Java deserialization remote code execution vulnerability and Lucee

There has been a lot of discussion in the Java community and press recently about a vulnerability found in the Apache Commons Collections library, which is used by many Java projects. We would like to address any concerns you may have about it with respect to Lucee.

Lucee does ship the Apache Commons Collections library. However, LAS has thoroughly checked the class in question and confirmed that it is not exposed through Lucee at all, either in code written by the Lucee team or, to the best of our knowledge, in code from the external libraries Lucee includes. Shipping the library alone does not make an application exploitable: the vulnerability is triggered only when an application deserializes attacker-controlled data (a call to ObjectInputStream.readObject() on untrusted bytes) while the vulnerable classes are on the classpath, and that is the code path LAS has confirmed Lucee does not expose. If your own application code or a third-party extension deserializes Java objects from an untrusted source, that code path remains your responsibility regardless of Lucee's status.
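
To make the distinction concrete, here is an added example (not Lucee code, and not from the original post) showing the vulnerable pattern beside a hardened one. `Session`, the allow-list and the sample payloads are constructed for illustration; the hardened reader overrides `resolveClass()`, which Java calls for every class descriptor in the stream before any object of that class is constructed, so a gadget class such as `org.apache.commons.collections.functors.InvokerTransformer` is refused before its code can run. No real gadget chain is built here; a plain `HashMap` stands in for an unexpected class.

```java
import java.io.*;
import java.util.*;

/**
 * Added example, not part of Lucee: why having commons-collections on the
 * classpath is not the same as being exploitable, and how to harden the one
 * code path that is. The gadget chain needs two things: the gadget classes on
 * the classpath AND a call to ObjectInputStream.readObject() on bytes an
 * attacker controls. Never deserializing untrusted bytes is the real fix; a
 * look-ahead reader with a class allow-list is the next best thing.
 */
public class SafeDeserialization {

    /** Constructed application type: the only class we are willing to accept. */
    public static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        Session(String user) { this.user = user; }
    }

    /** Vulnerable pattern: trusts whatever class names the stream contains. */
    public static Object readUnsafe(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Any Serializable class on the classpath may be instantiated here.
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: resolveClass() runs for each class descriptor before an
     * instance is created, so a class outside the allow-list is rejected before
     * its readObject()/gadget logic ever executes.
     */
    public static Object readAllowListed(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(),
                            "class not on the deserialization allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Collections.singletonList(Session.class.getName()));

        // Expected input: both readers accept it.
        byte[] good = serialize(new Session("alice"));
        System.out.println("unsafe reader:     " + ((Session) readUnsafe(good)).user);
        System.out.println("allow-list reader: " + ((Session) readAllowListed(good, allowed)).user);

        // Constructed stand-in for a hostile payload: a class the application never
        // expects. A real gadget chain would be refused the same way, because its
        // class names are not on the allow-list.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafe reader:     " + readUnsafe(unexpected).getClass().getName());
        try {
            readAllowListed(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("allow-list reader rejected: " + e.classname);
        }
    }
}
```

The `resolveClass()` override works on any Java version. On Java 9 and later (and Java 8u121 and later) the same allow-list can be expressed with the built-in `ObjectInputFilter` from JEP 290, e.g. `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("SafeDeserialization$Session;!*"))`. Independently of the application-side fix, Apache Commons Collections 3.2.2 and 4.1 disable deserialization of the functor classes used by the gadget chain by default, so upgrading the library in containers or applications you control removes the known gadgets even where untrusted deserialization cannot be avoided.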

Several servlet containers are affected, however: JBoss, WebSphere, and WebLogic. If you run Lucee on any of these, consult the vendor's website for the remedial action to take, since the vulnerable code path there is in the container itself and a fix has to come from the container vendor.

Full details on the vulnerability can be found in the original blog post: