summit 2019

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Docker imageI'm terribly behind in announcing it, but I'm thrilled that I've been selected to speak again at Adobe CF Summit 2019, to be held in Vegas Oct 1 and 2 (with the pre-con on Sep 30). Both topics are on using Adobe's ColdFusion Docker images, and are designed for people who have not yet gotten into Docker at all, or for those familiar with Docker but not the Adobe CF images.

After sharing the talk titles and descriptions, first for the hour-long session and then for the day-long pre-conference session, I'll share a couple more thoughts, especially for those considering going to the conference, which I highly recommend.

[....Continue Reading....]

Updates released today for CF2018, CF2016, and CF11

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
While word has been shared elsewhere about this today already, I wanted to share here also that there were updates released today for CF2018, CF2016, and CF11.

And I share a bit more here, for my readers.

[....Continue Reading....]

CF updates temporarily missing. Get them here

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you've tried to get the update files for cf 2018, 2016, 11, or 10 in recent days, whether from the CF Admin "updates" page or the update technote pages, you've found the update jar files are missing and unavailable, due to a temporary problem. Here's how to get them in the meantime.

[....Continue Reading....]

CF security update (March 1 2019), part 2: further details, prevention, and more

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is my part 2 post which follows onto the Part 1, released the night of March 1, when the new CF updates were released as an emergency update. If you've not yet read that, do that first, to get some basic info and needed context for what follows.

And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

  • More detail about the vulnerability and what was "fixed"
  • Wouldn't an antivirus package on the server detect this sort of trojan?
  • How to add further protection from it (especially if you may be unable to implement the update for some reason)
  • Considering running a security scan of your CFML code
  • Consider implementing a web application firewall
  • How to prevent execution of the files used in the attack, if they may already be on your server
  • Another benefit of applying the latest updates
  • What about Lucee?

[....Continue Reading....]

Urgent CF security update released March 1 2019, for CF11/2016/2018, Part 1

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is an urgent announcement to ColdFusion users: Adobe has released a security update today, March 1 2019, for CF 11 update 18, CF2016 update 10, and 2018 update 3.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)

[....Continue Reading....]

"Hidden Gems in ColdFusion 2018", a multi-part series on the Adobe Portal

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Over the past few weeks I have been begun posting a multi-part series of blog entries on Hidden Gems in CF2018. This is being posted on the Adobe CF portal, rather than here (by my choice).

It's basically presenting the same info I've been offering in my talk of the same name, such as at conferences like CF Summit and CFCamp last year, and that I will at the CF Summit East 2019 in DC in April. Of course, in blog form I can elaborate things a little more.

So far I have done the following parts:

[....Continue Reading....]

Top 10 CArehart.org blog posts of 2018

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Yep, I'm a bit late on this. :-) Here are what I might propose to be the top 10 posts of mine from 2018 (by my own choice, and in reverse chronological order):

[....Continue Reading....]

I'll be speaking at Adobe CF Summit East in DC, Apr 9-10

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I should have posted this a few weeks ago, but I'm delighted to announce that I'll be presenting again this year at Adobe's ColdFusion Summit East in Washington, DC on Apr 9-10, 2019.

As in recent years, this event (presented by Adobe in conjunction with Carahsoft) presents something of a "best of" from talks given at the CF Summit in Vegas this past October. April's a great time to visit DC (where I was born and raised, and lived my first 40 years).

And I'll be offering my Hidden Gems in CF2018 talk I have there (and at CFCamp also in Nov), with some improvements since then of course.

See you there, I hope!

Considering use of Amazon Corretto, the new openjdk jvm, especially with ColdFusion

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
As I posted earlier today, there are big changes afoot in the Java world, about production (not just "commercial") use of Java going forward. This is big news, as it is for anyone using Java 8 or 11 for production purposes.

But here's some good news: Amazon has recently released a new free JVM (java virtual machine) implementation based on the OpenJDK specification, called Corretto. In this post, I want to share some news about it. (Off the bat, let me tell my friends on any Linux flavor other than Amazon Linux 2, this is not yet available to you. For now it is only available for Amazon Linux 2 as well as Windows, MacOS, and as a docker image. Other Linux flavors are due in Q1 2019.)

For much more, read on.

Update in Jan 2019: This is no longer an option for CF folks to consider, as Adobe announced both that they have licensed Oracle Java for production use by those using CF, and they clarified that they will NOT be adding support for any OpenJDK implementations. I will leave this post and the rest, for non-CF users and for posterity.

[....Continue Reading....]

What's an admin to do: Oracle's changed stance on production use of Java, going forward?

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Did you know that Oracle announced in 2018 major changes regarding free production use of Java 8 and 11?
  • Regarding Java 8, did you know that Oracle will no longer offer free updates/security patches for Java 8, if used for production (NOT just "commercial") purposes beyond Jan 2019? After that, you must pay them for support/updates (including security updates). For more on why this is NOT just about "commercial" use, see below.)
  • Regarding Java 11, the next major release, did you know that the Oracle Java 11 JVM cannot be USED at ALL for PRODUCTION purposes, without paying for it?
  • Finally, while Oracle will be offering a free openJDK implementation (which CAN be used for production, for free), did you know they will only be committing to supporting/updating their Oracle Java 11 openjdk for 6 months after release, leaving subsequent updates to the community of contributors?

For more, including why this may have significant impact on your use of Java-based applications, as well as alternatives that may exist for you going forward, read on.

[....Continue Reading....]

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting