Lucee Critical Security Alert, August 15th, 2023 - CVE-2023-38693

We are trying to apply to Starting of course with dev & test environments.

We do not use the admin or the .lco when applying patches. We replace the jar in lib. Normally we just use the light jar, but tried the fat jar in case that was our issue to no avail.

Every single attempt, the admin will not come up. We get an HTTP ERROR 404 when trying to hit it. We did try dropping the admin lco in the deploy folder again and that did not work either.

Normally applying patches is a 5 minutes per server and is the most stable maintenance we perform but this one has stumped us.

What are we missing?

@OKliewer I’m not sure I’m understanding your post correctly.

Is the issue that you can’t access the admin, or that you can’t upgrade?

The lucee light version doesn’t have any extension, so it doesn’t have any Lucee Administrator (which is an extension).

If I want to install the default lucee jar and have issues like you’re having, i’d do the following:

Important: The steps below will also wipe out previous settings saved to your Web-/Server-Administrators, so if you had any settings saved there, do a settings export with CommndBox cfconfig tool as backup or back them up differently (snapshot, image or whatever).

  1. stop Lucee service/instance,
  2. remove the old lucee.jar from the lib folder
  3. drop the new lucee.jar into the lib folder
  4. remove the directory /path-to-lucee-installation/tomcat/lucee-server
  5. remove the web-inf folder of each web-context(usually in the wwwroot of your application)
  6. restart Lucee and wait for the contexts to be created

This will deploy a new and clean lucee-server directory and also the web-inf context folders.

There has been quite a lot of additional hardening added to the admin, which url are you hitting?

You need to include the web.cfm or server.cfm, simply will no longer work

There seems to be a substantial change to the Docker image between and Here’s the Docker hub scan results of two images of our app that differ only in the Lucee image version:


(1.19 is, 1.20 is

That seems to be a big change. Have you changed anything other that the mitigation for this CVE in this image? I note there was a between .166 and 1.73 too: I will try to dig out a list of what went into .172 and check how that stuff might be likely to change the base image.

I see there’s also a, so checked that too.

I do not see anything in this lot that would create such a significant change in the Docker image:"LDEV"%20and%20fixVersion%20IN(

1 Like

Additionally, after seeing a thread on Slack by @dswitzer, who had issues within the Lucee Administrator (not being able to load certain administrator pages), I can confirm that I had a similar issue on test upgrades in Ubuntu (it might be the same on Windows): The Lucee Administrator were not fully deployed when upgrading with the full lucee- If you are finding the same issues, you might need to do the following:

ATTENTION: Make a backup of your Administrator Settings first. This will wipe all settings made through your Lucee Administrator (e.g. password, mappings, etc).

UPDATED thanks to @Zackster remarks below:
Step 1: Stop Lucee
Step 2: lucee-server.xml at path-to-lucee/tomcat/lucee-server/context/lucee-server.xml
Step 2: delete “lucee-server” directory
Step 3: restart Lucee and wait Lucee to fully redeploy your “lucee-server” folder.
Step 4: copy the lucee-server.xml back to the path-to-lucee/tomcat/lucee-server/context/lucee-server.xml

that’s a bit extreme nuking that whole folder, you can backup the lucee-server.xml file to keep all your settings, we are investigating this problem

1 Like

stopping the server, deleting cfclasses and restarting seems to do the trick

For anyone having issues getting a 404 with the when accessing either /lucee/admin/server.cfm or /lucee/admin/web.cfm, the problem is that for some reason Lucee cannot find the “overview” page. This is the only administrator page that seems to be a problem and there appear to be several workarounds:

  • You can go manually alter the URL and go to any other admin page (e.g. /lucee/admin/server.cfm?action=server.cache). Every other page appears to work, just avoid the “overview” page.
  • Keep restarting Tomcat (or your servlet engine) until it works. Usually restarting Tomcat once is enough to get it to work, but sometimes I’ve had to restart multiple times.

Either way, it eventually will start working. From what I can tell, once it starts working it seems to be fine. However, I haven’t done enough testing to know if it might stop working again on a future restart of Tomcat.


In response to andreas:
I am sorry I was not clear about what was wrong. My bad!

The install does work. The apps come up and I can login and see no issue. I just cannot access the admin.

We chose to go with the light version and only use the extensions we need. With light, we absolutely did have the admin extension separate.

In response to Zackster:
The URL I have always used: https://[hostname]:[hostport]/[appname]/lucee/admin/server.cfm

Something I just realized this morning is the instances we have on our local developer workstations which are running Windows, the admin opens just fine. We have two different servers for dev and test as we are in the middle of upgrade. dev is RHEL8 and test is RHEL7. The admin with the above URL will not open…just 404 error.


Something hit me about what Zackseter said so I removed the [APPNAME] from the URL and the admin is again accessible.

The overview page just ways

Seriously, thank you all for helping work through this.


We only have in place a single docker build process, so that’s what we used to provide for this critical patch

our current docker image is latest java 11, latest tomcat 9 on top of a fully up to date ubuntu image with as few CVEs in the base ubuntu image as possible

you need to take into consideration and differentiate between OS patches and java patches, headline numbers are meaningless

If you want to reuse the older CVE ridden docker image, feel free to do some docker kung-fu yourself at top the old image and use that.

I don’t know why this works but I fixed the “requested action doesn’t exist” error on the overview page by installing and then uninstalling the Chart Extension.

Went to follow freddybob’s suggestion just now and the overview page is magically working again :face_with_raised_eyebrow:

I just published, this should solve


FYI This regression was just reported by a user updating from 5.3.10


Hi Zackster and all the community, sorry for my ignorance, but based on this information:

If our server is already running, how we temporarly hotfix it (while we make the necessary changes in our code and do all the battery of tests to be compatible with

Thank You!

Hi I tried the upgrade to but it breaks CFFTP

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName=“server_host_key” jschProposal=“ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256” serverProposal=“ssh-dss”

I had that issue also, I fixed it by stopping lucee for 120 seconds then starting her again

1 Like

that’s due to the upgraded jsch library, which has turned off older insecure algorithms by default

did you look in jira?"Algorithm%20negotiation%20fail*" there’s a workaround as per this advisory is patched against the CVE, so you are all good

1 Like