@OKliewer I’m not sure I’m understanding your post correctly.
Is the issue that you can’t access the admin, or that you can’t upgrade?
The Lucee light version doesn’t have any extension, so it doesn’t have any Lucee Administrator (which is an extension).
If I want to install the default Lucee jar and have issues like you’re having, I’d do the following:
Important: The steps below will also wipe out previous settings saved to your Web-/Server-Administrators, so if you had any settings saved there, do a settings export with CommandBox cfconfig tool as backup or back them up differently (snapshot, image or whatever).
stop Lucee service/instance,
remove the old lucee.jar from the lib folder
drop the new lucee.jar into the lib folder
remove the directory /path-to-lucee-installation/tomcat/lucee-server
remove the web-inf folder of each web-context(usually in the wwwroot of your application)
restart Lucee and wait for the contexts to be created
This will deploy a new and clean lucee-server directory and also the web-inf context folders.
There seems to be a substantial change to the Docker image between 22.214.171.124 and 126.96.36.199. Here’s the Docker hub scan results of two images of our app that differ only in the Lucee image version:
(1.19 is 188.8.131.52, 1.20 is 184.108.40.206)
That seems to be a big change. Have you changed anything other than the mitigation for this CVE in this image? I note there was a 220.127.116.11 between .166 and 1.73 too: I will try to dig out a list of what went into .172 and check how that stuff might be likely to change the base image.
I see there’s also a 18.104.22.168, so checked that too.
Additionally, after seeing a thread on Slack by @dswitzer, who had issues within the Lucee Administrator (not being able to load certain administrator pages), I can confirm that I had a similar issue on test upgrades in Ubuntu (it might be the same on Windows): The Lucee Administrator was not fully deployed when upgrading with the full lucee-22.214.171.124.jar. If you are finding the same issues, you might need to do the following:
ATTENTION: Make a backup of your Administrator Settings first. This will wipe all settings made through your Lucee Administrator (e.g. password, mappings, etc).
UPDATED thanks to @Zackster’s remarks below:
Step 1: Stop Lucee
Step 2: lucee-server.xml at path-to-lucee/tomcat/lucee-server/context/lucee-server.xml
Step 2: delete “lucee-server” directory
Step 3: restart Lucee and wait for Lucee to fully redeploy your “lucee-server” folder.
Step 4: copy the lucee-server.xml back to the path-to-lucee/tomcat/lucee-server/context/lucee-server.xml
For anyone having issues getting a 404 when accessing either /lucee/admin/server.cfm or /lucee/admin/web.cfm, the problem is that for some reason Lucee cannot find the “overview” page. This is the only administrator page that seems to be a problem and there appear to be several workarounds:
You can go manually alter the URL and go to any other admin page (e.g. /lucee/admin/server.cfm?action=server.cache). Every other page appears to work, just avoid the “overview” page.
Keep restarting Tomcat (or your servlet engine) until it works. Usually restarting Tomcat once is enough to get it to work, but sometimes I’ve had to restart multiple times.
Either way, it eventually will start working. From what I can tell, once it starts working it seems to be fine. However, I haven’t done enough testing to know if it might stop working again on a future restart of Tomcat.
In response to andreas:
I am sorry I was not clear about what was wrong. My bad!
The install does work. The apps come up and I can log in and see no issue. I just cannot access the admin.
We chose to go with the light version and only use the extensions we need. With light, we absolutely did have the admin extension separate.
In response to Zackster:
The URL I have always used: https://[hostname]:[hostport]/[appname]/lucee/admin/server.cfm
Something I just realized this morning is the instances we have on our local developer workstations which are running Windows, the admin opens just fine. We have two different servers for dev and test as we are in the middle of upgrade. dev is RHEL8 and test is RHEL7. The admin with the above URL will not open…just 404 error.