In response to a public blog post by a cybersecurity expert about a vulnerability within Lucee environments, the software we use to power our intranet solution, IC has tested a series of updates to mitigate the problem. This impacts customers who have their intranet available over the internet (not just locally inside their network). For more details about the problem reported in Lucee, see the related blog post.
We recommend taking these three general steps to make your intranet server more secure:
- Set more complex passwords for your Lucee Server and Web Administrator panels.
- Update Lucee with extensions from the official provider.
- Block access to the Lucee Administrator panels when not actively changing configurations.
Update your Lucee Server Administrator and Web Administrator passwords
- If you have not done so before, take a snapshot of your server before making major changes.
- In a web browser, go to the Lucee Server Administrator. The address will consist of your intranet address plus “/lucee/admin/server.cfm”. For example, https://bestintranet.myintranet.com/lucee/admin/server.cfm
- Log in with your password. If you lost your password, please see the section “How to reset your Lucee Server password”.
- In the left menu, click Password.
- Skip this step if you already reset the password in step 3. In the section “Change Password”, set the server password to a long and secure string of characters. Be sure to record it in your password management system. This is your Lucee Server password.
- In the section “Set default password”, type in a long and secure password for your web administrator instance(s). Click update. This password will be used in the next step.
- In the section “Reset Password”, select your web path from the dropdown menu in the field “Web”. The web path will typically end with “Intranet”. Click “Reset”. This is your Lucee Web password.
- In a different browser, try to log in to both the Lucee Server address (/lucee/admin/server.cfm) and Lucee Web Address (/lucee/admin/web.cfm).
How to reset your Lucee Server password
If you lose your password and get locked out of the Lucee Server Admin, you can resolve the issue by following these steps:
-
- Find your lucee-server.xml file (often located here: C:\sqbox\lucee\tomcat\lucee-server\context\lucee-server.xml). If you can’t find it, you may need to do a file search on your server to locate the file.
- Locate the line that looks like: <cfLuceeConfiguration hspw="08ff01745878248e85425ea046533aa72e5595975c4f40ce85e1bae0ee9619b7" salt="505516A5-3EF1-4F43-8F0B7E0C2336CC91" version="4.5">
- Delete the attributes hspw & salt and save the file so that this line looks like this: <cfLuceeConfiguration version="4.5">
- Restart the “Apache Tomcat 9.0 Lucee” service from your "Services" control panel.
- Create a text file called password.txt and put your new password within it. Nothing else, just 1 line of text with your password.
- Place the password.txt file into your "Lucee Context" folder where lucee-server.xml is located.
- Go to the Server Admin URL in your browser: “/lucee/admin/server.cfm”
- You will be prompted to import a password file. Click the button to import the password.
Note: If this process doesn't work, then find the lucee-web.xml.cfm file in the Intranet/WEB-INF/lucee folder. Repeat steps 2 - 8 with this file.
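The file-editing part of the reset procedure above (back up the config, drop the hspw and salt attributes, create password.txt, restart the service), as an added PowerShell example that is not part of the original article. It assumes the paths and service name given in the steps, that lucee-web.xml.cfm is also plain XML when you pass it as -ConfigPath, and that you run it as an administrator after taking a snapshot.

```powershell
# Added example (not from the original article): automates the reset steps
# for lucee-server.xml, or lucee-web.xml.cfm via -ConfigPath (assumed to be
# plain XML). Assumes the article's default path and service name.
param(
    [string]$ConfigPath  = 'C:\sqbox\lucee\tomcat\lucee-server\context\lucee-server.xml',
    [string]$ServiceName = 'Apache Tomcat 9.0 Lucee'
)

# Read the new password without echoing it to the console or shell history.
$secure = Read-Host -Prompt 'New Lucee Server Admin password' -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Keep a dated copy of the config so the change can be rolled back.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# Remove only the hspw and salt attributes from <cfLuceeConfiguration ...>;
# the other attributes (e.g. version) stay as they are.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($ConfigPath)
$root = $xml.DocumentElement
foreach ($attr in 'hspw', 'salt') {
    if ($root.HasAttribute($attr)) { $root.RemoveAttribute($attr) }
}
$xml.Save($ConfigPath)

# Restart Tomcat so Lucee re-reads the config without a stored password hash.
Restart-Service -Name $ServiceName

# password.txt: exactly one line, no trailing newline and no UTF-8 BOM (a BOM
# would become part of the password), in the same folder as the config file.
$pwFile = Join-Path (Split-Path -Parent $ConfigPath) 'password.txt'
[IO.File]::WriteAllText($pwFile, $plain, [Text.UTF8Encoding]::new($false))
$plain = $null

Write-Host "Backup at $backup. Open /lucee/admin/server.cfm and import the password."
```

Delete password.txt if it is still present after the import has succeeded, so the plaintext password does not stay on disk.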
Update Lucee with extensions/applications from the official provider
- If you have not done so before, take a snapshot of your webserver.
- Set your intranet into maintenance mode, by going to admin > security > maintenance mode and enabling the option.
- On the web server, open a browser and go to download.lucee.org.
- In the dropdown menu Release (under section History), choose 5.4.5.23. This is the highest supported version as of March 26, 2024. After the page refreshes, click “lucee.jar” to download the file for the updated version of Lucee.
- Under extensions, download the versions of extensions corresponding to this table:
Extension name              Highest compatible version
SQL Server                  12.4.2.jre11
Lucee Administrator         1.0.0.5
Hibernate                   3.5.5.89
PDF                         1.2.0.10
Axis 1 Webservices          1.4.0.37
Image                       2.0.0.25
ESAPI                       2.2.4.15
Compress                    1.0.0.15
Ajax                        1.0.0.5
Form                        1.0.0.10
- Unblock all the files from the previous two steps in File Explorer.
- Find the Lucee lib folder on the web server. Typically, it will be “c:\sqbox\lucee\lib” or “c:\lucee\lib”
- Turn off the “Apache Tomcat 9.0 Lucee” service.
- Copy the lucee.jar file into the lib folder. Remove any other .jar files from this folder. Start the “Apache Tomcat 9.0 Lucee” service.
- Find the “deploy” folder for Lucee. Typically, it will be “c:\sqbox\lucee\tomcat\lucee-server\deploy” or “c:\lucee\tomcat\lucee-server\deploy”.
- Copy the extension files into the deploy folder. Wait about 5 minutes. All the files should disappear from the folder as they are consumed by the Lucee application.
- Log into the Lucee Server admin and go to Applications. The extensions should match the list above. If there are any other extensions, take note of them, then remove them by clicking the extension and then clicking Uninstall. Your list should look something like this:
- Restart the “Apache Tomcat 9.0 Lucee” service then test your application.
- Turn off maintenance mode after you complete your testing.
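The file-handling steps of the update procedure above (unblock the downloads, swap lucee.jar with the service stopped, drop the extension archives into the deploy folder and wait for Lucee to consume them), as an added PowerShell example that is not part of the original article. It assumes the downloaded files are in one folder ($Downloads), that Lucee extension archives are .lex files, and the folder and service names the article gives; put the intranet into maintenance mode and take a snapshot first.

```powershell
# Added example (not from the original article). Assumes the article's
# default folders and service name; $Downloads is a constructed placeholder.
param(
    [string]$Downloads   = "$env:USERPROFILE\Downloads\lucee-update",
    [string]$LuceeLib    = 'C:\sqbox\lucee\lib',
    [string]$DeployDir   = 'C:\sqbox\lucee\tomcat\lucee-server\deploy',
    [string]$ServiceName = 'Apache Tomcat 9.0 Lucee'
)

$jar  = Join-Path $Downloads 'lucee.jar'
$exts = Get-ChildItem -LiteralPath $Downloads -Filter '*.lex'
if (-not (Test-Path -LiteralPath $jar)) { throw "lucee.jar not found in $Downloads" }

# Windows tags internet downloads with a Zone.Identifier stream; clear it
# (this is what "Unblock" in File Explorer does).
Unblock-File -LiteralPath $jar
$exts | Unblock-File

# Swap the core jar with the service stopped. Old jars are moved to a sibling
# folder (outside lib, so Tomcat does not load them) instead of being deleted,
# so the previous version can be restored if testing fails.
Stop-Service -Name $ServiceName
$aside = Join-Path (Split-Path -Parent $LuceeLib) "lib-previous-$(Get-Date -Format yyyyMMddHHmmss)"
New-Item -ItemType Directory -Path $aside | Out-Null
Get-ChildItem -LiteralPath $LuceeLib -Filter '*.jar' | Move-Item -Destination $aside
Copy-Item -LiteralPath $jar -Destination $LuceeLib
Start-Service -Name $ServiceName

# Lucee consumes .lex files dropped into deploy; poll until the folder empties.
$exts | Copy-Item -Destination $DeployDir
$deadline = (Get-Date).AddMinutes(10)
while ((Get-ChildItem -LiteralPath $DeployDir -Filter '*.lex') -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}
$left = Get-ChildItem -LiteralPath $DeployDir -Filter '*.lex'
if ($left) { Write-Warning "Not consumed after 10 min: $($left.Name -join ', ')" }
else       { Write-Host 'All extensions consumed; compare Applications in Server Admin with the table.' }
```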
Block access to the Lucee Administrator panels
After you apply these changes, you will not be able to access either Lucee Web Admin or Server Admin panels. Important note: Before applying hotfixes, patches, or upgrades, you must temporarily remove these “deny” sequences.
- On the web server, open Internet Information Services (IIS) Manager.
- Under Connections, click the server’s name.
- In the middle pane, double-click Request Filtering. If you don’t see the option for Request Filtering, see the section “How To Enable Request Filtering”.
- Under Actions in the right pane, click Deny Sequence.
- Enter “lucee/admin/server.cfm”. Hit OK.
- Under Actions in the right pane, click Deny Sequence again.
- Enter “lucee/admin/web.cfm”. Hit OK.
At this point, you should not be able to access either admin panel. To get access again, temporarily remove the “deny” sequences from Request Filtering.
Important note: Always re-apply these “deny” sequences after you have finished your configuration changes in Lucee Admin.
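The two deny sequences above, applied at the server level, checked, and temporarily removed for maintenance windows, plus the Request Filtering feature check from the “How To Enable Request Filtering” section, as an added PowerShell example that is not part of the original article. It assumes you run it as an administrator on the web server, that the WebAdministration and ServerManager modules are available, and that the intranet address is the article’s example host (replace it with your own).

```powershell
# Added example (not from the original article). Uses the IIS WebAdministration
# module; MACHINE/WEBROOT/APPHOST is the server-level scope the steps above use.
Import-Module WebAdministration
$Site   = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/requestFiltering/denyUrlSequences'
$Admin  = 'lucee/admin/server.cfm', 'lucee/admin/web.cfm'

# Request Filtering (feature name Web-Filtering) must be installed first.
if (-not (Get-WindowsFeature Web-Filtering).Installed) { throw 'Install the Request Filtering feature first' }

function Add-LuceeAdminDeny {
    foreach ($seq in $Admin) {
        $present = (Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name Collection).sequence
        if ($present -notcontains $seq) {
            Add-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name '.' -Value @{sequence=$seq}
        }
    }
}

# Only for the time you are actively changing Lucee configuration; re-add afterwards.
function Remove-LuceeAdminDeny {
    foreach ($seq in $Admin) {
        Remove-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name '.' -AtElement @{sequence=$seq}
    }
}

# With the sequences in place, both admin URLs should come back as HTTP 404.
function Test-LuceeAdminBlocked([string]$BaseUrl) {
    foreach ($seq in $Admin) {
        $code = 0
        try   { $code = (Invoke-WebRequest -Uri "$BaseUrl/$seq" -UseBasicParsing).StatusCode }
        catch { $code = [int]$_.Exception.Response.StatusCode }
        if ($code -ne 404) { Write-Warning "$seq returned $code (expected 404)" }
        else               { Write-Host "$seq blocked (404)" }
    }
}

Add-LuceeAdminDeny
Test-LuceeAdminBlocked -BaseUrl 'https://bestintranet.myintranet.com'   # article's example host
```

These deny sequences only apply to requests that pass through IIS, so Tomcat’s own HTTP connector port must not be reachable from the internet; otherwise the admin panels remain exposed on that port.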
How To Enable Request Filtering
If you can’t find the “Request Filtering” icon in your IIS Installation, it’s possible the feature needs to be installed.
- On your “Windows Server” open the “Server Manager” console app.
- Click Item (2) – Add roles and features.
- The “Add Roles and Features” wizard dialog appears. You can click “Next” until you get to the screen called “Select Server Roles”.
- Click the triangle next to the “Web Server (IIS)” to expand the options.
- Another option called “Web Server” appears under it and you will need to expand this one as well.
- Expand the option “Security” to get the list of options we need to enable.
- Choose “Request Filtering” from the list and tick the checkbox to enable it.
- Click ‘Next’ 2 more times to get to the final screen of the dialog box.
- Click “Install” from the choices at the bottom of the dialog box.
- Click “Close” to finish the installation and close the dialog box.
- Close and then re-open the IIS application to see the Request Filtering option.