Lucee Vulnerability Alert - November 2020, CVE-2021-21307

We are aware of a potential security vulnerability related to the Lucee Admin. Details of how to exploit this vulnerability will be made public on December 5th, 2020 by a third party, so we are alerting Lucee users to address this potential issue now.

If your Lucee Admin is already locked down, this is not an issue. To lock down your admin, follow the recommendations in the Lucee Lockdown Guide.

In addition, we strongly recommend updating to one of the following stable releases which have been patched to address the vulnerability:

5.3.5.96
5.3.6.68
5.3.7.47

(Note: JavaMail has been updated to 1.6.2 as this was preventing many people from updating.)

We do not have an installer for 5.3.7 yet and we do not have one for these updates either, so you will need to either update via your (locked down) Lucee Server Admin, or simply drop the relevant Lucee.jar (i.e. download https://cdn.lucee.org/lucee-5.3.7.47.jar from https://download.lucee.org/ under Release) into your \tomcat\lucee-server\deploy directory to auto update.

5 Likes
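A small inventory check against the patched releases named in the advisory above (added example, not Lucee project code or part of the original post). It assumes that a 5.3.5.x, 5.3.6.x or 5.3.7.x build older than the patched release of its branch should be treated as vulnerable, and it reports every other branch as "unknown" rather than guessing, since the advisory does not name them.

```python
"""Classify Lucee version strings against the patched stable releases
listed in the November 2020 advisory for CVE-2021-21307.

Added example, not from the thread or the Lucee project.
Assumption: within the 5.3.5, 5.3.6 and 5.3.7 branches, anything older
than the patched build is reported as vulnerable; branches the advisory
does not mention are reported as "unknown" so an operator checks them
by hand instead of trusting this script.
"""
from typing import Tuple

# Patched stable releases from the advisory, keyed by 5.3.x branch.
PATCHED = {
    (5, 3, 5): (5, 3, 5, 96),
    (5, 3, 6): (5, 3, 6, 68),
    (5, 3, 7): (5, 3, 7, 47),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.3.7.47' or a jar name like 'lucee-5.3.7.47.jar' into (5, 3, 7, 47)."""
    core = version.strip()
    if core.startswith("lucee-"):
        core = core[len("lucee-"):]
    if core.endswith(".jar"):
        core = core[:-len(".jar")]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components, got {version!r}")
    return parts


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    v = parse_version(version)
    branch = v[:3]
    if branch not in PATCHED:
        return "unknown"
    # Tuple comparison is numeric per component, so 5.3.7.100 > 5.3.7.47.
    return "patched" if v >= PATCHED[branch] else "vulnerable"


def assess_inventory(versions):
    """Assess a list of (host, version) pairs, e.g. collected from lucee-server/deploy."""
    return {host: assess(ver) for host, ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("web-01.example", "5.3.7.40"),
        ("web-02.example", "lucee-5.3.7.47.jar"),
        ("web-03.example", "5.3.6.61"),
        ("legacy.example", "4.5.5.006"),
    ]
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {verdict}")
```

Feed it the jar names found in each server's deploy directory or the version reported by the (locked down) admin; anything marked "vulnerable" or "unknown" needs attention before the exploit details become public.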

Thanks for publishing the advisory Joy! I’ve updated the HackMyCF service to alert customers for the vulnerable versions of Lucee, though it would have already been warning them if their Lucee admin was public.

I realize that Lucee 4.5 is no longer supported so there won’t be an update, but for the purposes of anyone who might still be using it, do you know if that version is also vulnerable?

Thank You!
Pete Freitag
Foundeo Inc.

3 Likes

I don’t believe Lucee 4.5 is affected.

But as usual, if the admin isn’t locked down, it should be considered vulnerable unless it’s locked down.

Anyone locking down access to the admin should make sure their webserver restrictions apply to every site, not just for configured sites, i.e. not just per virtualhost.

There is also an environment variable, LUCEE_ADMIN_ENABLED=false, which disables access to the admin altogether; it was added in 5.3.3.45 (it does require Lucee to be restarted to pick up any changes to this environment variable).

4 Likes

here’s a nice upgrade success story

Thanks a lot, we have updated all installations and made Tomcat optimizations.

Here is the story about the vulnerability

1 Like

Here is the CVE-2021-21307

2 Likes

I know this is a little bit late, but there is a part of the installation video series that shows how to lock down the admin for a more visual step-by-step approach:

Windows Server 2019 and IIS:

Ubuntu 20.04LTS with Apache2:

1 Like

To all who still haven’t updated their Lucee version or closed the public internet access to their Lucee administrators, now it’s really time to get it done. Exploit code was submitted to Metasploit a few days ago. Please see Lucee Administrator imgProcess.cfm Arbitrary File Write ≈ Packet Storm

1 Like

Here’s an update for Apache 2.4:

<Location "/lucee/">
  Require ip 127.0.0.1
</Location>

cPanel root users can apply this globally via:

WHM > Service Configuration > Apache Configuration > Include Editor > Post VirtualHost Include

1 Like
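A way to confirm that a rule like the Apache `<Location "/lucee/">` block above actually took effect (added example, not from the thread or the Lucee project). Run it from a machine that is not in the allowed range, since the rule above still permits 127.0.0.1. It assumes the admin is served under `/lucee/admin/` (server.cfm and web.cfm) and that a successful lockdown answers with 401, 403 or 404 or refuses the connection; any 2xx response means the admin is still reachable from where you ran it.

```python
"""Verify from outside the allowed range that the Lucee admin is blocked.

Added example, not the thread's or Lucee's own code.
Assumptions: admin pages live under /lucee/admin/ (server.cfm, web.cfm);
a lockdown returns 401/403/404 or refuses the connection; a 2xx reply
means the admin is exposed to whoever runs this script.
"""
import socket
import sys
import urllib.error
import urllib.request

# Assumed admin entry points; adjust if your context path differs.
ADMIN_PATHS = ("/lucee/admin/server.cfm", "/lucee/admin/web.cfm")


def classify(status):
    """Map an HTTP status (None when nothing answered) to a verdict."""
    if status is None:
        return "locked (no response)"
    if status in (401, 403, 404):
        return "locked"
    if 200 <= status < 300:
        return "EXPOSED"
    return f"unexpected ({status})"


def fetch_status(url, timeout=5):
    """Return the final HTTP status for url, or None if nothing answered."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status  # urlopen follows redirects itself
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx still carry a status
    except (urllib.error.URLError, socket.timeout, OSError):
        return None  # refused, unresolved or timed out


def probe(base_url, timeout=5):
    """Check every admin path under base_url and return path -> verdict."""
    base = base_url.rstrip("/")
    return {path: classify(fetch_status(base + path, timeout)) for path in ADMIN_PATHS}


if __name__ == "__main__":
    # Usage: python check_admin.py https://www.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com"
    for path, verdict in probe(target).items():
        print(f"{path}: {verdict}")
```

Run it against every hostname that reaches the same Lucee instance, not only the configured virtual hosts, which is the point made earlier in the thread about applying the restriction to every site.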

Just FYI, this old ciacfug.org link has been taken over by spyware/adware site :frowning:

1 Like

thanks, updated the link to Updating Lucee as Part of a Vulnerability Alert Response - Painless as Promised, or ???