NicoTexas
Explorer
Activity
Jan 04, 2024 06:59 AM
Thank you Charlie! You are right, it does not matter that much in the Docker/container world, but I suspect someone would like to use memory settings other than -Xms and -Xmx; I will log a bug and report back here. As for the immutability of a container, I could not find a way to get pre-installed modules; having those installed at first start is less than ideal. I had a look at your compose collection and it is really helpful. I need to dig into the cfsetup CLI tool, as I used to have a CFM script from CF 2018 and it feels clunky at best. As for garbage collection, well, it all depends on the memory usage. By default CF is using the parallel GC and I guess for most people it will be OK, but for a large application with a significant number of users, having memory go over 4GB would not be surprising. It also depends whether you are looking for response time over throughput. I actually also want to experiment with the Z collector, but in the end all JVM tuning is black magic and really depends on your application and what it does. See the Java 17 documentation: https://docs.oracle.com/en/java/javase/17/gctuning/available-collectors.html#GUID-414C9D95-297E-4EE3-B0D9-36F158A83393
Jan 03, 2024 09:28 PM
Hey, I am trying to set up CF 2023 / Java 17 to run properly on Kubernetes. While setting up jvm.config with -XX:MaxRAMPercentage=70 -XX:InitialRAMPercentage=70 rather than something like -Xms1024m -Xmx1024m, as it is much easier to manage with regard to the pods' memory requests, the service is starting just fine but the "Java and JVM" admin console is broken with the error: Element JDKPATH is undefined in FORM. The specific sequence of files included or processed is: /opt/coldfusion/cfusion/wwwroot/CFIDE/administrator/settings/jvm.cfm, line: 227. My guess is that the console is trying to read the -Xms and -Xmx values in a non-safe way and should fail gracefully, or even better deal with -XX:MaxRAMPercentage and -XX:InitialRAMPercentage (and others). Also, I would love to know if anybody has more experience running CF 2023 on Kubernetes and some best practices for it. I am really interested in garbage collection settings, for example.
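A way to sanity-check the heap settings the two posts above discuss before they reach a pod. This is an added example, not code from the thread, from Adobe or from ColdFusion. It assumes the argument string is the java.args line of jvm.config (the file the post edits), that the limit passed in is the pod's memory limit in bytes, and that the limit is well above HotSpot's small-memory threshold, so MaxRAMPercentage rather than MinRAMPercentage governs the heap. The 512 MiB headroom floor is an assumed starting point, not a JVM rule.

```python
"""Work out the heap a ColdFusion JVM will get from its jvm.config arguments inside
a pod with a memory limit, and flag combinations that defeat percentage sizing.

Added example, not code from the thread or from Adobe ColdFusion. Assumptions:
`java_args` is the java.args line of jvm.config, `container_limit` is the pod's
memory limit in bytes, and that limit is large enough that HotSpot sizes the heap
from MaxRAMPercentage rather than its small-memory MinRAMPercentage rule.
"""
import re
from typing import Optional

SIZE_RE = re.compile(r"^-Xm([sx])(\d+)([kKmMgG]?)$")
PCT_RE = re.compile(r"^-XX:(Max|Initial)RAMPercentage=(\d+(?:\.\d+)?)$")
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
# Assumed floor for what the JVM needs outside the heap (metaspace, thread stacks,
# code cache, native buffers). Not a JVM rule; measure your own instance and adjust.
MIN_HEADROOM = 512 << 20


def parse_heap_flags(java_args: str) -> dict:
    """Extract -Xms/-Xmx (as bytes) and the RAMPercentage flags (as floats)."""
    flags = {}
    for tok in java_args.split():
        m = SIZE_RE.match(tok)
        if m:
            key = "Xmx" if m.group(1) == "x" else "Xms"
            flags[key] = int(m.group(2)) * UNITS[m.group(3).lower()]
            continue
        m = PCT_RE.match(tok)
        if m:
            flags[m.group(1) + "RAMPercentage"] = float(m.group(2))
    return flags


def plan_heap(java_args: str, container_limit: Optional[int]) -> dict:
    """Return the effective max/initial heap, the non-heap headroom and any warnings."""
    flags = parse_heap_flags(java_args)
    warnings = []

    # HotSpot gives an explicit -Xmx precedence over -XX:MaxRAMPercentage.
    if "Xmx" in flags:
        max_heap, source = flags["Xmx"], "-Xmx"
        if "MaxRAMPercentage" in flags:
            warnings.append("-Xmx is set, so -XX:MaxRAMPercentage is ignored")
    else:
        pct = flags.get("MaxRAMPercentage", 25.0)  # HotSpot default is 25%
        source = "MaxRAMPercentage" if "MaxRAMPercentage" in flags else "default 25%"
        if container_limit is None:
            max_heap = None
            warnings.append("no container limit seen: heap will be a percentage of host RAM, not of the pod")
        else:
            max_heap = int(container_limit * pct / 100)
        # Caveat reported in the thread for CF 2023: without -Xms/-Xmx the admin
        # console's "Java and JVM" page errors (Element JDKPATH is undefined in FORM).
        warnings.append("no -Xmx: thread reports the CF 2023 admin 'Java and JVM' page breaks without -Xms/-Xmx")

    if "Xms" in flags:
        initial = flags["Xms"]
    elif container_limit is not None and "InitialRAMPercentage" in flags:
        initial = int(container_limit * flags["InitialRAMPercentage"] / 100)
    else:
        initial = None

    headroom = None
    if max_heap is not None and container_limit is not None:
        headroom = container_limit - max_heap
        if headroom < 0:
            warnings.append("heap alone exceeds the pod limit; the container will be OOM-killed")
        elif headroom < MIN_HEADROOM:
            warnings.append(f"only {headroom >> 20} MiB headroom below the assumed {MIN_HEADROOM >> 20} MiB floor")
    if initial is not None and max_heap is not None and initial > max_heap:
        warnings.append("initial heap is larger than max heap; check the flags")

    return {"max_heap": max_heap, "initial_heap": initial, "headroom": headroom,
            "source": source, "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: the post's flags against a 4 GiB pod limit, then a mixed set.
    for args in ("-server -XX:MaxRAMPercentage=70 -XX:InitialRAMPercentage=70",
                 "-server -Xms1024m -Xmx1024m -XX:MaxRAMPercentage=70"):
        r = plan_heap(args, 4 << 30)
        print(args)
        print(f"  max heap {r['max_heap'] >> 20} MiB from {r['source']}, headroom {r['headroom'] >> 20} MiB")
        for w in r["warnings"]:
            print("  warning:", w)
```

With the post's flags and a 4 GiB limit the JVM gets roughly a 2.8 GiB heap and 1.2 GiB for everything else; with -Xms1024m -Xmx1024m added alongside the percentage, the percentage is silently ignored, so a jvm.config that carries both is worth catching before it is baked into an image.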
Dec 29, 2021 10:34 AM
And now there is a new version of Log4j, 2.17.1 (https://logging.apache.org/log4j/2.x/security.html), to deal with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832, which is of moderate severity. But as mentioned before, Log4j is under scrutiny and our infosec team is asking for a relatively quick response even for such a moderate risk. Also, how do you get all the hotfix patches for 2018 update 13?
Dec 17, 2021 07:06 AM
According to my infosec team, the new CVE on 2.15.0 is not as bad as the one it fixed and is not a 0-day. https://nvd.nist.gov/vuln/detail/CVE-2021-45046 Its severity base score is 3.7, whereas https://nvd.nist.gov/vuln/detail/CVE-2021-44228 was scored 10 out of 10. Disclaimer: everyone is different and it all depends on your configuration, setup, and usage of ColdFusion.
Dec 13, 2021 01:40 PM
1 Upvote
That's a good point. Why are both versions in the classpath? This is not great and hard to justify. I would love to understand what is actually used by the default loggers. Also, why does it take so long to understand the possible impact?
Dec 13, 2021 11:30 AM
I think you also forgot to mention that you are actually logging the nefarious script. That said, it is really common to log a user login attempt, so most likely your login page is going to be the first and easiest piece to attack. My take is that, even if this takes a few things to make you vulnerable, Adobe should provide a patched CF update ASAP. My expectation is that it should have been worked out over the weekend and be available already. Apache did a great job providing a fix for the library in record time. It's not as if there is no easy path to patch. You can't just hope your clients are monitoring/restricting all the inbound/outbound traffic. They owe their user base a secured solution, especially for this kind of vulnerability, which is rather easy to exploit, all considered.
Dec 13, 2021 11:19 AM
3 Upvotes
You can do as described earlier and replace 2.9.0 with 2.15.0. I tested locally on an update 10, and logs seem to work as expected. Of course, I cannot guarantee this is not going to affect your particular instance. You will need to test in your own test environments before deploying this fix to production.
Dec 13, 2021 09:49 AM
3 Upvotes
You will have to stop the ColdFusion service. In the coldfusion/cfusion/lib folder, remove the files:
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-to-slf4j-2.13.3.jar
and replace them with the 2.15.0 versions, then restart ColdFusion. No need for a config update if you do that.
Dec 13, 2021 09:07 AM
I don't think you need to update slf4j here, but I guess it won't hurt unless you are upgrading to a new major version 🙂 But good to know it was working for you too. We did not see any difference in our logs or alerts/dashboards based on logs.
Dec 13, 2021 07:38 AM
5 Upvotes
We went ahead and manually patched our CF servers with log4j 2.15.0 on Friday morning by just replacing the 2.13.3 libraries in the cfusion lib directory. Just to clarify the extent of the vulnerability: it is in all log4j versions since 2.0. So, an easy way to verify whether you are affected is to check whether you have a log4j-core 2.x jar file in your classpath. We have seen through our monitoring some attempts to exploit this bug, and our countermeasures were effective, but I am glad we patched it anyway. I am shocked there is not already a patch available from Adobe. This is really something they should have released already...
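An inventory check matching the advice in the post above (look for a log4j-core 2.x jar in the classpath) and the later note about 2.17.1 and CVE-2021-44832. This is an added example, not code from the thread, from Adobe or from the Log4j project. It assumes the jars keep their upstream file names (log4j-core-<major>.<minor>.<patch>.jar), that only the three advisories raised in the thread are of interest, and that the directory it builds from constructed placeholder jars stands in for cfusion/lib; the JndiLookup class path is the one the widely used class-removal workaround deletes.

```python
"""Audit a ColdFusion lib directory for Log4j 2.x core jars and report which of the
advisories discussed in the thread each version still has open.

Added example, not part of the original thread, of ColdFusion or of Log4j. Assumptions:
jars keep their upstream names (log4j-core-<major>.<minor>.<patch>.jar) and the lookup
class path below is the one the class-removal workaround deletes.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed-in versions for the three advisories the thread mentions (2.x line only;
# the 2.12.x and 2.3.x backport branches are out of scope for this check).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-44832": (2, 17, 1),
}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(filename: str):
    """Return (major, minor, patch) for a log4j-core jar name, or None if it is not one."""
    m = NAME_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar: Path) -> bool:
    """True if the jar still ships JndiLookup.class. Presence alone is not a finding on a
    fixed version; absence shows the class-removal workaround was applied."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()


def audit(lib_dir) -> list:
    """Walk lib_dir and return one finding per log4j-core 2.x jar, sorted by path."""
    findings = []
    for jar in sorted(Path(lib_dir).rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        if version is None or version[0] != 2:
            continue
        findings.append({
            "jar": str(jar),
            "version": ".".join(map(str, version)),
            "open_cves": sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed),
            "jndi_lookup_class": has_jndi_lookup(jar),
        })
    return findings


def build_sample_lib() -> Path:
    """Constructed stand-in for cfusion/lib: an unpatched 2.13.3 jar (lookup class
    present), a 2.15.0 jar with the class deleted, and a 2.17.1 jar. Not real artifacts."""
    lib = Path(tempfile.mkdtemp(prefix="cfusion-lib-"))
    for version, with_class in (("2.13.3", True), ("2.15.0", False), ("2.17.1", True)):
        with zipfile.ZipFile(lib / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_class:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    # The api and slf4j bridge jars from the thread are not log4j-core, so the audit skips them.
    (lib / "log4j-api-2.13.3.jar").write_bytes(b"")
    (lib / "log4j-to-slf4j-2.13.3.jar").write_bytes(b"")
    return lib


def demo() -> list:
    """Audit the constructed sample directory and return the findings."""
    return audit(build_sample_lib())


if __name__ == "__main__":
    for f in demo():
        status = "OPEN: " + ", ".join(f["open_cves"]) if f["open_cves"] else "fixed for the listed CVEs"
        cls = "present" if f["jndi_lookup_class"] else "removed"
        print(f"{f['jar']}  {f['version']}  {status}  JndiLookup.class={cls}")
```

Point audit() at the real cfusion/lib (and any other classpath directories) to get the same report for an instance; a 2.13.3 result lists all three CVEs as open, a 2.15.0 result still lists the two later ones, which is why the thread moved on from 2.15.0 to 2.17.1.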
Oct 18, 2021 03:00 PM
Oh, wow, this is really helpful, and I wish it were indeed properly documented! I think it's OK for the latest tag to exist, as it's good for prototyping and quick tests, but it should definitely not be the only option! Thank you Charlie
Oct 18, 2021 02:21 PM
Note that the latest tag is an anti-pattern in Docker. It breaks the immutability contract of Docker. If you build an image from the tag 'latest-2021' you can end up with 2 different versions depending on when the build happens, without knowing it. It sounds good and all for development, but this is a rather bold move if you want to use that image in production. Can you please provide images for each update? Like 2018-update11, 2018-update12, 2021-update1, 2021-update2.