After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this security update.
Latest Stable Releases
5.4.3.2 (recommended)
5.3.12.1
Backported Stable Releases
In addition, as we are aware that some Lucee users have not yet upgraded from older versions, we have also published Stable Releases for these older versions with the vulnerability.
5.3.9.173
5.3.8.237
5.3.7.59
Anyone running these older releases is advised to hotfix immediately and then make plans to upgrade to the latest 5.4.3.2 Stable Release, which includes further additional hardening, as well as updated, CVE-free Java libraries.
You’re going to need to test though. There are potential breaking changes, like with the XSS. We were not able to upgrade from 5.3.8.206 to 5.3.8.237 without making changes.
IMPORTANT — If you’re having trouble updating via the Admin (which uses the LCO patch approach), try replacing your JAR with the fat JAR file.
This means instead of applying the update with 5.4.3.2.lco, use the full lucee-5.4.3.2.jar found on https://download.lucee.org/ and update your full install.
@Zackster - in production I’m currently running 5.3.8.206 because at some point, later versions broke the websockets extension. Looks like the closest upgrade version that fixes this issue would be 5.3.8.237. A couple of questions: 1) can I upgrade to 5.3.8.237 from the Update item in the Lucee admin and get the hotfix? And 2) Do you have any idea if the websockets extension was broken when Lucee updated to Tomcat 9, or if it was something in Lucee that did it?
Anyone wondering about the new docker images naming, with the names like Jammy / Focal, that’s the ubuntu base image, i.e. lucee/lucee:5.4.3.2-nginx-tomcat9.0-jdk8-temurin-focal
Jammy is Ubuntu 22.04 LTS
Focal is Ubuntu 20.04 LTS
Temurin is the Eclipse Java distribution, same as we use for the Lucee installers via https://adoptium.net/
OpenJDK stopped creating images for older Java versions, hence the switch
The good news is that these new docker images are super up to date and CVE free
When replacing the fat jar file in the lib dir, can I assume it doesn’t matter if you have other older fat jar files in there - and the engine knows (on restart) to deploy the latest? Not that I want to be downgrading, given the nature of this alert, but wondered if only keeping the latest was best practice. ty.
All Lucee versions except the versions listed above as patched are vulnerable.
5.3.11 and 5.3.12 are both small releases and very close to 5.3.10 and include additional hardening, so we didn’t release a 5.3.10 or 5.3.11 patch.
Same goes for 5.4: we didn’t patch 5.4.0, 5.4.1 and 5.4.2 as they are all cumulative bug fix releases, so we released 5.4.3, which contains all those fixes, the patches and the hardening.
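The post above gives the rule (only the listed builds are patched; branches without a backport go to a newer cumulative release), and the earlier posts describe dropping the fat `lucee-<version>.jar` into `lib/`. The script below is an added example for this page, not Lucee project code: it turns that rule into a triage function over Lucee's four-part version strings and scans a constructed `lib/` listing for Lucee fat jars. The patched list and the `lucee-<version>.jar` naming come from the thread; the assumption that a build numbered at or above the patched build in the same major.minor.patch branch carries the fix is mine, and the script does not claim anything about how the engine picks between several jars, it only reports what is left in the directory.

```python
"""Triage Lucee version strings against the patched releases listed in this thread.

Constructed example for this page, not Lucee project code. Assumptions are marked.
"""
import re

# Releases the announcement above lists as patched (latest stable + backported stable).
PATCHED = ["5.4.3.2", "5.3.12.1", "5.3.9.173", "5.3.8.237", "5.3.7.59"]
LATEST = "5.4.3.2"  # recommended target; carries the extra hardening and updated libraries

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
# Fat-jar naming used in the thread, e.g. lucee-5.4.3.2.jar from download.lucee.org
JAR_RE = re.compile(r"^lucee-(\d+\.\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'5.3.8.206' -> (5, 3, 8, 206). Lucee versions have four numeric parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Lucee version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fmt(v):
    return ".".join(str(part) for part in v)


def triage(version):
    """Classify one installed version.

    Returns a dict with status 'patched', 'vulnerable' or 'unknown' (newer than
    anything in the thread), the nearest patched build in the same major.minor
    line ('hotfix', None if that line has none) and the recommended 'upgrade'.
    """
    v = parse_version(version)
    patched = sorted(parse_version(p) for p in PATCHED)
    latest = parse_version(LATEST)

    if v > latest:
        # Newer than the thread covers; say so rather than recommend a downgrade.
        return {"version": version, "status": "unknown", "hotfix": None, "upgrade": None}

    # ASSUMPTION: a build at or above the patched build in the same
    # major.minor.patch branch carries the fix (the thread lists only the builds above).
    for pv in patched:
        if pv[:3] == v[:3] and v >= pv:
            return {"version": version, "status": "patched", "hotfix": None,
                    "upgrade": None if v >= latest else LATEST}

    # Vulnerable: offer the smallest patched build above us in the same major.minor line.
    hotfix = None
    for pv in patched:  # ascending, so the first hit is the closest
        if pv[:2] == v[:2] and pv > v:
            hotfix = fmt(pv)
            break
    return {"version": version, "status": "vulnerable", "hotfix": hotfix, "upgrade": LATEST}


def lucee_jars(filenames):
    """Versions of the Lucee fat jars among the given lib/ file names, newest first."""
    found = []
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            found.append(parse_version(m.group(1)))
    return [fmt(v) for v in sorted(found, reverse=True)]


def report(filenames):
    """Triage the newest Lucee jar in lib/ and list any older Lucee jars left beside it."""
    jars = lucee_jars(filenames)
    if not jars:
        return {"error": "no lucee-<version>.jar found"}
    result = triage(jars[0])
    result["leftover_jars"] = jars[1:]  # older fat jars still in lib/; clean up once the new build is confirmed running
    return result


if __name__ == "__main__":
    # Constructed lib/ listing: a freshly dropped-in 5.4.3.2 next to the old jar.
    sample = ["lucee-5.3.8.206.jar", "lucee-5.4.3.2.jar", "commons-io-2.11.0.jar"]
    print(report(sample))
    for ver in ["5.3.8.206", "5.3.10.120", "5.4.1.8", "5.2.9.31"]:
        print(triage(ver))
```

Feed `triage()` the value of `server.lucee.version` from a running instance, or point `report()` at a real `os.listdir("lib")`; the `hotfix` field is the nearest backported build for hosts that cannot move branches yet, and `upgrade` is always the thread's recommended 5.4.3.2.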
Thanks a ton - Zach and team for knocking this out, especially at a time when you are busy as hell. Wish I had been doing the fat jar deployments all along, as I have been fighting issues with .lco for some time.
5.4.3.2 looking rock solid - several hours of getting hammered on multiple nodes.