Lucee Vulnerability - CVE-2023-38693

In response to the Lucee vulnerabilities CVE-2023-38693 within Lucee environments, a software we use to power our intranet solution, IC has tested a series of updates to mitigate the problem. This impacts all of our Intranet customers. For more details about the problem reported by Lucee, click here to go to Lucee’s website. 

 

Intranet Connections has tested several safe version recommended by Lucee organization. We have found the version 5.3.12.1 to be the safest version of Lucee to run with our software. 

 

If you are currently on version 15.0 or 15.5 of our product, this is our recommendation:

  1. For Virtual Machines (VMs), take a snapshot or checkpoint of the server to have a smooth rollback option available.
  2. Through the Lucee Server Administrator > Update webpage, update to 5.3.12.1. 
    1. Click the Releases tab.
    2. From the drop-down menu, choose 5.3.12.1
    3. Click Execute
  3. Re-install any relevant SSL certificates through the Lucee Server Administrator > SSL certificates page. (If your website runs on https, your AD sync connection uses secure LDAP, you are using SSL for your mail notifications, or you embedded external https content into your intranet)
    1. Type in the domain for your certificate
    2. Type in the port number (443, 587, etc.)
    3. Click List.  Inspect the results.
    4. Click Install.
  4. Downgrade OSWASP 2.2.4.8 and Compress Tags 1.0.0.2 extension through the Lucee Server Administrator > Applications > Compress Tags to 1.0.0.2. This application is used when you try to apply a hotfix or a patch to the intranet.
    1. Click the Releases tab.
    2. From the drop-down menu, choose 1.0.0.2
    3. Click update / downgrade.
  5. Restart the web server.
  6. If you run into errors with the search after the Lucee update, please apply the hotfix 1740 to fix the global search issue you may encounter after these steps.  You must be on version 15.0.10 or 15.0.11 or 15.5.2 to apply this hotfix. Click here to learn about the patching process.

If you are currently on any version below 15.0, please upgrade to 15.0.8, click here download the installation package. To apply the recommendation above. Click here for more information about the upgrade process.

Related articles

Powered by Zendesk