This will be my sixth year in a row presenting at this wonderful event, and my seventh year total. It will also be my 10th presentation there. Half of those talks have been "sponsor" presentations on behalf of Intergral, the makers of FusionReactor, while the rest were not.
And despite the title, "Comparing Monitoring Solutions for CF and Lucee", my talk this year is not an FR-sponsored talk. See the description below.
Adobe's Director of Engineering for CF, Ashish Garg, recently held a wide-ranging interview with Michaela Light (on the CF Alive podcast) about the CF2020 roadmap. Ashish shared news of some substantial changes planned in the next release regarding modularity in the engine, the size of installers/containers, and their startup time, as well as matters like licensing of containers, logging within them, monitoring of them, and more.
After sharing the talk titles and descriptions, first for the hour-long session and then for the day-long pre-conference session, I'll share a couple more thoughts, especially for those considering going to the conference, which I highly recommend.
And I share a bit more here, for my readers.
And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".
And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.
Following are what I cover here in Part 2:
- More detail about the vulnerability and what was "fixed"
- Wouldn't an antivirus package on the server detect this sort of trojan?
- How to add further protection from it (especially if you may be unable to implement the update for some reason)
- Considering running a security scan of your CFML code
- Consider implementing a web application firewall
- How to prevent execution of the files used in the attack, if they may already be on your server
- Another benefit of applying the latest updates
- What about Lucee?
All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.
I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).
(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)
It's basically presenting the same info I've been offering in my talk of the same name, such as at conferences like CF Summit and CFCamp last year, and that I will at the CF Summit East 2019 in DC in April. Of course, in blog form I can elaborate things a little more.
So far I have done the following parts: