Lucee Critical Security Alert, August 15th, 2023 - CVE-2023-38693

We are trying to apply 5.4.3.2 to 5.4.2.17. Starting of course with dev & test environments.

We do not use the admin or the .lco when applying patches. We replace the jar in lib. Normally we just use the light jar, but tried the fat jar in case that was our issue to no avail.

Every single attempt, the admin will not come up. We get an HTTP ERROR 404 when trying to hit it. We did try dropping the admin lco in the deploy folder again and that did not work either.

Normally applying patches is a 5 minutes per server and is the most stable maintenance we perform but this one has stumped us.

What are we missing?

@OKliewer I’m not sure I’m understanding your post correctly.

Is the issue that you can’t access the admin, or that you can’t upgrade?

The lucee light version doesn’t have any extension, so it doesn’t have any Lucee Administrator (which is an extension).

If I want to install the default lucee jar and have issues like you’re having, I’d do the following:

Important: The steps below will also wipe out previous settings saved to your Web-/Server-Administrators, so if you had any settings saved there, do a settings export with the CommandBox cfconfig tool as backup or back them up differently (snapshot, image or whatever).

  1. stop Lucee service/instance,
  2. remove the old lucee.jar from the lib folder
  3. drop the new lucee.jar into the lib folder
  4. remove the directory /path-to-lucee-installation/tomcat/lucee-server
  5. remove the web-inf folder of each web-context (usually in the wwwroot of your application)
  6. restart Lucee and wait for the contexts to be created

This will deploy a new and clean lucee-server directory and also the web-inf context folders.

There has been quite a lot of additional hardening added to the admin, which url are you hitting?

You need to include the web.cfm or server.cfm, simply http://127.0.0.1:8888/lucee/admin/ will no longer work

There seems to be a substantial change to the Docker image between 5.3.9.166 and 5.3.9.173. Here’s the Docker hub scan results of two images of our app that differ only in the Lucee image version:

[image: Docker Hub scan results for the two images]

(1.19 is 5.3.9.166, 1.20 is 5.3.9.173)

That seems to be a big change. Have you changed anything other than the mitigation for this CVE in this image? I note there was a 5.3.9.172 between .166 and .173 too: I will try to dig out a list of what went into .172 and check how that stuff might be likely to change the base image.


Update
I see there’s also a 5.3.9.170, so checked that too.

I do not see anything in this lot that would create such a significant change in the Docker image:
https://luceeserver.atlassian.net/jira/software/c/projects/LDEV/issues/?filter=allissues&jql=project%20%3D%20"LDEV"%20and%20fixVersion%20IN(5.3.9.170%2C5.3.9.172)%20ORDER%20BY%20created%20DESC

1 Like

Additionally, after seeing a thread on Slack by @dswitzer, who had issues within the Lucee Administrator (not being able to load certain administrator pages), I can confirm that I had a similar issue on test upgrades in Ubuntu (it might be the same on Windows): The Lucee Administrator was not fully deployed when upgrading with the full lucee-5.4.3.2.jar. If you are finding the same issues, you might need to do the following:

ATTENTION: Make a backup of your Administrator Settings first. This will wipe all settings made through your Lucee Administrator (e.g. password, mappings, etc).

UPDATED thanks to @Zackster’s remarks below:
Step 1: Stop Lucee
Step 2: back up lucee-server.xml from path-to-lucee/tomcat/lucee-server/context/lucee-server.xml
Step 3: delete the “lucee-server” directory
Step 4: restart Lucee and wait for Lucee to fully redeploy your “lucee-server” folder.
Step 5: copy the lucee-server.xml back to path-to-lucee/tomcat/lucee-server/context/lucee-server.xml
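The clean-redeploy procedure given earlier in the thread (swap the jar, remove lucee-server and the WEB-INF folders, restart) and the lucee-server.xml backup-and-restore steps above are the same operation once you put them together. The script below is an added example, not a Lucee project script or anything posted in this thread. It assumes a layout of `$LUCEE_HOME/tomcat/lib/lucee*.jar`, `$LUCEE_HOME/tomcat/lucee-server/context/lucee-server.xml` and one `WEB-INF` per web root, and it takes the service start/stop commands from the assumed environment variables `LUCEE_STOP_CMD` and `LUCEE_START_CMD`. It also goes one step beyond the thread: if `LUCEE_JAR_SHA256` is set, the new jar is refused unless its checksum matches, so a tampered or half-downloaded jar never reaches the lib folder.

```shell
#!/bin/sh
# Added example: clean redeploy of a Lucee jar with settings preserved.
# Not Lucee's own tooling. Assumed layout (matches the thread, but verify yours):
#   $LUCEE_HOME/tomcat/lib/lucee*.jar                         jar being replaced
#   $LUCEE_HOME/tomcat/lucee-server/context/lucee-server.xml   admin settings
#   <webroot>/WEB-INF                                          per web-context folder
# LUCEE_STOP_CMD / LUCEE_START_CMD / LUCEE_JAR_SHA256 are assumed environment variables.
set -eu

# Copy lucee-server.xml aside before lucee-server/ is removed; prints the backup path.
backup_settings() {
  home="$1"; dest="$2"
  cfg="$home/tomcat/lucee-server/context/lucee-server.xml"
  [ -f "$cfg" ] || { echo "no settings file at $cfg" >&2; return 1; }
  mkdir -p "$dest"
  cp "$cfg" "$dest/lucee-server.xml.bak"
  echo "$dest/lucee-server.xml.bak"
}

# Replace the jar in tomcat/lib. With an expected SHA-256, refuse a jar that does not match.
swap_jar() {
  home="$1"; newjar="$2"; expected="${3:-}"
  if [ -n "$expected" ]; then
    actual=$(sha256sum "$newjar" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $newjar" >&2; return 1; }
  fi
  rm -f "$home"/tomcat/lib/lucee*.jar
  cp "$newjar" "$home/tomcat/lib/lucee.jar"
}

# Remove the generated directories so Lucee rebuilds them cleanly on the next start.
clean_contexts() {
  home="$1"; shift
  rm -rf "$home/tomcat/lucee-server"
  for root in "$@"; do
    rm -rf "$root/WEB-INF"
  done
}

# Poll until Lucee has recreated the lucee-server context directory (timeout in seconds).
wait_for_context() {
  home="$1"; timeout="${2:-120}"
  i=0
  while [ ! -d "$home/tomcat/lucee-server/context" ]; do
    i=$((i + 1))
    [ "$i" -le "$timeout" ] || { echo "context not created after ${timeout}s" >&2; return 1; }
    sleep 1
  done
}

# Put the saved settings back once the fresh context exists.
restore_settings() {
  home="$1"; backup="$2"
  ctx="$home/tomcat/lucee-server/context"
  [ -d "$ctx" ] || { echo "context directory $ctx missing" >&2; return 1; }
  cp "$backup" "$ctx/lucee-server.xml"
}

# The whole procedure: back up, stop, swap jar, wipe generated dirs, start, wait, restore.
redeploy() {
  home="$1"; newjar="$2"; shift 2
  backup=$(backup_settings "$home" "$home/settings-backup")
  ${LUCEE_STOP_CMD:?set LUCEE_STOP_CMD, e.g. 'systemctl stop lucee'}
  swap_jar "$home" "$newjar" "${LUCEE_JAR_SHA256:-}"
  clean_contexts "$home" "$@"
  ${LUCEE_START_CMD:?set LUCEE_START_CMD, e.g. 'systemctl start lucee'}
  wait_for_context "$home" 120
  restore_settings "$home" "$backup"
  echo "redeployed $(basename "$newjar"); settings restored from $backup"
}

# Usage: sh lucee-redeploy.sh run /opt/lucee /tmp/lucee-5.4.3.2.jar /var/www/app1 [more webroots]
if [ "${1:-}" = "run" ]; then
  shift
  redeploy "$@"
fi
```

Each function is separately callable, so you can run just `backup_settings` before a manual upgrade, or just `swap_jar` with a checksum when you only replace the jar as the original poster does. The backup is taken before the service is stopped so that a stop command that hangs never leaves you without the settings copy.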

that’s a bit extreme, nuking that whole folder; you can back up the lucee-server.xml file to keep all your settings. We are investigating this problem.

1 Like

stopping the server, deleting cfclasses and restarting seems to do the trick

For anyone having issues getting a 404 when accessing either /lucee/admin/server.cfm or /lucee/admin/web.cfm, the problem is that for some reason Lucee cannot find the “overview” page. This is the only administrator page that seems to be a problem and there appear to be several workarounds:

  • You can go manually alter the URL and go to any other admin page (e.g. /lucee/admin/server.cfm?action=server.cache). Every other page appears to work, just avoid the “overview” page.
  • Keep restarting Tomcat (or your servlet engine) until it works. Usually restarting Tomcat once is enough to get it to work, but sometimes I’ve had to restart multiple times.

Either way, it eventually will start working. From what I can tell, once it starts working it seems to be fine. However, I haven’t done enough testing to know if it might stop working again on a future restart of Tomcat.

2 Likes

In response to andreas:
I am sorry I was not clear about what was wrong. My bad!

The install does work. The apps come up and I can login and see no issue. I just cannot access the admin.

We chose to go with the light version and only use the extensions we need. With light, we absolutely did have the admin extension separate.

In response to Zackster:
The URL I have always used: https://[hostname]:[hostport]/[appname]/lucee/admin/server.cfm

Something I just realized this morning is that on the instances we have on our local developer workstations, which are running Windows, the admin opens just fine. We have two different servers for dev and test as we are in the middle of the upgrade. Dev is RHEL8 and test is RHEL7. The admin with the above URL will not open…just a 404 error.

EDIT:

Something hit me about what Zackster said, so I removed the [APPNAME] from the URL and the admin is again accessible.

The overview page just says:
[image]

Seriously, thank you all for helping work through this.

2 Likes

We only have in place a single docker build process, so that’s what we used to provide for this critical patch

our current docker image is latest java 11, latest tomcat 9 on top of a fully up to date ubuntu image with as few CVEs in the base ubuntu image as possible

you need to take into consideration and differentiate between OS patches and java patches, headline numbers are meaningless

If you want to reuse the older CVE-ridden docker image, feel free to do some docker kung-fu yourself on top of the old image and use that.

I don’t know why this works but I fixed the “requested action doesn’t exist” error on the 5.4.3.2 overview page by installing and then uninstalling the Chart Extension.

Went to follow freddybob’s suggestion just now and the overview page is magically working again 🤨

I just published 5.4.3.4-SNAPSHOT, this should solve

2 Likes

FYI This regression was just reported by a user updating from 5.3.10

https://luceeserver.atlassian.net/browse/LDEV-4676

3 Likes

Hi Zackster and all the community, sorry for my ignorance, but based on this information:

If our server is already running 5.3.8.237, how do we temporarily hotfix it (while we make the necessary changes in our code and do all the battery of tests to be compatible with 5.4.3.2)?

Thank You!

Hi, I tried the upgrade to 5.4.3.2 but it breaks CFFTP

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-dss"

I had that issue also; I fixed it by stopping lucee for 120 seconds, then starting her again

1 Like

that’s due to the upgraded jsch library, which has turned off older insecure algorithms by default

did you look in Jira? (Issue navigator - Lucee) there’s a workaround

5.3.8.237 as per this advisory is patched against the CVE, so you are all good

1 Like