What is the easiest and most thorough way of tracking Lucee security vulnerabilities?

I’m part of an operations team at our company that’s been tasked with tracking and remediating Lucee security vulnerabilities. Can someone let me know if there’s a security bug mailing list or a specific site or location that I can search for any new vulnerabilities? I’ve been asked to document a process and also keep track of any security vulnerabilities that may pop up.

Thanks, Shawn

@sczehnder If there is a release containing a security fix, LAS will post about it here when it is released. Otherwise, you can follow any site that publishes CVEs. For example, @pfreitag has built this amazing site which will e-mail you if any new vulns come out.

https://stack.watch/product/lucee/lucee-server/

2 Likes
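As an added example of the "follow a site that publishes CVEs" approach (not code from this thread, from Lucee, or from stack.watch), the script below diffs an NVD-style CVE feed against a local file of already-reviewed IDs, so a scheduled job only reports entries that are new since the last run. It assumes the NVD CVE API 2.0 JSON shape (`vulnerabilities[].cve.{id,published,descriptions[]}`); the `SAMPLE_FEED` data and its `CVE-0000-*` IDs are constructed placeholders, not real advisories.

```python
"""Alert on CVE feed entries for a product that have not been reviewed yet.

Added example for this thread; it is not code from the thread, from Lucee
or from stack.watch/Foundeo. It assumes the NVD CVE API 2.0 JSON shape and
keeps a small JSON state file of already-reviewed CVE IDs.
"""
from __future__ import annotations

import json
import urllib.request
from pathlib import Path

# Keyword search against the NVD 2.0 API; "lucee" is the product this thread is about.
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=lucee"


def fetch_feed(url: str = NVD_API) -> dict:
    """Fetch the live feed (needs network; the offline sample below does not call it)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def extract_entries(feed: dict) -> list[dict]:
    """Flatten an NVD 2.0-style response into {id, published, summary} records."""
    entries = []
    for item in feed.get("vulnerabilities", []):
        cve = item.get("cve", {})
        english = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
        entries.append({
            "id": cve.get("id", ""),
            "published": cve.get("published", ""),
            "summary": english[0] if english else "",
        })
    return entries


def new_entries(feed: dict, seen: set[str]) -> list[dict]:
    """Return entries whose CVE ID is not in `seen`, oldest published first."""
    fresh = [e for e in extract_entries(feed) if e["id"] and e["id"] not in seen]
    return sorted(fresh, key=lambda e: e["published"])


def load_seen(state_path: Path) -> set[str]:
    """Read the reviewed-ID set; a missing file means nothing has been reviewed yet."""
    if not state_path.exists():
        return set()
    return set(json.loads(state_path.read_text()))


def check_feed(feed: dict, state_path: Path) -> list[dict]:
    """Diff the feed against the state file, record the new IDs, and return them."""
    seen = load_seen(state_path)
    fresh = new_entries(feed, seen)
    state_path.write_text(json.dumps(sorted(seen | {e["id"] for e in fresh})))
    return fresh


# Constructed sample in the NVD 2.0 shape; the IDs are placeholders, not real CVEs.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0002", "published": "2024-02-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "placeholder entry two"}]}},
        {"cve": {"id": "CVE-0000-0001", "published": "2024-01-01T00:00:00.000",
                 "descriptions": [{"lang": "es", "value": "entrada uno"},
                                  {"lang": "en", "value": "placeholder entry one"}]}},
    ]
}

if __name__ == "__main__":
    # In a scheduled job, pass fetch_feed() instead of SAMPLE_FEED; the state file persists between runs.
    for entry in check_feed(SAMPLE_FEED, Path("reviewed-cves.json")):
        print(f"NEW {entry['id']} ({entry['published'][:10]}): {entry['summary']}")
```

Run it from cron or a CI schedule and route the printed lines to e-mail or chat; because the state file only grows, an entry is reported once, and deleting the file re-reports everything for a fresh review. Entries without a CVE ID are skipped, which matches the caveat later in this thread that not every Lucee vulnerability has had a CVE assigned, so a feed like this should be one of several sources rather than the only one.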

Awesome! Thank you.

Thanks Brad!

@sczehnder when you start digging in, you’ll notice though that not all Lucee vulnerabilities have been assigned a CVE number. So stack.watch should hopefully work for this going forward, assuming future lucee vulnerabilities will get a CVE assigned to them.

I’ll add that another tool that I have also built, and works for this purpose is HackMyCF. It can track your lucee version number and let you know when you have a vulnerable version. Besides lucee, it can also watch versions of Java, Tomcat, Undertow, etc. I also manually send out emails to all customers whenever there is a new Lucee or Adobe ColdFusion vulnerability.

Hope that helps!

1 Like

Thank you. I like the thought of having multiple places to check along with alerts coming out.

We publish/file/report all our CVE advisories thru GitHub, via the lucee announcements mailing list and here of course.

Anyone wanting to report a security vulnerability, please use security@lucee.org

Running the latest stable release and following the lockdown guide is the recommended best practice.

With each release we add in additional security hardening, but only major security fixes may be backported to older recent releases.

@pfreitag didn’t know that service, IT’s AWESOME! Thank you so much for having created that! Just last year I had to do some adaptations regarding some EU data protection issues, when I stumbled on https://content-security-policy.com/ to find out later that this great website is also created by YOU and foundeo. Really, Pete, lots of thanks for providing such immense tools. I don’t even want to mention cfdocs.org, it became a piece of my daily tools!

You’re welcome, @andreas, it’s also nice to hear you are finding my tools and services useful!

1 Like

get a room you two :slight_smile:

1 Like