Impact
An unauthenticated Remote Code Execution (RCE) exploit chain was found in the Lucee Admin code
https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
Patches
Upgrade to the latest stable releases 5.3.7.47, 5.3.6.68 or 5.3.5.96
This can be done via the Lucee Server Admin, under Services -> Updates
https://download.lucee.org/
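As an added example (not code from the advisory or the Lucee project), a small Python check that classifies an installed Lucee version string against the fixed releases listed above. It assumes that any earlier build on the same 5.3.x branch is unpatched, that a `-SNAPSHOT`/`-RC` suffix marks a pre-release that precedes the final build of the same number, and it reports branches the advisory does not name as unknown rather than guessing.

```python
# Added example: classify a Lucee version against the November 2020 fixed builds.
# The fixed builds come from the advisory; everything else here is an assumption.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int, int]  # major, minor, patch, build, is_final

# Fixed releases named in the advisory, keyed by their 5.3.x branch.
# Trailing 1 = final release (pre-releases of the same build sort below it).
FIXED_RELEASES: Dict[Tuple[int, int, int], Version] = {
    (5, 3, 5): (5, 3, 5, 96, 1),
    (5, 3, 6): (5, 3, 6, 68, 1),
    (5, 3, 7): (5, 3, 7, 47, 1),
}


def parse_version(version: str) -> Version:
    """Parse '5.3.7.47' or '5.3.7.47-SNAPSHOT' into a comparable tuple."""
    core, _, suffix = version.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Lucee version string: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    # Assumption: a suffixed build (-SNAPSHOT, -RC) predates the final build.
    is_final = 0 if suffix else 1
    return (major, minor, patch, build, is_final)


def patch_status(version: str) -> Tuple[str, Optional[Version]]:
    """
    Return (status, fixed_build):
      'patched'    - same branch as a fixed release and build >= that release
      'vulnerable' - same branch but an older build (assumption: unpatched)
      'unknown'    - a branch the advisory does not list; consult release notes
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:3])
    if fixed is None:
        return "unknown", None
    return ("patched" if v >= fixed else "vulnerable"), fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"app-01": "5.3.7.46", "app-02": "5.3.7.47",
                 "app-03": "5.3.6.61-SNAPSHOT", "app-04": "5.3.8.2"}
    for host, ver in inventory.items():
        status, fixed = patch_status(ver)
        print(f"{host}: {ver} -> {status}" + (f" (fix: {fixed[:4]})" if fixed else ""))
```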
Workarounds
Block access to the Lucee Administrator as recommended
https://docs.lucee.org/guides/deploying-lucee-server-apps/securing-lucee-server-apps/lucee-lockdown-guide.html
References
https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal
For more information
If you have any questions or comments about this advisory: