Lucee 5.4.3.11-RC is out

Zackster · September 23, 2023, 10:24am

This is a bug fix release addressing the all the regressions found in 5.4.3 (all the 5.4.4.x fixes are backported into this RC as well)

Plan is for a quick RC, as people have been testing all the fixes along the way.

Assuming there are no regressions found, we will be merging the private CVE branch back into the public branch a week after the stable release, so if you haven’t already upgraded to a CVE version, it’s time to update.

Here’s is the epic for the all the bugs addressed in RC 5.4.3 regressions

the RC Builds are up in all the normal places

I have also backported the admin fixes to the 5.3.12.3-SNAPSHOT (remember 5.3 is EOL, as per our roadmap)

There is also a an updated S3 2.0.1.10-SNAPSHOT which addresses bugs relating to the s3 region handling with non AWS providers, which isn’t included in this build but is available for testing

Heads up, if your server is behind a firewall, you will need to update via the full jar, as we have upgraded commons-compress due to a CVE relating to tar handling

As for Lucee 6 is coming along well, we will be releasing a new RC in the next week or so

Zackster · September 23, 2023, 10:25am

Miguel-F · September 28, 2023, 12:05pm

Being new to the Lucee ecosystem I’m not sure what you mean by the following statement. Can you elaborate?

How do we know what is or is not a “CVE version”?

David_Raschper · September 28, 2023, 1:17pm

This means that the vulnerability is getting published. So make sure that you are using a Lucee version that does not have this vulnerability. Which versions are fixed you can see in this thread:

Miguel-F · September 28, 2023, 1:34pm

Thanks for the reply David. My question was if there was a way to know which versions include a patch for CVE from the Lucee downloads page itself. That is how I was reading Zac’s original message. I guess there is not a way to know except by following this list and checking for specific messages regarding CVEs. Thanks for pointing that out.

Also by subscribing to the email notifications. Which I have done but not received any emails from that yet. I signed up after that CVE was patched however.

andreas · September 28, 2023, 6:53pm

The patched version have been published here:

However, there have been some regression (e.g. the admin issue that I think you’ve also experienced). Everything afterwards should be CVE free. The thing is that the Lucee dev team didn’t make the CVE changes public on the source repository(the commits and changes can’t be seen on github) just to make sure to make reverse engineering more diffucult). That gave admins more time time to upgrade. But, the issue is probably going to be disclosed soon, so this is a warning that the finder of the issue is likely to be publish the CVE with a poc soon

Miguel-F · September 28, 2023, 7:23pm

That makes sense. Thanks Andreas

Zackster · September 29, 2023, 1:53pm

really would like some testing feedback from people…

I’ve had only a few people report back no problems

not enough RC feedback, no release…

andreas · September 29, 2023, 10:25pm

@Zackster I’d really love to test it, but I had no time at all… lots of changes going on in my life right now … but I promise I’ll do it soon.

ChipNCharge · October 2, 2023, 9:55pm

I spent an hour-and-a-half going through our application after upgrading to 5.4.3.11-RC. I’m having three other devs upgrade and hoping I can get our QA to run a full automation on the app tomorrow. The only thing I encountered is the pesky bug where I have to upgrade or downgrade OWASP/ESAPI to be able to log into the secure areas on our app.

Knut · October 5, 2023, 8:31am

Should the feedback be posted here in the forum or directly via message to you?

thefalken · October 5, 2023, 9:51am

not enough RC feedback, no release…

Seems a fair enough comment to me. There’s no need to hit a particular release date or interval is there ?

I’m going to be testing the S3 changes later today, if nothing catches fire

ChipNCharge · October 5, 2023, 7:08pm

@Zackster I may have found a bug. Upgraded from 5.3.7.48. When trying to use cfspreadsheet to read an Excel file, we get the Java error below. Downgraded and uploading and reading the file works.

java.lang.reflect.InvocationTargetException

The Error Occurred in
/org/cfpoi/spreadsheet/Spreadsheet.cfc: line 2343
called from /org/cfpoi/spreadsheet/Spreadsheet.cfc: line 32
called from /SpreadsheetRead.cfm: line 29
called from /spreadsheet.cfc: line 154

lucee.runtime.exp.NativeException: java.lang.reflect.InvocationTargetException
at org.apache.poi.POIXMLFactory.createDocumentPart(POIXMLFactory.java:63)
at org.apache.poi.POIXMLDocumentPart.read(POIXMLDocumentPart.java:625)
at org.apache.poi.POIXMLDocument.load(POIXMLDocument.java:186)
at org.apache.poi.xssf.usermodel.XSSFWorkbook.(XSSFWorkbook.java:260)
at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:181)
at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at lucee.runtime.reflection.pairs.MethodInstance.invoke(MethodInstance.java:56)
at lucee.runtime.java.JavaObject.call(JavaObject.java:265)
at lucee.runtime.java.JavaObject.call(JavaObject.java:287)
at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:787)
at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1775)
at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall8(/org/cfpoi/spreadsheet/Spreadsheet.cfc:2343)
at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall(/org/cfpoi/spreadsheet/Spreadsheet.cfc)
at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
at lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:213)
at lucee.runtime.type.scope.UndefinedImpl.callWithNamedValues(UndefinedImpl.java:804)
at lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:866)
at lucee.runtime.PageContextImpl.getFunctionWithNamedValues(PageContextImpl.java:1794)
at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall1(/org/cfpoi/spreadsheet/Spreadsheet.cfc:32)
at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall(/org/cfpoi/spreadsheet/Spreadsheet.cfc)
at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
at lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:213)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:699)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:586)
at lucee.runtime.ComponentImpl.callWithNamedValues(ComponentImpl.java:1952)
at lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:866)
at lucee.runtime.PageContextImpl.getFunctionWithNamedValues(PageContextImpl.java:1794)
at spreadsheetread_cfm$cf.udfCall(/SpreadsheetRead.cfm:29)
at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
at lucee.runtime.type.UDFImpl.call(UDFImpl.java:223)
at lucee.runtime.functions.system.CFFunction.call(CFFunction.java:106)
at spreadsheet_cfc$cf.udfCall(/spreadsheet.cfc:154)
at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
at lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:213)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:699)
at lucee.runtime.ComponentImpl._call(ComponentImpl.java:586)
at lucee.runtime.ComponentImpl.callWithNamedValues(ComponentImpl.java:1952)
at lucee.runtime.tag.CFTag.cfcStartTag(CFTag.java:384)
at lucee.runtime.tag.CFTag.doStartTag(CFTag.java:178)
at _import.savemain_cfm$cf.call(/import/saveMain.cfm:82)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1056)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:929)
at _import.wizard_cfm$cf.call(/import/wizard.cfm:30)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1056)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:65)
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:45)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2493)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2478)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2449)
at lucee.runtime.engine.Request.exe(Request.java:45)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1216)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1162)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:479)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.poi.POIXMLException: java.lang.reflect.InvocationTargetException
… 86 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.poi.xssf.usermodel.XSSFFactory.createDocumentPart(XSSFFactory.java:56)
at org.apache.poi.POIXMLFactory.createDocumentPart(POIXMLFactory.java:60)
… 85 more
Caused by: java.lang.NullPointerException
at org.apache.felix.framework.util.WeakZipFileFactory$WeakZipFile$WeakZipInputStream.read(WeakZipFileFactory.java:690)
at java.io.DataInputStream.readInt(DataInputStream.java:387)
at org.apache.xmlbeans.impl.schema.SchemaTypeSystemImpl.crackPointer(SchemaTypeSystemImpl.java:1467)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl.crackPointer(SchemaTypeLoaderImpl.java:345)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl.crackEntry(SchemaTypeLoaderImpl.java:340)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl.typeSystemForComponent(SchemaTypeLoaderImpl.java:256)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderImpl.findDocumentTypeRef(SchemaTypeLoaderImpl.java:430)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderBase.findDocumentType(SchemaTypeLoaderBase.java:129)
at org.apache.xmlbeans.impl.store.Locale.autoTypeDocument(Locale.java:319)
at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1391)
at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1370)
at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderBase.parse(SchemaTypeLoaderBase.java:370)
at org.apache.poi.POIXMLTypeLoader.parse(POIXMLTypeLoader.java:116)
at org.openxmlformats.schemas.drawingml.x2006.main.ThemeDocument$Factory.parse(Unknown Source)
at org.apache.poi.xssf.model.ThemesTable.(ThemesTable.java:85)
… 91 more

ChipNCharge · October 5, 2023, 9:17pm

Oops. That’s not in Lucee itself. My bad.

sebduggan · October 8, 2023, 10:12am

Currently running 5.4.3.14-RC with no issues. Is there anything in particular I should be looking out for or validating?

Miguel-F · October 9, 2023, 3:39pm

FYI, a stable version has already been released - 5.4.3.15.

Lucee 5.4.3.15 Stable Release

benser · October 10, 2023, 11:44am

Did you figure out a solution for this? I am having the same problem

ChipNCharge · October 10, 2023, 2:04pm

We are using this spreadsheet tool instead. It requires a little bit of refactoring but it’s not too bad of a change. https://github.com/cfsimplicity/spreadsheet-cfml