@Zackster We are considering if we should update, since it will be a tedious process in our case, while at the same time we will be phasing out the software that includes Lucee soon.
Therefore I am looking for more information to assess the risk of this vulnerability. Is more information available regarding the CVE? What exactly is the vulnerability? Is it known if it has been exploited already?
I think we'd all a full write up at some point, as I don't see an obvious exploit chain from "svg can contain local file content" per NVD - CVE-2023-38633 to compromise of Lucee (via admin?)
There is a write up coming; however, we have a few open regressions with 5.4.3 which have all been addressed in 5.4.3.7-SNAPSHOT. Once that is tested and a new stable comes out, a write up will be posted.
Just adding a note that CVE-2023-38633 is an unrelated vulnerability. Too many numbers, and too easy to get them jumbled. This vulnerability is CVE-2023-38693, and the CVE record is still "reserved."
Is there any technical information available for the type of vulnerability that was found? I understand that can be sensitive, but at the same time I would like to evaluate the threat to know the priority for patching.
If I was running Lucee for only internal apps behind a firewall is it still a critical or a high?
Alternately, if you say the priority is uber-critical no matter what, I'll take that on faith.
I am currently using Lucee 5.3.7.48, and attempting to upgrade to one of the versions you mentioned. When doing so, I am getting the following error when attempting to use cfspreadsheet (POI library):

> Lucee 5.4.3.2 Error (org.apache.poi.POIXMLException)
> Message: java.lang.reflect.InvocationTargetException
> Stacktrace: The Error Occurred in /org/cfpoi/spreadsheet/Spreadsheet.cfc: line 2343
Does anyone know a solution to this?
Hi,
I would start by looking in the Bundles section in the admin area to see if there is a jar file conflict somewhere about the cfspreadsheet plugin.
We had a similar error (java.lang.reflect.InvocationTargetException, but related to owasp.esapi) a few days after an upgrade of Lucee, and finally it was fixed again after downgrading the plugin and upgrading it a few times + a few reboots. It was very strange, to be honest. Not sure why this happened and why it came back OK.
My search for a solution had brought me here : [LDEV-3975] - Lucee
And if it can reassure you or guide you in the right direction, we have upgraded and cfspreadsheet works very well without throwing any error.
Please install the latest stable release first. That is 5.4.3.15
May I know for 5.3.10.97, what version we shall update to?
Thanks for the response! I have tried your suggestions, but unfortunately for me it's still not working. Maybe I need to upgrade + reboot a few more times.
It's good to know you have cfspreadsheet working fine, at least there's hope!
Here are the steps I have taken:
- Uninstall cfspreadsheet Extension
- Upgrade Lucee to 5.4.3.15
- Install cfspreadsheet version 3.0.3 (there is only one version available)

I am still receiving the error I pasted above. Here is more output of the StackTrace:
```
lucee.runtime.exp.NativeException: java.lang.reflect.InvocationTargetException
    at org.apache.poi.POIXMLFactory.createDocumentPart(POIXMLFactory.java:63)
    at org.apache.poi.POIXMLDocumentPart.read(POIXMLDocumentPart.java:625)
    at org.apache.poi.POIXMLDocument.load(POIXMLDocument.java:186)
    at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:260)
    at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:181)
    at org.apache.poi.ss.usermodel.WorkbookFactory.create(WorkbookFactory.java:140)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at lucee.runtime.reflection.pairs.MethodInstance.invoke(MethodInstance.java:56)
    at lucee.runtime.java.JavaObject.call(JavaObject.java:265)
    at lucee.runtime.java.JavaObject.call(JavaObject.java:287)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:787)
    at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1775)
    at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall8(/org/cfpoi/spreadsheet/Spreadsheet.cfc:2343)
    at org.cfpoi.spreadsheet.spreadsheet_cfc$cf.udfCall(/org/cfpoi/spreadsheet/Spreadsheet.cfc)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
    at lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:213)
    at lucee.runtime.type.scope.UndefinedImpl.callWithNamedValues(UndefinedImpl.java:804)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:866)
```
Do you have any other suggestions as to what I can try? I appreciate any help you are able to offer
Also, fwiw here are the only things I see in the Bundle section regarding "spreadsheet":
Do you see anything that is wrong with either of these?
It would be better if you opened a new thread for this topic. I downloaded https://raw.githubusercontent.com/Leftbower/cfspreadsheet-lucee-5/master/cfspreadsheet-lucee-5.lex and put it in the deploy directory. It will be installed automatically.
URGENT ADVICE
If you haven't already upgraded to a version listed above, your server is vulnerable, and we will finally be publishing the source code and a writeup next week.
We are currently running version 5.3.2.0077-pI0
Can we upgrade directly to version 5.4.3.2 from the version listed above? My apologies in advance, as I'm new to this process and have never done an upgrade before.
Thank you in advance!
You should test it in advance but yes, you can upgrade directly, there is no reason to upgrade in steps.
I would not upgrade to 5.4.3.2 version because it has known issues. Instead upgrade to the latest stable release for version 5.4.3.x which I think is currently 5.4.3.16.
Lucee version 6.0 has also been released it seems. FYI.
So it looks like 5.4.3.15 or 16 is the latest stable version.
Can someone confirm this below is the process for upgrading?
If I'm reading correctly, the upgrade process I should take is:
- Snapshot the server in case I need to roll it back
- Download the .lco file and put it into the `lucee-server\deploy` folder
- Download the lucee.jar from the Lucee downloads page
- Stop your Lucee Server (the Servlet Engine)
- Replace the existing lucee.jar with the downloaded version
- Restart your Lucee Server
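The jar-replacement steps above, carried out as a script. This is an added example, not code from this thread or from the Lucee project. It assumes the jar lives in a directory you pass in (for a Tomcat install that is normally the servlet engine's lib directory), that you have the SHA-256 of the downloaded jar from a trusted source, and that LUCEE_STOP_CMD / LUCEE_START_CMD hold whatever stops and starts your servlet engine (they default to no-ops so the functions can be exercised offline). The version check goes one step beyond the post: it confirms the installed build really is older than the target before anything is touched, and it copes with suffixed build strings such as 5.4.3.7-SNAPSHOT or the 5.3.2.0077-pI0 mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the Lucee thread or project): manual lucee.jar swap
# with a pre-flight version comparison and checksum verification.
# Assumptions: the caller supplies the installed version string, the expected
# SHA-256 comes from a trusted source, and LUCEE_STOP_CMD / LUCEE_START_CMD
# are set to the commands that stop/start the servlet engine (default: no-op).

# version_lt INSTALLED TARGET
# Returns 0 when INSTALLED is older than TARGET, 1 when equal or newer.
# Compares up to four dotted numeric components; anything after the first
# non-numeric character (e.g. "-SNAPSHOT", "-pI0") is ignored, and leading
# zeros ("0077") are dropped so the comparison is numeric, not lexical.
version_lt() {
  a="$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0.0"
  b="$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0.0"
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/^0*//')
    y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/^0*//')
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# sha256_of FILE: print the hex SHA-256 digest, using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# swap_lucee_jar LIBDIR NEWJAR EXPECTED_SHA256
# Verifies the downloaded jar against the expected digest, stops the engine,
# keeps a backup of the old jar as lucee.jar.bak (for the roll-back step),
# puts the new jar in place and starts the engine again. Nothing is changed
# if any check fails.
swap_lucee_jar() {
  libdir=$1
  newjar=$2
  expected=$3
  [ -f "$libdir/lucee.jar" ] || { echo "no lucee.jar in $libdir" >&2; return 1; }
  [ -f "$newjar" ] || { echo "missing $newjar" >&2; return 1; }
  actual=$(sha256_of "$newjar")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $newjar: got $actual, expected $expected" >&2
    return 1
  fi
  ${LUCEE_STOP_CMD:-true}
  cp -p "$libdir/lucee.jar" "$libdir/lucee.jar.bak" || return 1
  cp "$newjar" "$libdir/lucee.jar" || return 1
  ${LUCEE_START_CMD:-true}
}

# Usage (hypothetical paths):
#   version_lt 5.3.7.48 5.4.3.16 && \
#     LUCEE_STOP_CMD="systemctl stop lucee" LUCEE_START_CMD="systemctl start lucee" \
#     swap_lucee_jar /opt/tomcat/lib ./lucee-5.4.3.16.jar <sha256 from the release page>
```

The .lco step is not scripted: dropping it into the deploy folder is enough, as noted further down in the thread, since Lucee installs it on its own. The script only covers the jar replacement, refuses to proceed on a checksum mismatch, and leaves lucee.jar.bak beside the new jar so the roll-back is a single copy if the new build misbehaves.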
 
Might be better to re-install if yours is old. There were the Java library updates in Lucee, and then there are Tomcat and JRE security updates. The only gotcha I had in Ubuntu was getting the modcfml SharedKey correct. I just stopped Lucee, renamed the old directory, re-installed, and fixed the key.
