Lucee Server Arbitrary File Creation
Description
Lucee Server is a dynamic, Java-based (JSR-223) scripting language platform used for rapid web application development. Versions prior to 5.3.8.89 contain an authentication bypass vulnerability that allows unauthenticated attackers to directly access protected ColdFusion Markup (CFM) files. Specifically, the imgProcess.cfm file is vulnerable to path traversal attacks, enabling attackers to write arbitrary files to any location on the server with attacker-controlled content. This vulnerability can be exploited to achieve remote code execution by creating malicious .cfm files in accessible directories.
Remediation
Immediately upgrade Lucee Server to version 5.3.8.89 or later, which addresses this vulnerability through commit 6208ab7c44c61d26c79e0b0af10382899f57e1ca (LDEV-3119). Follow these steps:
1. Backup your current installation and configuration files before upgrading
2. Download the latest stable version of Lucee Server from the official website
3. Review the release notes for any breaking changes or migration requirements
4. Perform the upgrade following the official upgrade documentation
5. Verify the upgrade by checking the version number in the Lucee administrator panel
6. Audit your server for any unauthorized .cfm files or suspicious file modifications that may have occurred before patching
If you cannot upgrade immediately, apply temporary mitigations: restrict network access to the Lucee administrator interface and monitor the file system for unauthorized file creation. Upgrading remains the only complete fix.
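As an added example (not code from the Lucee project or from this advisory), the following Python scans combined-format access-log lines for requests to imgProcess.cfm whose query string carries directory-traversal sequences or names a .cfm file, the pattern that step 6 and the monitoring advice above are meant to catch. The log lines, the request paths and the `file` parameter name are constructed for the example; the advisory does not state Lucee's real parameter names.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (combined format); not real traffic. The
# admin path and the "file" parameter are assumptions for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /lucee/admin/imgProcess.cfm?file=%2e%2e%2f%2e%2e%2fwebroot%2fshell.cfm&sender=x HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2021:12:00:05 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:09 +0000] "POST /lucee/admin/imgProcess.cfm?file=../../../webroot/x.cfm HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:12:00:12 +0000] "GET /lucee/admin/imgProcess.cfm?file=logo.png HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded query string.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
CFM_RE = re.compile(r'\.cfm\b', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding (e.g. %252e) so encoded traversal is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(line):
    """Return a finding dict for a suspicious imgProcess.cfm request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not path.lower().endswith('/imgprocess.cfm'):
        return None
    decoded = decode_fully(query)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('path traversal in query')
    if CFM_RE.search(decoded):
        reasons.append('.cfm filename in query')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'),
            'method': m.group('method'), 'status': m.group('status'),
            'reasons': reasons}


def scan_log(text):
    """Run flag_request over every line and keep only the findings."""
    return [hit for hit in (flag_request(l) for l in text.splitlines()) if hit]
```

A benign image request to imgProcess.cfm (the last sample line) produces no finding, so the output is limited to requests worth a follow-up file-system audit.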