We are aware of a potential security vulnerability related to the Lucee Admin. Details of how to exploit this vulnerability will be made public on December 5th, 2020 by a third party, so we are alerting Lucee users to address this potential issue now.

image1240×698 333 KB

If your Lucee Admin is already locked down, this is not an issue. To lock down your admin, follow the recommendations in the Lucee Lockdown Guide.

In addition, we strongly recommend updating to one of the following stable releases which have been patched to address the vulnerability:

5.3.5.96
5.3.6.68
5.3.7.47

(Note: JavaMail has been updated to 1.6.2 as this was preventing many people from updating.)

We do not have an installer for 5.3.7 yet and we do not have one for these updates either, so you will need to either update via your (locked down) Lucee Server Admin, or simply drop the relevant Lucee.jar (ie. download https://cdn.lucee.org/lucee-5.3.7.47.jar from https://download.lucee.org/ under Release) into your \tomcat\lucee-server\deploy directory to auto update.

Thanks for publishing the advisory Joy! I’ve updated the HackMyCF service to alert customers for the vulnerable versions of Lucee, though it would have already been warning them if their Lucee admin was public.

I realize that Lucee 4.5 is no longer supported so there won’t be an update, but for the purposes of anyone who might still be using it, do you know if that version is also vulnerable?

Thank You!
Pete Freitag
Foundeo Inc.

I don’t believe Lucee 4.5 is affected.

But as usual, if the admin isn’t locked down, it should be considered vulnerable unless it’s locked down.

Anyone locking down access to the admin should make sure their webserver restrictions apply to every site, not just for configured sites, i.e. not just per virtualhost.

There is also an environment variable, LUCEE_ADMIN_ENABLED=false which disables access to the admin altogether, which was added in 5.3.3.45 (it does require the Lucee to be restarted to pick up any changes to this environment variable)

here’s a nice upgrade success story

Thanks a lot, we have updated all installation and made tomcat optimization.

Here is the story about the vulnerability

Here is the CVE-2021-21307

I know this is a litte bit late, but there is a part of the installation video series that show how to lock down the admin for a more visual step by step approach:

Windows Server 2019 and IIS:

Ubuntu 20.04LTS with Apache2:

To all who still haven’t updated their Lucee version or closed the public internet access to their Lucee administrators, now it’s really time to get it done. Exploit code has been submited for Metasploit a few days ago. Please see Lucee Administrator imgProcess.cfm Arbitrary File Write ≈ Packet Storm

Here’s an update for Apache 2.4:

<Location "/lucee/">
  Require ip 127.0.0.1
</Location>

cPanel root users can apply this globally via:

WHM > Service Configuration > Apache Configuration > Include Editor > Post VirtualHost Include