Security fix and new BER release


Information Lucee

Aug 6, 2015, 8:45:35 AM8/6/15
to lucee-su...@googlegroups.com, lu...@googlegroups.com
There is a new security fix available for Lucee 4.5 on the stable and dev update providers that you can install now. As is normal in this type of situation, we will not disclose the issue being addressed, so as to protect our current user base, but it is recommended to update as soon as possible.

This security fix is available for our current stable release (4.5.1.023) on the stable release channel and for our BER release (4.5.2.005) on the develop release channel.

For a manual installation you can download the core files from here (https://bitbucket.org/lucee/lucee/downloads)

Micha

Information Lucee

Aug 6, 2015, 8:48:53 AM8/6/15
to lucee-su...@googlegroups.com, lu...@googlegroups.com
We completely forgot to thank Pete Freitag from Foundeo (https://foundeo.com) for bringing this security issue to our attention.

Thanks a lot!
The Lucee Team

Phil

Aug 6, 2015, 9:08:19 AM8/6/15
to Lucee, lucee-su...@googlegroups.com
Two quick bits of feedback:

1. Build 4.5.1.023 is not available at the bitbucket downloads page
2. The preview channel currently doesn't have 4.5.1.023 either (but the stable channel does)

Thanks.

Adam Cameron

Aug 6, 2015, 9:09:58 AM8/6/15
to Lucee, lucee-su...@googlegroups.com


On Thursday, 6 August 2015 13:45:35 UTC+1, Information Lucee wrote:
There is a new security fix available for Lucee 4.5 

Does this security issue also impact Railo? Or is it in code new to Lucee?

-- 
Adam 

Tom Chiverton

Aug 6, 2015, 9:36:19 AM8/6/15
to Lucee, lucee-su...@googlegroups.com
Can you not give us even the general area it might affect? E.g. if you are not accepting a particular sort of request then you are safe.
What about impact - is this remote unauthenticated command execution as root? I'm guessing not, so how much less bad is it?

Without this, how is anyone meant to make an informed choice about whether and when to apply the update?

Tom

Michael Offner

Aug 6, 2015, 9:51:49 AM8/6/15
to lucee
@Phil 
4.5.1.023 is now on the bitbucket download page; for some reason the previous attempt to upload it failed.
We have also published 4.5.1.023 on the preview channel now.

@Adam
Yes this also affects Railo.

@Tom
This time we did a special release (4.5.1.023) that only addresses the security issue for the current stable release (4.5.1.022). So you don't have to install anything else to get this fix.
The fix addresses an XSS issue in the Lucee admin. The issue gives you no access to the system.

Micha


--
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/f2879cb8-ebfa-414c-b8c9-556276e10d17%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Tom Chiverton

Aug 6, 2015, 9:57:34 AM8/6/15
to lu...@googlegroups.com

On 6 August 2015 at 14:51, Michael Offner <mic...@lucee.org> wrote:
The fix addresses an XSS issue in the Lucee admin. The issue gives you no access to the system.


How is the XSS injected? Probably a log file entry?
If so, for instance, having /lucee/ and /lucee-server/ access locked down by IP is no help?


--
Tom

Michael Offner

Aug 6, 2015, 10:01:18 AM8/6/15
to lucee
If you have locked down "/lucee/" you are fine.

Micha

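To make the "lock down /lucee/" mitigation Micha refers to concrete, here is an added example of an nginx reverse-proxy fragment that restricts both admin contexts to an allowed network. It is not taken from the thread, from Lucee, or from Pete's ubuntu-nginx-lucee repository. The upstream address 127.0.0.1:8888, the server name and the 203.0.113.0/24 admin range are assumptions; substitute your own.

```nginx
# Added example, not Lucee's or ubuntu-nginx-lucee's own config.
# Assumptions: the servlet container hosting Lucee listens on 127.0.0.1:8888
# (hypothetical), and 203.0.113.0/24 (RFC 5737 documentation range) is the
# network that administrators connect from.

upstream lucee_backend {
    server 127.0.0.1:8888;
}

server {
    listen 80;
    server_name example.com;

    # Web admin context. The ^~ modifier makes this prefix match win over any
    # regex location (e.g. a generic ~ \.cfm$ handler) so the allow/deny list
    # cannot be skipped by a request that also matches such a regex.
    location ^~ /lucee/ {
        allow 203.0.113.0/24;
        deny  all;                 # everyone else receives 403
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Server admin context, same policy.
    location ^~ /lucee-server/ {
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Application traffic is passed through unrestricted.
    location / {
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks worth doing after applying something like this: request http://example.com/lucee/admin/ from an address outside the allowed range and confirm a 403 rather than the admin login page (nginx decodes percent-encoding and normalises the path before location matching, so encoded variants of the prefix hit the same rule), and confirm that the servlet container's own port is bound to localhost or firewalled, because a request that reaches the container directly never passes through these location blocks.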

Tom Chiverton

Aug 6, 2015, 10:04:04 AM8/6/15
to lu...@googlegroups.com
On 6 August 2015 at 15:01, Michael Offner <mic...@lucee.org> wrote:
if you have locked down "/lucee/" you are fine.


Cheers.
This means for most people there is no rush to patch. Certainly Pete's HackMyCf service will moan if you haven't restricted its access :-)

If Lucee had some sort of standard security announcement email template, I'm sure one of the sections would be 'mitigations' and that nugget would have been in it.
 
--
Tom

Michael Offner

Aug 6, 2015, 10:10:13 AM8/6/15
to lucee
Sure we can improve our communication on this; luckily we don't have that many security fixes ;-)
I'm happy that this time we had a security fix for the stable release, so you don't have to update to the latest BER release to get the fix.

Micha


Tom Chiverton

Aug 6, 2015, 10:13:27 AM8/6/15
to lu...@googlegroups.com
On 6 August 2015 at 15:10, Michael Offner <mic...@lucee.org> wrote:
Sure we can improve our communication on this; luckily we don't have that many security fixes ;-)
I'm happy that this time we had a security fix for the stable release, so you don't have to update to the latest BER release to get the fix.


Yeah, got that change of numbering scheme in just in time :-)
As long as things get better with time I'll not moan too much!

Tom

Pete Freitag

Aug 6, 2015, 11:22:57 AM8/6/15
to lu...@googlegroups.com
On Thu, Aug 6, 2015 at 10:03 AM, Tom Chiverton <tom.ch...@gmail.com> wrote:
On 6 August 2015 at 15:01, Michael Offner <mic...@lucee.org> wrote:
if you have locked down "/lucee/" you are fine.


Cheers.
This means for most people there is no rush to patch. Certainly Pete's HackMyCf service will moan if you haven't restricted its access :-)

Yes it certainly will, and as of a few minutes ago it will also look for the absence of this patch as well.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

Pete Freitag

Aug 6, 2015, 11:37:51 AM8/6/15
to lu...@googlegroups.com
On Thu, Aug 6, 2015 at 9:51 AM, Michael Offner <mic...@lucee.org> wrote:
@Phil 
4.5.1.023 is now on the bitbucket download page, for some reason the previous attempt to upload it failed.
we have also published 4.5.1.023 on the preview channel now.

I only see the .lco file on the BitBucket downloads page (https://bitbucket.org/lucee/lucee/downloads). Are you going to add lucee-4.5.1.023-jars.zip?

I need that so I can update https://github.com/foundeo/ubuntu-nginx-lucee to install 4.5.1.023 instead of 4.5.1.022 by default. It would be even better if there were a 4.5-latest-jars.zip that always pointed to the latest version of the 4.5 branch :)