Do any of the latest ACF vulnerabilities affect Lucee CFML?

It’s been a bad few weeks for Adobe ColdFusion - several successive patches for security fixes. I haven’t seen any of it being discussed with regard to Lucee; so, I just wanted to see if there was any cause for concern on our side of the ecosystem?

This is in regard to: Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities | Rapid7 Blog

Lucee has rather stricter/more limited support for WDDX, so you can’t reference Java types.

I’m dropping an RC for 5.4.2 later today, as this XXE stuff should be on by default.

2 Likes

Awesome, thank you!