After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this security update.
Latest Stable Releases
Backported Stable Releases
In addition, as we are aware that some Lucee users have not yet upgraded from older versions, we have also published Stable Releases for these older versions with the vulnerability.
Anyone running these older releases is advised to hotfix immediately and then make plans to upgrade to the latest 184.108.40.206 Stable Release, which includes further additional hardening, as well as updated, CVE-free Java libraries.
@Zackster - in production I’m currently running 220.127.116.11 because at some point, later versions broke the websockets extension. Looks like the closest upgrade version that fixes this issue would be 18.104.22.168. A couple of questions: 1) can I upgrade to 22.214.171.124 from the Update item in the Lucee admin and get the hotfix? And 2) Do you have any idea if the websockets extension was broken when Lucee updated to Tomcat 9, or if it was something in Lucee that did it?
When replacing the fat jar file in the lib dir, can I assume it doesn’t matter if you have other older fat jar files in there - and the engine knows (on restart) to deploy the latest? Not that I want to be downgrading, given the nature of this alert, but wondered if only keeping the latest was best practice. ty.
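The thread does not say how the engine behaves when several fat jars sit in lib/, so the safe move when hotfixing is to leave exactly one jar there and not rely on the engine choosing correctly. The script below is an added example, not Lucee project code, and assumes the fat jars are named lucee-<version>.jar (the version numbers in the demo are made up) and that GNU sort -V is available for version ordering (plain lexical sort would put 1.0.0.9 after 1.0.0.10). It reports the newest jar, lists any older ones, and moves them out of lib/ into a backup directory so only the hotfixed jar is on the classpath after restart.

```shell
#!/bin/sh
# Added example (not from the Lucee project): keep exactly one Lucee fat jar
# in lib/ when hotfixing. ASSUMPTION: fat jars are named lucee-<version>.jar.

# Print the path of the highest-versioned lucee-*.jar in the given lib dir
# (empty output if there is none). sort -V orders 1.0.0.9 before 1.0.0.10.
newest_jar() {
    dir="$1"
    ls "$dir"/lucee-*.jar 2>/dev/null | sort -V | tail -n 1
}

# Print every lucee-*.jar in the lib dir except the newest, one per line.
stale_jars() {
    dir="$1"
    ls "$dir"/lucee-*.jar 2>/dev/null | sort -V | sed '$d'
}

# Move the stale jars into a backup directory outside lib/ so they cannot be
# picked up on restart; print how many jars now sit in the backup directory.
quarantine_stale() {
    dir="$1"
    backup="$2"
    mkdir -p "$backup"
    stale_jars "$dir" | while IFS= read -r jar; do
        mv "$jar" "$backup"/
    done
    ls "$backup"/lucee-*.jar 2>/dev/null | wc -l | tr -d ' '
}

# Demo on a constructed lib/ directory: the files are empty stand-ins for real
# jars and the version numbers are invented for the example.
demo=$(mktemp -d)
mkdir "$demo/lib"
for v in 1.0.0.9 1.0.0.10 1.0.0.2; do : > "$demo/lib/lucee-$v.jar"; done
echo "newest: $(newest_jar "$demo/lib")"
echo "stale:"
stale_jars "$demo/lib"
echo "moved to backup: $(quarantine_stale "$demo/lib" "$demo/lib-old-jars")"
echo "remaining in lib:"
ls "$demo/lib"
rm -rf "$demo"
```

Run it against the real install as `newest_jar /path/to/lucee/lib` first to confirm the hotfixed jar is the one it will keep, then `quarantine_stale /path/to/lucee/lib /path/to/backup` before restarting; after restart, check the version reported by the Lucee admin matches the jar you deployed.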
Thanks a ton - Zach and team for knocking this out, especially at a time when you are busy as hell. Wish I had been doing the fat jar deployments all along, as I have been fighting issues with .lco for some time.
126.96.36.199 looking rock solid - several hours of getting hammered on multiple nodes.