While I mainly use Adobe ColdFusion, I do maintain several Lucee installs - most of which are running on auto-pilot and/or hosted/configured/maintained by the host. However, when I first heard of the Lucee vulnerability on the Modernize or Die podcast, I decided to take an inventory of where I was using Lucee to see what needed upgrades and patches. Lucee patches for this vulnerability are 5.3.5.96, 5.3.6.68, and 5.3.7.47. I was running 4.5.1.024. This Lucee install was woefully out of date, so much so that an update for 4 was not listed. Indeed, a comment from Zac Spitzer indicated that 4.5 was probably not affected.

Nevertheless, clicking on the Lucee icon in the administrator revealed that a patch was available. So I was faced with a choice: do nothing (allow upgrade paralysis to continue its reign), upgrade 4.5 to address the listed fixes, or update to 5.3 since 4.5 is end of life. In my defense, it seems like every install I have ever done has gone haywire; I'm not sure what the opposite of the Midas Touch is, but I'm sure I have it when it comes to upgrades, and so I was upgrade gun-shy. But I knew better, and so I leaned toward upgrading from 4.5 to 5.3.

But before firing up CommandBox for the install or exploring other installation options, I scanned the docs to look into running multiple versions of Lucee. I had just configured a dev server to run multiple versions of Adobe ColdFusion and was itching to compare the two processes. However, while I quickly found the docs on how to upgrade to 5.3, I didn't find much on running both versions together, and so I will put that in my back pocket for now, and focus on upgrading from 4.5 to 5.3.  

Swap the .jar file

The docs show how simple it is to set this up, but Murphy's Law dictates that I contact the great folks at Viviotech to verify all backups are up to date. Of course, they are. I'm now ready to begin the step-by-step procedure. From the docs:

  1. Download the lucee-5.x.x.xxx.jar from https://lucee.org/downloads.html. I downloaded Lucee 5.3.7.47.jar
  2. Stop the servlet engine on your server. (Windows: net stop Lucee or go to Services and stop it there). No problemo
  3. Add the lucee-5.x.x.xxx.jar you downloaded to the "lib" directory in your existing Lucee install. Copy/Paste... Done.
  4. Remove all other JARs in the same directory; however, do not remove the directory "lucee-server" (or "railo-server") if that directory is present, which is the case with default installations. Please note you must remove the JARs, DO NOT simply rename them. That's not complicated.
  5. Start the servlet engine. (Windows: net start Lucee or go to Services and start it there.). Spinning, spinning...
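Steps 3 and 4 (add the new JAR, remove every other JAR while leaving "lucee-server" alone) written as a checked shell function. This is an added example, not code from the post or from the Lucee docs; it assumes a POSIX shell on the server and a backup directory outside lib that receives the removed JARs, and it leaves stopping and starting the servlet engine (steps 2 and 5) to the caller because that is host-specific.

```shell
#!/bin/sh
# swap_lucee_jar LIBDIR NEWJAR BACKUPDIR
#   LIBDIR    the existing install's lib directory (assumed path)
#   NEWJAR    the downloaded lucee-5.x.x.xxx.jar
#   BACKUPDIR a directory OUTSIDE LIBDIR that receives the old JARs: they are
#             removed from lib (not renamed in place, as the docs warn) but
#             kept so the swap can be rolled back.
# Stop the servlet engine before calling this and start it again afterwards.
swap_lucee_jar() {
  libdir=$1; newjar=$2; backupdir=$3

  [ -d "$libdir" ] || { echo "lib directory not found: $libdir" >&2; return 1; }
  [ -f "$newjar" ] || { echo "new jar not found: $newjar" >&2; return 1; }
  newname=$(basename "$newjar")
  case "$newname" in
    lucee-*.jar) ;;
    *) echo "refusing: $newname is not named like lucee-5.x.x.xxx.jar" >&2; return 1 ;;
  esac

  # A backup directory inside lib would leave the old JARs on Lucee's path,
  # so resolve it through its parent (which must exist) and refuse that case.
  abs_lib=$(cd "$libdir" && pwd)
  abs_bak=$(cd "$(dirname "$backupdir")" && pwd)/$(basename "$backupdir")
  case "$abs_bak" in
    "$abs_lib"|"$abs_lib"/*) echo "refusing: backup dir must be outside lib" >&2; return 1 ;;
  esac
  mkdir -p "$abs_bak" || return 1

  # Step 3: add the new jar to lib.
  cp "$newjar" "$abs_lib/" || return 1

  # Step 4: move every other JAR out of lib. Only *.jar files are matched, so
  # directories such as lucee-server or railo-server are untouched.
  for f in "$abs_lib"/*.jar; do
    [ -f "$f" ] || continue                       # glob matched nothing
    [ "$(basename "$f")" = "$newname" ] && continue
    mv "$f" "$abs_bak/" || return 1
  done

  # Post-condition: exactly one JAR remains in lib, and it is the new one.
  count=0
  for f in "$abs_lib"/*.jar; do [ -f "$f" ] && count=$((count + 1)); done
  if [ "$count" -ne 1 ] || [ ! -f "$abs_lib/$newname" ]; then
    echo "post-check failed: lib should contain only $newname" >&2; return 1
  fi
  echo "lib now holds $newname; old JARs moved to $abs_bak"
}
```

Run it with the engine stopped, e.g. `swap_lucee_jar /opt/lucee/lib ~/lucee-5.3.7.47.jar /opt/lucee-lib-backup` (paths are assumptions), then start the engine and hit the admin page as described below.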

Once done, it was time for the moment of truth. Starting the servlet engine seemed to take forever as I wondered if there was more to do. I mean, I had like 114 jar files in the original /lib install, and now I have just one? Isn't there a wizard or some other notification that the upgrade was successful? I'm used to more hand-holding! I hit the admin page, and waited for what seemed like an eternity. (OK, that was hyperbole, but it did seem like a long time.)

It turns out no hand-holding was needed. Just like that, the new Lucee admin appeared, with all the settings intact. All websites, whether Mura CMS sites or ContentBox, came back online without a hitch. The actual process of upgrading using the five steps above took a whopping five minutes. Amazingly painless! What was I worried about? :-)

So I do have some questions about the nuts and bolts of Lucee that are outside the scope of this article, but suffice it to say that the upgrade experience was just great, and even though I didn't upgrade from a vulnerable version, I did upgrade, and that was something upgrade paralysis had been keeping me from doing, all for no reason as it turns out.

I hope your upgrade process is as seamless. From my experience, I would say it's a safe bet!