Additionally, after seeing a thread on Slack by @dswitzer, who had issues within the Lucee Administrator (not being able to load certain administrator pages), I can confirm that I had a similar issue on test upgrades in Ubuntu (it might be the same on Windows): the Lucee Administrator was not fully deployed when upgrading with the full lucee-5.4.3.2.jar. If you are finding the same issues, you might need to do the following:
ATTENTION: Make a backup of your Administrator Settings first. This will wipe all settings made through your Lucee Administrator (e.g. password, mappings, etc).
UPDATED thanks to @Zackster remarks below:
Step 1: Stop Lucee.
Step 2: Back up lucee-server.xml from path-to-lucee/tomcat/lucee-server/context/lucee-server.xml.
Step 3: Delete the “lucee-server” directory.
Step 4: Restart Lucee and wait for Lucee to fully redeploy your “lucee-server” folder.
Step 5: Copy the backed-up lucee-server.xml back to path-to-lucee/tomcat/lucee-server/context/lucee-server.xml.
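The redeploy procedure above, written out as a POSIX shell script. This is an added example for this thread, not code from the poster or from the Lucee project. It assumes the Tomcat-based layout named in the steps (path-to-lucee/tomcat/lucee-server/context/lucee-server.xml), and because the way Lucee is stopped and started differs per install (systemd unit, the bundled control script, a container restart), the stop and start commands are passed in as arguments rather than guessed. The backup is checksummed with cksum before it is copied back so a truncated or altered copy is not silently restored over a freshly generated config.

```shell
#!/bin/sh
# Added example: rebuild the Lucee "lucee-server" context while preserving
# lucee-server.xml. Layout and commands are assumptions (see lead-in).
set -eu

context_xml() {            # $1 = lucee home; prints the path of lucee-server.xml
  printf '%s/tomcat/lucee-server/context/lucee-server.xml\n' "$1"
}

# backup_server_xml <lucee_home> <backup_dir>
# Copies lucee-server.xml out of the context dir and records a cksum of it.
backup_server_xml() {
  src=$(context_xml "$1")
  [ -f "$src" ] || { echo "no lucee-server.xml at $src" >&2; return 1; }
  mkdir -p "$2"
  cp -p "$src" "$2/lucee-server.xml"
  cksum < "$2/lucee-server.xml" > "$2/lucee-server.xml.cksum"
}

# wait_for_redeploy <lucee_home> <timeout_seconds>
# Polls until Lucee has written a fresh lucee-server.xml, or gives up.
wait_for_redeploy() {
  waited=0
  while [ ! -f "$(context_xml "$1")" ]; do
    [ "$waited" -lt "$2" ] || { echo "lucee-server not redeployed after $2s" >&2; return 1; }
    sleep 1
    waited=$((waited + 1))
  done
}

# restore_server_xml <lucee_home> <backup_dir>
# Verifies the backup against the recorded cksum, then copies it back in place.
restore_server_xml() {
  bak="$2/lucee-server.xml"
  [ "$(cksum < "$bak")" = "$(cat "$2/lucee-server.xml.cksum")" ] \
    || { echo "backup $bak does not match its recorded checksum, not restoring" >&2; return 1; }
  cp -p "$bak" "$(context_xml "$1")"
}

# redeploy_lucee_server <lucee_home> <backup_dir> <stop_cmd> <start_cmd> [timeout]
# The five steps from the post: back up, stop, delete lucee-server, start and
# wait for redeploy, copy the backup back. Refuses to rm anything unless the
# expected lucee-server directory actually exists under <lucee_home>.
redeploy_lucee_server() {
  home="$1"; bak="$2"; stop_cmd="$3"; start_cmd="$4"; timeout="${5:-120}"
  [ -d "$home/tomcat/lucee-server" ] || { echo "$home does not look like a Lucee home" >&2; return 1; }
  backup_server_xml "$home" "$bak"
  sh -c "$stop_cmd"
  rm -rf "$home/tomcat/lucee-server"
  sh -c "$start_cmd"
  wait_for_redeploy "$home" "$timeout"
  restore_server_xml "$home" "$bak"
  # If the restored settings do not show up in the Administrator, restart once more.
}

# Invoke as: sh redeploy.sh /opt/lucee /root/lucee-backup \
#   'systemctl stop lucee' 'systemctl start lucee' 120   (commands are assumptions)
if [ $# -ge 4 ]; then
  redeploy_lucee_server "$@"
fi
```

The stop and start strings are run through `sh -c`, so they can be whatever your install uses; the default wait is two minutes, which is usually more than Lucee needs to unpack the context but can be raised on slow disks.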
For anyone getting a 404 when accessing either /lucee/admin/server.cfm or /lucee/admin/web.cfm, the problem is that for some reason Lucee cannot find the “overview” page. This is the only administrator page that seems to be a problem, and there appear to be several workarounds:
You can manually alter the URL and go to any other admin page (e.g. /lucee/admin/server.cfm?action=server.cache). Every other page appears to work; just avoid the “overview” page.
Keep restarting Tomcat (or your servlet engine) until it works. Usually restarting Tomcat once is enough to get it to work, but sometimes I’ve had to restart multiple times.
Either way, it eventually will start working. From what I can tell, once it starts working it seems to be fine. However, I haven’t done enough testing to know if it might stop working again on a future restart of Tomcat.
In response to andreas:
I am sorry I was not clear about what was wrong. My bad!
The install does work. The apps come up and I can login and see no issue. I just cannot access the admin.
We chose to go with the light version and only use the extensions we need. With light, we absolutely did have the admin extension separate.
In response to Zackster:
The URL I have always used: https://[hostname]:[hostport]/[appname]/lucee/admin/server.cfm
Something I just realized this morning is that on the instances we have on our local developer workstations, which are running Windows, the admin opens just fine. We have two different servers for dev and test, as we are in the middle of the upgrade. dev is RHEL8 and test is RHEL7. The admin with the above URL will not open…just a 404 error.
We only have in place a single docker build process, so that’s what we used to provide for this critical patch
Our current Docker image is the latest Java 11 and the latest Tomcat 9 on top of a fully up-to-date Ubuntu image, with as few CVEs in the base Ubuntu image as possible.
You need to take into consideration and differentiate between OS patches and Java patches; headline numbers are meaningless.
If you want to reuse the older CVE-ridden Docker image, feel free to do some Docker kung-fu yourself on top of the old image and use that.
I don’t know why this works but I fixed the “requested action doesn’t exist” error on the 5.4.3.2 overview page by installing and then uninstalling the Chart Extension.
Hi Zackster and all the community, sorry for my ignorance, but based on this information:
If our server is already running 5.3.8.237, how do we temporarily hotfix it (while we make the necessary changes in our code and do the full battery of tests to be compatible with 5.4.3.2)?
@Zackster We are considering if we should update, since it will be a tedious process in our case, while at the same time we will be phasing out the software that includes Lucee soon.
Therefore I am looking for more information to assess the risk of this vulnerability. Is more information available regarding the CVE? What exactly is the vulnerability? Is it known if it has been exploited already?
I think we’d all like a full write-up at some point, as I don’t see an obvious exploit chain from ‘svg can contain local file content’ per NVD - CVE-2023-38633 to compromise of Lucee (via admin?).
There is a write-up coming; however, we have a few open regressions with 5.4.3 which have all been addressed in 5.4.3.7-SNAPSHOT. Once that is tested and a new stable comes out, then a write-up will be posted.
Just adding a note that CVE-2023-38633 is an unrelated vulnerability. Too many numbers, and too easy to get them jumbled. This vulnerability is CVE-2023-38693, and the CVE record is still “reserved.”