Feb 2024 Published Lucee Vulnerabilities

With the recently published Lucee vulnerabilities (HoyaHaxa: A Security Research Blog: Thinking Defensively about Three Recent Lucee Vulnerabilities), I see that the RCE issue with isDefined(), structGet() and empty() can be prevented using the new lucee.security.limitEvaluation environment property, but it requires Lucee 5.4.5.8 or higher, which are currently only available as Snapshots. Any idea when a production release of 5.4.5.x will be made?

2 Likes

Even if you’re not patched - you can avoid being vulnerable/exploitable by not passing user-controlled input to those functions, and by configuring the client management/client storage settings as described. That was the gist of what I was trying to get across in the post.

What worries me is not our code, but for instance - things like Masa / Mura and what might happen somewhere buried in the code.

1 Like

Good point. However - it may also be worth noting that (I believe) Masa / Mura are intentionally evaluating the variable in this instance (params.method), and turning on Lucee’s “limit evaluation” settings may break that. The Masa (and I’m assuming, Mura) fix was to check to ensure that the value of params.method was in the format of a valid variable name.
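
The mitigations described in the two replies above (don't pass user-controlled input straight into isDefined()/structGet()/empty(), and, where the code really does need to take a variable name from the request, allow-list it to the shape of a plain dotted variable name first) can be expressed as a small guard. The following is an added example written for this thread; it is not Masa/Mura's actual patch and not Lucee's own code. The function name, the regular expression and the sample inputs are my assumptions, and the check deliberately allows only dotted identifier segments (no brackets, quotes, parentheses or #...# hashes that Lucee would otherwise evaluate):

```cfml
<cfscript>
// Added example, not Lucee or Masa/Mura code.
// Allow-list check to run on a request value before it reaches
// isDefined(), structGet() or empty(). Assumption: the caller only
// ever needs plain dotted names such as "form.method".
function isSafeVariableName( required string candidate ) {
    // one or more identifier segments separated by dots, nothing else:
    // no brackets, quotes, parentheses or #...# that could be evaluated
    return reFind( "^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$", arguments.candidate ) > 0;
}

// Constructed sample inputs standing in for a request-supplied params.method
samples = [ "form.method", "url.action", "foo()", "a#b#", "x[1]", "a.b.c" ];

for ( s in samples ) {
    if ( isSafeVariableName( s ) ) {
        // still user input, but now limited to a dotted variable name,
        // so isDefined() only looks a name up instead of evaluating code
        writeOutput( "ok    : #s# -> isDefined() = #isDefined( s )#<br>" );
    } else {
        // reject rather than forward to one of the evaluating functions
        writeOutput( "reject: #s#<br>" );
    }
}
</cfscript>
```

Of the constructed samples, only "form.method", "url.action" and "a.b.c" pass the check; "foo()", "a#b#" and "x[1]" are rejected before isDefined() sees them. The guard is independent of lucee.security.limitEvaluation, so it also covers installs that cannot yet move to a build that has that setting.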

Does 5.4.5.15-RC contain the patch? I upgraded to 5.4.5.15-RC, however I am not seeing the “Limit variable evaluation in functions/tags” option in the Lucee Admin under Security.

Maybe because it has only been implemented to Lucee 6 and still needs to be backported to the other versions?

Makes sense. The initial post in this thread suggested that Lucee 5.4.5.8 and above were not vulnerable to this threat. I was hoping 5.4.5.15-RC would work in the interim.