Is there documentation or a way to find out which version of Tomcat is packaged with each version of Lucee?
I’m looking into a vulnerability that was reported at an installation. All I was given was this, “A read/include file vulnerability has been discovered in the AJP connector. An unauthenticated remote attacker could exploit this vulnerability to read web application files from a vulnerable server. In cases where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code in various file types and thus obtain remote code execution (RCE).”
It was suggested that, “upgrade Tomcat server to version 7.0.100, 8.5.51, 9.0.31”.
The site is using Lucee 5, but I haven’t checked the exact version yet (probably 5.3 or 5.4). I was thinking of just upgrading Lucee, which would update Tomcat.
There are a few ways to see which version of Tomcat you have:
Log in to Lucee Admin; on the Server page, look under the label "Servlet Container".
Look at the logs: catalina.out should report the version number when the server starts up.
Tools such as HackMyCF can let you know what version of Tomcat you are running and let you know if the version you are running is vulnerable. This is a commercial tool made by my company.
One thing to note is that, unlike ACF, when you update Lucee using the Lucee admin it does not update Tomcat; you have to do that manually. It would only update Tomcat if you were to use the Lucee installer and install it again.
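As an added example, not taken from the thread or from Lucee or HackMyCF, here is a small Python check that automates the log-based method described above: it pulls the Tomcat version out of the startup line Tomcat writes to catalina.out, compares it against the three fixed versions quoted in the question (7.0.100, 8.5.51, 9.0.31), and also reports any AJP connector that is still enabled in server.xml, since the reported issue is in that connector. The catalina.out lines and the server.xml fragment below are constructed samples; the AJP port 8009 and the file layout are assumptions, not values from the thread.

```python
"""Check a Tomcat install against the fixed versions quoted in the thread.

Usage on a real server (paths are assumptions for a typical Lucee install):
    python check_tomcat.py /opt/lucee/tomcat/logs/catalina.out /opt/lucee/tomcat/conf/server.xml
Run with no arguments to evaluate the constructed samples embedded below.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, as quoted in the thread.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    7: (7, 0, 100),
    8: (8, 5, 51),
    9: (9, 0, 31),
}

# Constructed sample of the VersionLoggerListener lines Tomcat writes at startup.
SAMPLE_CATALINA_OUT = """\
28-Feb-2020 10:15:02.123 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.50
28-Feb-2020 10:15:02.124 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Dec 7 2019 13:18:57 UTC
28-Feb-2020 10:15:02.130 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
"""

# Constructed server.xml fragment with an AJP connector left enabled on all interfaces.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(catalina_out: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the first 'Apache Tomcat/x.y.z' in the log, or None."""
    match = VERSION_RE.search(catalina_out)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_patched(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch.

    Returns None for a branch the thread does not name, so the caller can
    flag it for manual review instead of silently calling it safe.
    """
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed  # tuple comparison is lexicographic: (8,5,50) < (8,5,51)


def enabled_ajp_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """Return (port, bind address) for every AJP connector that is not commented out.

    XML comments are dropped by the parser, so a disabled connector wrapped in
    <!-- --> correctly does not appear here.
    """
    root = ET.fromstring(server_xml)
    return [
        (conn.get("port", "?"), conn.get("address", "all interfaces"))
        for conn in root.iter("Connector")
        if conn.get("protocol", "").upper().startswith("AJP")
    ]


def assess(catalina_out: str, server_xml: str) -> Dict[str, object]:
    """Combine the version check and the connector inventory into one verdict."""
    version = parse_tomcat_version(catalina_out)
    ajp = enabled_ajp_connectors(server_xml)
    patched = is_patched(version) if version else None
    if version is None:
        action = "could not find a Tomcat version line in catalina.out; check the log manually"
    elif patched is None:
        action = "Tomcat branch not covered by the quoted fixed versions; review manually"
    elif patched:
        action = "Tomcat is at or above the fixed release for its branch"
    else:
        action = "Tomcat is below the fixed release; upgrade Tomcat (the Lucee admin updater does not do this)"
    return {
        "version": version,
        "patched": patched,
        "ajp_connectors": ajp,
        "ajp_exposed": bool(ajp),
        "action": action,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as log, open(sys.argv[2], encoding="utf-8") as cfg:
            result = assess(log.read(), cfg.read())
    else:
        result = assess(SAMPLE_CATALINA_OUT, SAMPLE_SERVER_XML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The version comparison deliberately keys on the major version, because each Tomcat branch (7.0.x, 8.5.x, 9.0.x) has its own fixed release; a plain "newest wins" comparison would wrongly call 8.5.50 safe next to 7.0.100. Listing the enabled AJP connectors alongside the version tells you whether the affected component is even reachable, which is the second thing a reviewer of this report will ask.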
We would probably uninstall the current version of Lucee and reinstall the new version from the installer. That has been our practice to date when upgrading Lucee.