Security fix and new BER release

There is a new security fix available for Lucee 4.5 on the stable and dev
update providers, which you can install now. As is normal in this type of
situation, we will not disclose the issue being addressed, so as to protect
our current user base, but it is recommended to update as soon as possible.

This security fix is available for our current stable release (4.5.1.023)
on the stable release channel and for our BER release (4.5.2.005) on the
develop release channel.

For a manual installation you can download the core files from here
(https://bitbucket.org/lucee/lucee/downloads).

Micha

Can you not give us even the general area it might affect? E.g. if you are
not accepting a particular sort of request then you are safe.
What about impact - is this remote unauthenticated command execution as
root? I’m guessing not, so how much less bad is it?

Without this how is anyone meant to make an informed choice about whether
and when to apply the update?

Tom

On Thursday, August 6, 2015 at 1:45:35 PM UTC+1, Information Lucee wrote:


@Phil
4.5.1.023 is now on the Bitbucket download page; for some reason the
previous attempt to upload it failed.
We have also published 4.5.1.023 on the preview channel now.

@Adam
Yes, this also affects Railo.

@Tom
This time we did a special release (4.5.1.023) that only addresses the
security issue for the current stable release (4.5.1.022). So you don’t
have to install anything else to get this fix.
The fix addresses an XSS issue in the Lucee admin. The issue gives you
no access to the system.

Micha

On Thu, Aug 6, 2015 at 3:36 PM, Tom Chiverton <@Tom_Chiverton> wrote:



See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your
ticket NOW - http://www.cfcamp.org/

You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/f2879cb8-ebfa-414c-b8c9-556276e10d17%40googlegroups.com
https://groups.google.com/d/msgid/lucee/f2879cb8-ebfa-414c-b8c9-556276e10d17%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

Sure, we can improve our communication on this; luckily we do not have that
many security fixes :wink:
I’m happy that this time we had a security fix for the stable release, so
you don’t have to update to the latest BER release to get the fix.

Yeah, got that change of numbering scheme in just in time :slight_smile:
As long as things get better with time I’ll not moan too much!

Tom

On 6 August 2015 at 15:10, Michael Offner <@Michael_Offner> wrote:

Two quick bits of feedback:

  1. Build 4.5.1.023 is not available at the bitbucket downloads page
  2. The preview channel currently doesn’t have 4.5.1.023 either (but the
    stable channel does)

Thanks.

On Thursday, August 6, 2015 at 10:45:35 PM UTC+10, Information Lucee wrote:


We have completely forgotten to thank Pete Freitag from Foundeo
(https://foundeo.com) for bringing this security issue to our attention.

Thanks a lot!
The Lucee Team

On Thu, Aug 6, 2015 at 2:45 PM, Information Lucee <@Information_Lucee> wrote:


If you have locked down “/lucee/” you are fine.

Cheers.
This means for most people there is no rush to patch. Certainly Pete’s
HackMyCf service will moan if you haven’t restricted its access :slight_smile:

Yes, it certainly will, and as of a few minutes ago it will also look for
the absence of this patch.

On Thu, Aug 6, 2015 at 10:03 AM, Tom Chiverton <@Tom_Chiverton> wrote:

Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
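A local version of the two checks the thread turns on (is the fixed build installed, and is /lucee/ restricted), written as an added example for this page; it is not HackMyCF's or Lucee's code. The fixed builds are the ones the announcement names, 4.5.1.023 on the stable channel and 4.5.2.005 on the develop (BER) channel, and the script assumes that any build below the fixed one on the same line lacks the fix. The inventory format, the hostnames and the sample version strings other than those named in the thread are constructed; how you read a server's version is outside the script. The detail worth seeing is that the comparison has to be per line: a plain numeric compare ranks a 4.5.2 build below .005 as "newer than 4.5.1.023" and would call it patched.

```python
"""Triage Lucee servers against the August 2015 admin XSS fix.

Added example for this thread; not Lucee's or HackMyCF's code. The fixed
builds come from the announcement: 4.5.1.023 (stable channel) and 4.5.2.005
(develop/BER channel). Assumption: any build below the fixed one on the same
line lacks the fix. The inventory format, hostnames and the sample versions
other than those named in the thread are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# First build on each 4.5 line that carries the fix (from the announcement).
FIXED_BUILD: Dict[Tuple[int, int, int], int] = {
    (4, 5, 1): 23,  # 4.5.1.023, stable channel
    (4, 5, 2): 5,   # 4.5.2.005, develop/BER channel
}

STATUS_ORDER = {"exposed": 0, "unknown": 1, "mitigated": 2, "patched": 3}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split a Lucee 'a.b.c.ddd' version string into four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Lucee version: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return major, minor, patch, build


def has_admin_xss_fix(version: str) -> Optional[bool]:
    """True/False for 4.5.1.x and 4.5.2.x builds, None for any other line
    (the announcement names no fixed build for them; Railo, which Micha
    said is also affected, falls in that bucket)."""
    major, minor, patch, build = parse_version(version)
    line = (major, minor, patch)
    if line not in FIXED_BUILD:
        return None
    # Compare within the line only. A plain tuple comparison would rank a
    # 4.5.2 BER build below .005 as "newer than 4.5.1.023", hence patched,
    # which is wrong: each line got its own fixed build.
    return build >= FIXED_BUILD[line]


def triage(version: str, admin_restricted: bool) -> str:
    """Patch-scheduling status for one server. admin_restricted means access
    to /lucee/ is limited (the mitigation Micha gave in the thread)."""
    fixed = has_admin_xss_fix(version)
    if fixed is None:
        return "unknown"
    if fixed:
        return "patched"
    return "mitigated" if admin_restricted else "exposed"


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'host,version,admin_restricted' lines; return (host, version,
    status) rows, most urgent first. Blank lines and '#' comments are skipped."""
    rows = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        host, version, flag = (field.strip() for field in raw.split(",", 2))
        rows.append((host, version, triage(version, flag.lower() == "yes")))
    return sorted(rows, key=lambda row: STATUS_ORDER[row[2]])


# Constructed sample inventory (hostnames, and the version strings not named
# in the thread, are made up for this example).
SAMPLE_INVENTORY = [
    "# host,version,admin_restricted",
    "www1.example.test,4.5.1.022,no",    # current stable, admin open: patch first
    "www2.example.test,4.5.1.022,yes",   # current stable, admin locked down
    "dev1.example.test,4.5.2.004,no",    # BER build below 4.5.2.005 (constructed)
    "www3.example.test,4.5.1.023,no",    # the security release itself
    "ber1.example.test,4.5.2.005,yes",   # BER build with the fix
    "legacy.example.test,4.2.1.008,no",  # not a 4.5 line: no guidance on this page
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:10} {host:22} {version}")
```

Run it as-is to see the sample ranking; in practice replace SAMPLE_INVENTORY with your own host list. "unknown" is deliberately sorted above "mitigated": a build the announcement says nothing about needs a human decision, not a quiet pass.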


On 6 August 2015 at 15:01, Michael Offner <@Michael_Offner> wrote:

If you have locked down “/lucee/” you are fine.

Cheers.
This means for most people there is no rush to patch. Certainly Pete’s
HackMyCf service will moan if you haven’t restricted its access :slight_smile:

If Lucee had some sort of standard security announcement email template,
I’m sure one of the sections would be ‘mitigations’ and that nugget would
have been in it.


Tom



On 6 August 2015 at 14:51, Michael Offner <@Michael_Offner> wrote:

The fix addresses an XSS issue in the Lucee admin. The issue gives you
no access to the system.

How is the XSS injected? Probably a log file entry?
If so, for instance, having /lucee/ and /lucee-server/ access locked down
by IP is no help?

Tom

On Thursday, 6 August 2015 13:45:35 UTC+1, Information Lucee wrote:

There is a new security fix available for Lucee 4.5

Does this security issue also impact Railo? Or is it in code new to Lucee?

Adam

On Thu, Aug 6, 2015 at 9:51 AM, Michael Offner <@Michael_Offner> wrote:

@Phil
4.5.1.023 is now on the Bitbucket download page; for some reason the
previous attempt to upload it failed.
We have also published 4.5.1.023 on the preview channel now.

I only see the .lco file on the BitBucket downloads page:
https://bitbucket.org/lucee/lucee/downloads are you going to
add lucee-4.5.1.023-jars.zip?

I need that so I can update https://github.com/foundeo/ubuntu-nginx-lucee
to install 4.5.1.023 instead of 4.5.1.022 by default. It would be even
better if there were a 4.5-latest-jars.zip that always pointed to the
latest version of the 4.5 branch :)

Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

If you have locked down “/lucee/” you are fine.

Micha

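Micha's mitigation, restricting access to /lucee/, written out as an nginx fragment. This is an added example for this page, not from the thread and not from the ubuntu-nginx-lucee installer Pete mentioned; the upstream name, backend port, server_name and the allowed address range are placeholders. The weak state it corrects is the usual one where a single `location /` proxies everything, admin included, to Lucee.

```nginx
# Added example: allow-list access to the Lucee admin under /lucee/ at the proxy.
# Placeholders to adjust: lucee_backend, 127.0.0.1:8888, www.example.test, 10.0.0.0/8.
upstream lucee_backend {
    server 127.0.0.1:8888;          # servlet container behind nginx (placeholder)
}

server {
    listen 80;
    server_name www.example.test;

    # Case-insensitive match so the rule does not depend on how the backend
    # treats /LUCEE/; a matching regex location takes precedence over the
    # plain "/" prefix location below.
    location ~* ^/lucee/ {
        allow 127.0.0.1;
        allow 10.0.0.0/8;           # management network (placeholder)
        deny  all;                  # everyone else gets 403 here and never reaches Lucee
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the syntax with `nginx -t`, reload, then confirm from an address outside the list that the admin URLs under /lucee/ return 403 while the rest of the site still answers. The rule only governs requests that pass through nginx: if the container's own HTTP port (8888 in the placeholder) is reachable from outside, bind it to localhost or firewall it, otherwise the allow list is simply bypassed.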