I received a message from our diligent IT dept.:
"According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities."
"’
Path : C:\lucee\lib\lucee-5.3.7.47.jar
There is only that one file in the lib folder, but that version number (as it implies to me) is not the version currently running on the server: Current Version ( 5.3.10.97 )
Windows server reports that C:\lucee\lib\lucee-5.3.7.47.jaris in use (although “open files” does not show that).
I work with the /lucee/admin/server.cfm interface, and not system files. I installed initially about 6 years ago whichever version that was, and have updated about yearly since through the interface. How would this security issue be resolved? Thanks.
David.
Thanks. So I stopped and started the Tomcat service. Of course, Lucee won’t run without it (as configured) and so I can’t use the interface to run a Lucee update again. If I remove the jar file, again Lucee won’t run of course. I don’t see an option here. To fix the security problem listed, do I need to re-install? Haven’t needed to do that in years… unless Lucee never was updating anyway.
Lucee updates only fix the JAR / Lucee servlet itself.
The engine, if it is the problem, then you would need to update that, ie tomcat.
re-installation is best as atleast you will have a newer version of tomcat, and with it all the security fixes that come with an updated version of tomcat.
Otherwise, you can just restart tomcat , which under windows OS,
Start,
Run
in the box, type in services.msc
In the services menu, you should have something like “Lucee Tomcat …”
Click on it, and click start
When you update Lucee from the admin, you are updating the loader, which is loaded at runtime via OSGI and allows in-place updating.
But in your case, the scan is complaining about this file, which is the loader.
So you have two choices:
re-install Lucee from scratch with the latest installer
update the lucee loader jar in-place
I’d start with option 2 as Lucee is pretty darn good about in-place upgrades of the loader jar. Just make a backup of your server first. Just download the latest Lucee jar from here: https://download.lucee.org/
And then stop Lucee, swap out C:\lucee\lib\lucee-5.3.7.47.jar with the new one. Make sure you actually remove the old jar and there’s no need to rename the new jar. Just put it in the lib folder and start Lucee back up. This process will update both the loader and the core (which is bundled inside the loader) and should get you completely free of Log4j version 1.
Blockquote
Simply click the “execute update” button to patch your current version
That doesn’t work. So I downloaded the recent lucee jar, stopped the service, placed it there (i.e., in lucee/lib, not anything under the tomcat directory), removed the old and restarted the service. Voila. Success.
Only if you need to update the Lucee core jar, which is not very often at all. For small, normal updates, updating the core (via the web admin) is fine. It’s not very often an actual class file in the loader needs replaced. It’s like the bootstrap.
