Remote Code Exploit in Lucee Admin

Critical
zspitzer published GHSA-2xvv-723c-8p7r Feb 9, 2021

Package

Lucee Admin

Affected versions

< 5.3.7.47

Patched versions

5.3.5.96, 5.3.6.68, 5.3.7.47

Description

Impact

An unauthenticated remote code execution (RCE) exploit chain was found in the Lucee Admin code:
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643

Patches

Upgrade to the latest stable releases 5.3.7.47, 5.3.6.68 or 5.3.5.96

This can be done via the Lucee Server Admin, under Services -> Updates

https://download.lucee.org/
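The affected range above ("< 5.3.7.47") and the three patched releases only reconcile branch by branch: 5.3.5.96 and 5.3.6.68 are fixes on older maintenance lines even though they sort below 5.3.7.47. The following inventory check, an added example and not part of the advisory or the Lucee project, encodes that reading. It assumes Lucee versions are four dotted integers and treats any build at or above its branch's listed fix as patched (an inference from the patched list, not something the advisory states); the `fleet` inventory is constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fix releases named in GHSA-2xvv-723c-8p7r / CVE-2021-21307, keyed by branch.
PATCHED_BY_BRANCH: Dict[Tuple[int, int, int], Version] = {
    (5, 3, 5): (5, 3, 5, 96),
    (5, 3, 6): (5, 3, 6, 68),
    (5, 3, 7): (5, 3, 7, 47),
}
# The advisory's affected range: everything below 5.3.7.47 unless a branch fix applies.
AFFECTED_BELOW: Version = (5, 3, 7, 47)


def parse_version(s: str) -> Version:
    """Parse a 4-part Lucee version string such as '5.3.7.47' (assumed format)."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Lucee version: {s!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def fix_target(version: str) -> Optional[Version]:
    """Return the patched release for this install's branch, or None if none is listed."""
    v = parse_version(version)
    return PATCHED_BY_BRANCH.get(v[:3])


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v >= AFFECTED_BELOW:
        return False  # 5.3.7.47 and anything newer is outside the range
    fixed = PATCHED_BY_BRANCH.get(v[:3])
    if fixed is not None and v >= fixed:
        return False  # at or above the branch's fix release (inference: later builds keep the fix)
    return True


def affected_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map host -> version into (host, version, recommended upgrade) for affected installs.

    Installs on a branch with no listed fix are pointed at the latest release, 5.3.7.47.
    """
    result = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            target = fix_target(version) or AFFECTED_BELOW
            result.append((host, version, ".".join(map(str, target))))
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = {
        "cf-app-01": "5.3.7.46",
        "cf-app-02": "5.3.6.68",
        "cf-legacy": "5.3.4.80",
        "cf-stage": "5.3.8.1",
    }
    for host, version, target in affected_hosts(fleet):
        print(f"{host}: {version} is affected, upgrade to {target}")
```

Run it against an export of server versions; only installs inside the affected range are reported, each with the fix release for its own branch so an operator on 5.3.5 or 5.3.6 is not pushed straight to 5.3.7 if they prefer to stay on their maintenance line.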

Workarounds

Block access to the Lucee Administrator as recommended
https://docs.lucee.org/guides/deploying-lucee-server-apps/securing-lucee-server-apps/lucee-lockdown-guide.html

References

https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

CVE-2021-21307

Weaknesses

No CWEs

Credits