Lucee Critical Security Alert, August 15th, 2023 - CVE-2023-38693

Additionally, after seeing a thread on Slack by @dswitzer, who had issues within the Lucee Administrator (not being able to load certain administrator pages), I can confirm that I had a similar issue on test upgrades in Ubuntu (it might be the same on Windows): the Lucee Administrator was not fully deployed when upgrading with the full lucee-5.4.3.2.jar. If you are finding the same issues, you might need to do the following:

ATTENTION: Make a backup of your Administrator Settings first. This will wipe all settings made through your Lucee Administrator (e.g. password, mappings, etc).

UPDATED thanks to @Zackster remarks below:
Step 1: Stop Lucee.
Step 2: Back up lucee-server.xml from path-to-lucee/tomcat/lucee-server/context/lucee-server.xml.
Step 3: Delete the “lucee-server” directory.
Step 4: Restart Lucee and wait for Lucee to fully redeploy your “lucee-server” folder.
Step 5: Copy the lucee-server.xml back to path-to-lucee/tomcat/lucee-server/context/lucee-server.xml.

That’s a bit extreme, nuking that whole folder; you can back up the lucee-server.xml file to keep all your settings. We are investigating this problem.

1 Like

stopping the server, deleting cfclasses and restarting seems to do the trick

For anyone having issues getting a 404 when accessing either /lucee/admin/server.cfm or /lucee/admin/web.cfm, the problem is that for some reason Lucee cannot find the “overview” page. This is the only administrator page that seems to be a problem, and there appear to be several workarounds:

  • You can manually alter the URL and go to any other admin page (e.g. /lucee/admin/server.cfm?action=server.cache). Every other page appears to work; just avoid the “overview” page.
  • Keep restarting Tomcat (or your servlet engine) until it works. Usually restarting Tomcat once is enough to get it to work, but sometimes I’ve had to restart multiple times.

Either way, it eventually will start working. From what I can tell, once it starts working it seems to be fine. However, I haven’t done enough testing to know if it might stop working again on a future restart of Tomcat.

2 Likes

In response to andreas:
I am sorry I was not clear about what was wrong. My bad!

The install does work. The apps come up and I can login and see no issue. I just cannot access the admin.

We chose to go with the light version and only use the extensions we need. With light, we absolutely did have the admin extension separate.

In response to Zackster:
The URL I have always used: https://[hostname]:[hostport]/[appname]/lucee/admin/server.cfm

Something I just realized this morning is that on the instances we have on our local developer workstations, which are running Windows, the admin opens just fine. We have two different servers for dev and test, as we are in the middle of the upgrade: dev is RHEL8 and test is RHEL7. The admin with the above URL will not open, just a 404 error.

EDIT:

Something hit me about what Zackster said, so I removed the [APPNAME] from the URL and the admin is again accessible.

The overview page just says:
[image]

Seriously, thank you all for helping work through this.

2 Likes

We only have in place a single docker build process, so that’s what we used to provide for this critical patch

Our current Docker image is the latest Java 11 and latest Tomcat 9 on top of a fully up-to-date Ubuntu image, with as few CVEs in the base Ubuntu image as possible.

You need to take into consideration and differentiate between OS patches and Java patches; headline numbers are meaningless.

If you want to reuse the older CVE-ridden Docker image, feel free to do some Docker kung-fu yourself on top of the old image and use that.

I don’t know why this works but I fixed the “requested action doesn’t exist” error on the 5.4.3.2 overview page by installing and then uninstalling the Chart Extension.

Went to follow freddybob’s suggestion just now and the overview page is magically working again :face_with_raised_eyebrow:

I just published 5.4.3.4-SNAPSHOT; this should solve it.

2 Likes

FYI This regression was just reported by a user updating from 5.3.10

https://luceeserver.atlassian.net/browse/LDEV-4676

3 Likes

Hi Zackster and all the community, sorry for my ignorance, but based on this information:

If our server is already running 5.3.8.237, how do we temporarily hotfix it (while we make the necessary changes in our code and run the full battery of tests to be compatible with 5.4.3.2)?

Thank You!

Hi, I tried the upgrade to 5.4.3.2 but it breaks CFFTP:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-dss"

I had that issue also, I fixed it by stopping lucee for 120 seconds then starting her again

1 Like

That’s due to the upgraded JSch library, which has turned off older insecure algorithms by default.

Did you look in Jira? https://luceeserver.atlassian.net/browse/LDEV-4621?jql=text%20~%20"Algorithm%20negotiation%20fail*" There’s a workaround.
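The exception quoted above is a negotiation failure, not a connection failure: the client (JSch) and the SFTP server offer no host-key algorithm in common, because the server offers only ssh-dss and newer JSch no longer proposes it. As an added example (not code from the thread, from Lucee, or from JSch), the Python checker below parses that message out of a log line, computes the overlap between the two proposals, and flags the case where the server side only offers legacy algorithms, so you can tell whether the fix belongs on the server (regenerate a modern host key) or in the client configuration. The log lines and the legacy-algorithm list are constructed for the example; the list is an assumption, not JSch's exact default set.

```python
import re

# Constructed sample log lines for this example. The first one carries the
# JSch exception text as quoted in the thread; the timestamp and logger prefix
# are made up.
SAMPLE_LOG = [
    '2023-08-16 10:12:03 ERROR ftp - com.jcraft.jsch.JSchAlgoNegoFailException: '
    'Algorithm negotiation fail: algorithmName="server_host_key" '
    'jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,'
    'rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-dss"',
    '2023-08-16 10:12:04 INFO  ftp - transfer complete',
]

# Host-key algorithms treated as legacy here (assumption for this example):
# ssh-dss is 1024-bit DSA with SHA-1, ssh-rsa is RSA with SHA-1 signatures.
LEGACY_HOST_KEY_ALGORITHMS = {"ssh-dss", "ssh-rsa"}

# Matches the three quoted fields of a JSchAlgoNegoFailException message.
NEGO_RE = re.compile(
    r'JSchAlgoNegoFailException: Algorithm negotiation fail: '
    r'algorithmName="(?P<name>[^"]+)" '
    r'jschProposal="(?P<client>[^"]*)" '
    r'serverProposal="(?P<server>[^"]*)"'
)


def split_proposal(text):
    """Turn the comma-separated proposal string into a list, keeping order."""
    return [algo for algo in text.split(",") if algo]


def parse_negotiation_failure(line):
    """Return (algorithm_name, client_list, server_list) or None if no match.

    Curly quotes (as pasted from forum posts) are normalised to straight ones
    before matching.
    """
    normalised = line.replace("\u201c", '"').replace("\u201d", '"')
    match = NEGO_RE.search(normalised)
    if match is None:
        return None
    return (match.group("name"),
            split_proposal(match.group("client")),
            split_proposal(match.group("server")))


def diagnose(line):
    """Explain one negotiation failure; None for lines that are not one."""
    parsed = parse_negotiation_failure(line)
    if parsed is None:
        return None
    name, client, server = parsed
    # Overlap in client preference order: empty overlap is exactly the failure.
    common = [algo for algo in client if algo in server]
    server_legacy_only = bool(server) and all(
        algo in LEGACY_HOST_KEY_ALGORITHMS for algo in server)
    if common:
        cause = "proposals overlap; failure is not a pure algorithm mismatch"
    elif server_legacy_only:
        cause = ("server offers only legacy algorithm(s) %s that the client "
                 "no longer proposes; fix on the server side" % ",".join(server))
    else:
        cause = "no common algorithm; compare both lists"
    return {
        "algorithm": name,
        "client_offers": client,
        "server_offers": server,
        "common": common,
        "server_legacy_only": server_legacy_only,
        "cause": cause,
    }


def scan_log(lines):
    """Diagnose every JSch negotiation failure found in an iterable of lines."""
    return [d for d in (diagnose(line) for line in lines) if d is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["algorithm"], "->", finding["cause"])
```

Run it against your Lucee or Tomcat log (for example `scan_log(open("catalina.out"))`): a result with an empty `common` list and `server_legacy_only` set means the remote SFTP host only has a DSA or SHA-1 RSA host key, and the durable fix is a modern host key (for example ed25519 or RSA with rsa-sha2 signatures) on that server; re-enabling the legacy algorithm on the client, as in the Jira workaround linked above, only restores the old, weaker negotiation.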

5.3.8.237 as per this advisory is patched against the CVE, so you are all good

1 Like

@Zackster We are considering if we should update, since it will be a tedious process in our case, while at the same time we will be phasing out the software that includes Lucee soon.
Therefore I am looking for more information to assess the risk of this vulnerability. Is more information available regarding the CVE? What exactly is the vulnerability? Is it known if it has been exploited already?

I think we’d all :gift_heart: a full write up at some point, as I don’t see an obvious exploit chain from ‘svg can contain local file content’ per NVD - CVE-2023-38633 to compromise of Lucee (via admin ?)

There is a write up coming; however, we have a few open regressions with 5.4.3, which have all been addressed in 5.4.3.7-SNAPSHOT. Once that is tested and a new stable comes out, a write up will be posted.

2 Likes

Just adding a note that CVE-2023-38633 is an unrelated vulnerability. Too many numbers, and too easy to get them jumbled. :joy: This vulnerability is CVE-2023-38693, and the CVE record is still “reserved.”

3 Likes