Lucee Critical Security Alert, August 15th, 2023 - CVE-2023-38693

The Lucee team received a responsible disclosure for a security vulnerability which affects all previous releases of Lucee.

After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this security update.

Latest Stable Releases

  • 5.4.3.2 (recommended)
  • 5.3.12.1

Backported Stable Releases

In addition, as we are aware that some Lucee users have not yet upgraded from older versions, we have also published Stable Releases for these older versions with the vulnerability.

  • 5.3.9.173
  • 5.3.8.237
  • 5.3.7.59

Anyone running these older releases is advised to hotfix immediately and then make plans to upgrade to the latest 5.4.3.2 Stable Release, which includes further additional hardening, as well as updated, CVE-free Java libraries.

As usual, these new versions are available via

To immediately patch a server, drop the appropriate .lco / core file from https://download.lucee.org into your install’s `lucee-server\deploy` folder, i.e. https://cdn.lucee.org/5.4.3.2.lco

Updating via the deploy folder is exactly the same process as updating via the Lucee admin.

To receive emails regarding advisories like this, please sign up for our Announcement mailing list

All these builds have XXE mitigations enabled by default

You can override them using xmlFeatures settings in Application.cfc, or in 5.4.3.2 you can override them with isXml() or xmlParse() on a case by case basis


Just to check my understanding, 5.4.2.x is vulnerable, and the recommended action is to upgrade to 5.4.3.x ?

yes


We haven’t upgraded in a long time. Will this patch work with 5.3.4.77?

updating to 5.3.7.59 should work

You’re going to need to test though. There are potential breaking changes, like with the XSS. We were not able to upgrade from 5.3.8.206 to 5.3.8.237 without making changes.


IMPORTANT — If you’re having trouble updating via the Admin (which uses the LCO patch approach), try replacing your JAR with the fat JAR file.

This means instead of applying the update with 5.4.3.2.lco, use the full lucee-5.4.3.2.jar found on https://download.lucee.org/ and update your full install.


the fat jar is the lucee file found under the /lib directory, i.e. the lucee-6.0.0.381-SNAPSHOT.jar

that’s the lucee.jar file on the downloads page

you need to shutdown lucee, replace the jar and restart

@Zackster - in production I’m currently running 5.3.8.206 because at some point, later versions broke the websockets extension. Looks like the closest upgrade version that fixes this issue would be 5.3.8.237. A couple of questions: 1) can I upgrade to 5.3.8.237 from the Update item in the Lucee admin and get the hotfix? And 2) Do you have any idea if the websockets extension was broken when Lucee updated to Tomcat 9, or if it was something in Lucee that did it?


I believe those problems are indeed Tomcat 9 related, pretty sure you’ll be fine with .237

@bennadel asked me, so I’m sharing this info

Anyone wondering about the new Docker image naming, with names like Jammy / Focal, that’s the Ubuntu base image, i.e. lucee/lucee:5.4.3.2-nginx-tomcat9.0-jdk8-temurin-focal

  • Jammy is Ubuntu 22.0.4 LTS
  • Focal is Ubuntu 20.04 LTS

Temurin is the Eclipse Java distribution, same as we use for the Lucee installers via https://adoptium.net/

OpenJDK stopped creating images for older java versions, hence the switch

The good news is that these new docker images are super up to date and CVE free


Is 5.3.10.97 vulnerable? I don’t see a Backported Stable Release for 5.3.10.x

When replacing the fat jar file in the lib dir, can I assume it doesn’t matter if you have other older fat jar files in there - and the engine knows (on restart) to deploy the latest? Not that I want to be downgrading, given the nature of this alert, but wondered if only keeping the latest was best practice. ty.

pretty sure there should be only one jar in the /lib folder, change the old one to .jar-old or something


Oh, nice, we use FROM 5.x.y.z-nginx so it Just Worked a few versions back, with some minor tweaks to things like Java paths.

I can vouch for a massive reduction in the CVE count, at least as reported by Amazon ECR service.


all Lucee versions except the versions listed above as patched are vulnerable

5.3.11 and 5.3.12 are both small releases and very close to 5.3.10 and include additional hardening, so we didn’t release a 5.3.10 or 5.3.11 patch

same goes for 5.4, we didn’t patch 5.4.0, 5.4.1 and 5.4.2 as they are all cumulative bug fix releases, so we released 5.4.3 which contains all those fixes, the patches and the hardening


Thanks a ton - Zach and team for knocking this out, especially at a time when you are busy as hell. Wish I had been doing the fat jar deployments all along, as I have been fighting issues with .lco for some time.
5.4.3.2 looking rock solid - several hours of getting hammered on multiple nodes.


Is there a test which confirms a newly patched Lucee server is indeed protected?

(Just to make sure the patch was done correctly.)
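The advisory says the patched builds enable XXE mitigations by default and that they can be overridden via xmlFeatures in Application.cfc, and the question above asks how to confirm a patched server is actually protected. The following is an added example (not code from the Lucee team or this thread) that does both: an Application.cfc that states the hardened XML settings explicitly, and a small self-check page that feeds the parser a constructed document containing a DOCTYPE declaration and treats a parse failure as proof that the hardening is active. The xmlFeatures key names (externalGeneralEntities, secure, disallowDoctypeDecl) are my assumption from the Lucee documentation and should be confirmed against your version's docs; the check assumes disallowDoctypeDecl is part of the default mitigations, which is why the probe needs only an internal entity and no external reference.

```cfml
// ---- Application.cfc (added example, not from the advisory) ----
component {
    this.name = "xxe-self-check";

    // Assumed xmlFeatures keys (taken from the Lucee docs; verify for your build).
    // Stating them explicitly documents the intent and survives a future
    // version whose defaults differ. With these values the parser rejects
    // any DOCTYPE declaration and never resolves external general entities.
    this.xmlFeatures = {
        externalGeneralEntities: false,
        secure: true,
        disallowDoctypeDecl: true
    };
}

// ---- xxe-check.cfm (added example) ----
<cfscript>
// Returns true when the parser refuses a DOCTYPE declaration, i.e. the
// XXE hardening is in effect. The probe is a constructed document with an
// internal entity only; a hardened parser throws before the entity matters.
function xmlMitigationActive() {
    var probe = '<?xml version="1.0"?>'
        & '<!DOCTYPE note [ <!ENTITY greet "hello"> ]>'
        & '<note>&greet;</note>';
    try {
        var doc = xmlParse(probe);
        // Parse succeeded: the DOCTYPE was accepted, so hardening is NOT active.
        return false;
    } catch (any e) {
        // Hardened parser raises on the DOCTYPE declaration itself.
        return true;
    }
}

// Control case: ordinary documents must still parse, so a "true" above is
// not simply a broken XML parser.
function plainXmlStillParses() {
    var doc = xmlParse('<config><setting name="x">1</setting></config>');
    return doc.config.setting.xmlAttributes.name == "x";
}

writeOutput("XXE mitigation active: " & xmlMitigationActive() & "<br>");
writeOutput("Plain XML still parses: " & plainXmlStillParses());
</cfscript>
```

Drop xxe-check.cfm into an application covered by that Application.cfc and request it once after the hotfix or fat-jar swap: the expected result on a patched build is "true" for both lines. A "false" on the first line means the DOCTYPE was accepted, which is the pre-patch behaviour or a sign that xmlFeatures has been loosened somewhere in the application; remove the page again once the deployment is confirmed.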

CommandBox 5.9.1 is now released, which bundles Lucee 5.4.3.2 as the bundled engine and default server.
