[Looking for Charlie's main web site?]

Recent critical Lucee security vulns: make sure you're protected, finding out more about them

There has been important news released (this week and last week) about a critical Lucee security vuln (an RCS or remote code execution vuln). You'll want to make sure your Lucee instances are protected either by updates or configuration (or both). There are actually 3 matters to beware.

The first news, shared last week (Feb 15)

Let me note first that I learned of the matter when a blog post was shared a week ago by Project Discovery (a group of responsible researchers) discussing how they had found the vuln, and indeed on Apple servers (running Lucee). The blog post offered ample detail on the matter.

I immediately posted the news Lucee developer forum/discourse, sharing the link to the post--and clarifying that the title of the post referring to Apple ("Hello Lucee! Let us hack Apple again?") was NOT about MacOS, and that this seemed an important issue of concern to ALL using Lucee.

Sadly, days passed with no response (from anyone there, users or folks running Lucee), and I was torn about pressing the point further. (Was I misreading the blog post? Was it really not that serious?)

New info, shared yesterday and today (Feb 22)

Then yesterday CF security researcher Brian Reilly released his own blog post on the matter, with still more info, including code to test things and discussions of the Lucee versions affected, and updates/configuration changes to consider.

Finally, today Pete Frietag also released a post with still more info and details (and more example code you can use to test your server), and configure protections. Pete had actually shared the info yesterday with folks who use his wonderful HackMyCF service, and his post today brings the details to everyone, which is wonderful. (And Pete's post also mentions Brian's). Pete also shared a link to his post and Brian's in that Lucee forum thread I had started.

Mind your P's and Q's...or, why Lucee's cf_client_* cookie vuln is NOT the same issue as CF's _cfclient querystring vuln

This section is a quick update to my original post. I had meant to add another point of clarification.

You will read in the resources linked to here that one aspect of this newly discovered Lucee vulnerability has to do with Lucee's use (and surprising processing) of a cookie whose name starts with "cf_client_".

To be clear, this is NOT related to ColdFusion's similarly-named but VERY different _cfclient querystring. Let me explain: folks following the CF security vulnerabilities of last year (and my past blog posts on the matter) may recall they had to do with a which bad actors hacking Adobe ColdFusion (2023, 2021, and earlier) by way of leveraging an aspect of the little-used "cfclient" mobile dev feature from CF11. And it didn't matter if you USED that feature: the bad guys were breaking in by way of an aspect of how it worked. For more on that matter, see posts such as my last one (with ample detail), A third Priority 1 CF security update has been released, Jul 19 2023, especially the section there, "A suggestion on blocking the _cfclient query string".

The point here is that THAT vuln had to do with a _cfclient querystring, while this Lucee vuln has to do with an unrelated cookie whose name starts with cf_client_. See those other posts for more on that. So yep, mind your p's and q's there.

(I even had these backward the first time I added this update--it's SO easily confused!)

Now, back to what I had originally shared in the rest of this post...

Where should you start?

I might suggest one starts with Pete's post, which helps make clear what Lucee versions are vulnerable, how to configure things, and how to test things. Then see Brian's, with still more (and some differently helpful) info, then finally the project discovery post (which is substantial, and perhaps too much for some to take in). Each will give you more and more grasp of the situation.

Finally, I'd recommend you follow that Lucee forum thread (or comments on Pete or Brian's posts) to learn more, as other Lucee folks share their experiences, observations, and questions.

While you could comment here, I'd think it better to comment in any of those other places as you see fit, since more Lucee users will be watching those.

To be clear, I only decided to offer this post now, to further spread the word--especially given the additional valuable information that has been shared. Hope that's helpful.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
If you may have gotten my initial notification of this post, I want to note that I have added a new section above, "Mind your P's and Q's...or, why Lucee's cf_client_* cookie vuln is NOT the same issue as CF's _cfclient querystring vuln".
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting