Log4j & lucee-

I received a message from our diligent IT dept.:
"According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities."

Path : C:\lucee\lib\lucee-

There is only that one file in the lib folder, but that version number (as it implies to me) is not the version currently running on the server: Current Version ( )

Windows server reports that C:\lucee\lib\lucee- in use (although “open files” does not show that).

I work with the /lucee/admin/server.cfm interface, and not system files. I installed initially about 6 years ago whichever version that was, and have updated about yearly since through the interface. How would this security issue be resolved? Thanks.

1 Like

Upgrade to the latest version of Lucee.
The Log4j issue was patched within a day or less as soon as the vulnerability came out.

Thanks. I did just upgrade to the full release Do you mean to use a 5.4 snapshot?

BTW. The lucee- file persisted through the upgrade and is still dated 12/16/2020

There are two things

  1. The Jar
  2. The Service engine that runs the jar

Restart the service engine, IE tomcat, or whatever (usually its tomcat)


Thanks. So I stopped and started the Tomcat service. Of course, Lucee won’t run without it (as configured) and so I can’t use the interface to run a Lucee update again. If I remove the jar file, again Lucee won’t run of course. I don’t see an option here. To fix the security problem listed, do I need to re-install? Haven’t needed to do that in years… unless Lucee never was updating anyway.

Lucee updates only fix the JAR / Lucee servlet itself.
The engine, if it is the problem, then you would need to update that, ie tomcat.

re-installation is best as atleast you will have a newer version of tomcat, and with it all the security fixes that come with an updated version of tomcat.

Otherwise, you can just restart tomcat , which under windows OS,
in the box, type in services.msc
In the services menu, you should have something like “Lucee Tomcat …”
Click on it, and click start

1 Like

@dlrider Lucee comes in two pieces

  • the loader
  • the core

When you update Lucee from the admin, you are updating the loader, which is loaded at runtime via OSGI and allows in-place updating.

But in your case, the scan is complaining about this file, which is the loader.

So you have two choices:

  • re-install Lucee from scratch with the latest installer
  • update the lucee loader jar in-place

I’d start with option 2 as Lucee is pretty darn good about in-place upgrades of the loader jar. Just make a backup of your server first. Just download the latest Lucee jar from here:

And then stop Lucee, swap out C:\lucee\lib\lucee- with the new one. Make sure you actually remove the old jar and there’s no need to rename the new jar. Just put it in the lib folder and start Lucee back up. This process will update both the loader and the core (which is bundled inside the loader) and should get you completely free of Log4j version 1.


Thanks. Yes, found this page again https://docs.lucee.org/guides/updating-lucee/update.html Even though it says for an existing installation

Simply click the “execute update” button to patch your current version

That doesn’t work. So I downloaded the recent lucee jar, stopped the service, placed it there (i.e., in lucee/lib, not anything under the tomcat directory), removed the old and restarted the service. Voila. Success.

1 Like

Thanks. So,

So you have two choices:

  • re-install Lucee from scratch with the latest installer
  • update the lucee loader jar in-place

The 2nd option is what I should do each time for any update?

how do I mark two responses as solution?

You can’t. Just pick one :slight_smile:

Only if you need to update the Lucee core jar, which is not very often at all. For small, normal updates, updating the core (via the web admin) is fine. It’s not very often an actual class file in the loader needs replaced. It’s like the bootstrap.


Thank you bdw429s and Terry_Whitney :smiley: