a product of
Foundeo Inc.

ColdFusion 10 Security Report
Example of a Security Report produced by HackMyCF for ColdFusion 10

This report is for a ColdFusion 10 Server, see an example security report for ColdFusion 2016 or ColdFusion 9.0.1 or ColdFusion 11 or ColdFusion 2018 or a Lucee Security Report
Want reports like this for your ColdFusion or Lucee servers? HackMyCF starts at $20/month
  • Automatically scans your server on a daily, weekly, monthly or quarterly basis
  • Get Notified when ColdFusion, Java, CommandBox, etc. need to be updated.
  • Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.

ColdFusion Server Security Report [example.com]

ColdFusion Version: 10,0,8,284032
Operating System: Windows Server 2008 R2 amd64 6.1
Web Server: Microsoft-IIS/7.5
Probe API Version: 1
Java JVM: 1.6.0_37 Sun Microsystems Inc. running as SYSTEM
JEE Server: Apache Tomcat/7.0.23
Hotfix Jars: chf10000008.jar
Cumulative Hotfixes: warning ColdFusion 10 EOL (May 16, 2017) - This version has reached End of Life - core support ended on May 16, 2017, extended support ended on May 16, 2019, security patches are no longer being issued for this version (even if security issues exist)
warning ColdFusion 10.0.23 / Cumulative Security Hotfix (April 25, 2017) NOT Installed
warning ColdFusion 10.0.22 / Cumulative Hotfix (December 20, 2016) NOT Installed
warning ColdFusion 10.0.21 / Cumulative Security Hotfix (August 30, 2016) NOT Installed
warning ColdFusion 10.0.20 / Cumulative Security Hotfix (June 14, 2016) NOT Installed
warning ColdFusion 10.0.19 / Cumulative Security Hotfix (May 10, 2016) NOT Installed
warning ColdFusion 10.0.18 / Cumulative Security Hotfix (November 17, 2015) NOT Installed
warning ColdFusion 10.0.17 / Cumulative Security Hotfix (August 27, 2015) NOT Installed
warning ColdFusion 10.0.16 / Cumulative Security Hotfix (April 14, 2015) NOT Installed
warning ColdFusion 10.0.15 / Cumulative Security Hotfix (December 9, 2014) NOT Installed
warning ColdFusion 10.0.14 / Cumulative Security Hotfix (October 14, 2014) NOT Installed
warning ColdFusion 10.0.13 / Optional Update (January 10, 2014) NOT Installed (this optional update only applies to Mac OSX 10.9)
warning ColdFusion 10.0.12 / Cumulative Security Hotfix (APSB13-27 November 12, 2013) NOT Installed
warning ColdFusion 10.0.11 / Cumulative Security Hotfix (APSB13-19 July 9, 2013) NOT Installed
warning ColdFusion 10.0.10 / Cumulative Security Hotfix (APSB13-13 May 14, 2013) NOT Installed
warning ColdFusion 10.0.9 / Cumulative Security Hotfix (APSB13-10 April 9, 2013) NOT Installed
check ColdFusion 10.0.8 / Cumulative Hotfix (February 27, 2013) Installed
check ColdFusion 10.0.7 / Cumulative Security Hotfix (APSB13-03 January 15, 2013) Installed
check ColdFusion 10.0.6 / Cumulative Security Hotfix (APSB12-26 December 11, 2012) Installed
check ColdFusion 10.0.5 / Cumulative Security Hotfix (APSB12-25 November 19, 2012) Installed
check ColdFusion 10.0.4 / Cumulative Hotfix 4 (November 2, 2012) Installed
check ColdFusion 10.0.3 / Cumulative Hotfix 3 (October 16, 2012) Installed
check ColdFusion 10.0.2 / Cumulative Security Hotfix 2 (APSB12-21 Sept 11, 2012) Installed
check ColdFusion 10.0.1 / Cumulative Hotfix 1 (Aug 31, 2012) Installed

Please note, Cumulative Hotfixes typically include all the prior hotfixes as well. So if you are on update 1, you can install update 3, and update 2 will also be installed. There are sometimes exceptions, or additional steps that you need to take. Please read the linked KB article for each hotfix you will be installing.
Mandatory Updates: check ColdFusion 10 Mandatory Update Installed

The ColdFusion 10 mandatory update, is not categorized as a security hotfix by Adobe, however because it updates the code signing certificate used by the ColdFusion hotfix installer it may have security implications if the old certificate was compromised. More Info

Is Latest? Name File Date
warning Newer Connector Available Tomcat IIS Connector
isapi_redirect.dll 2012-11-08

To Update Your Connector: Make sure you have applied all hotfixes first, then run wsconfig. If you are on Windows you need to right click on wsconfig.exe and select: Run As Administrator. For CF2016 and up you can Upgrade the connector in wsconfig, for CF10 and CF11 you will need to Remove and then Add the connector(s) again. Note, connector updates may not be required for security but generally increase server stability.

TLS / SSL Report

Common Name: check www.example.com
Certificate Expiration Date:
warn August 13, 2024 (30 days)
Public Key Size: check 2048 (2048 or greater recommended)
Signature Algorithm: check sha256WithRSAEncryption
Contains Anchor Certificate: check No
Valid Chain Order: check Yes
Protocol Support: check SSLv2 Disabled
(SSLv2 should be disabled, it has been considered weak for over 10 years and has been disabled in browsers by default since IE7)
warn SSLv3 Enabled
Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
(SSLv3 should be disabled, it has been considered weak since October 2014 due to the Poodle Vulnerability. Disabling may cause compatibility issues with IE on Windows XP, and old android clients)
warn TLSv1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(Disabling TLSv1 is Recommended, see TLS Browser Support Chart)
warn TLSv1.1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
Using IIS?

On Windows Server 2019+ There is a checkbox in the SSL / TLS bindings of IIS called Disable Legacy TLS which can be used to require TLS 1.2+: Microsoft Docs

check TLSv1.2 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
(TLS 1.2 should be enabled if TLS 1.3 is not)
Compression Supported:check No (Compression should be disabled due to CRIME)
Heartbleed: check Not Vulnerable
Logjam: warn 1024 bit DH Group Using a common prime! (a unique 2028 bit DH group is recommended More Info)
Session Renegotiation: check Client Initiated Session Renegotiation Disabled
check Secure Session Renegotiation Supported
OpenSSL CCS Injection check Not Vulnerable
Strict Transport Security warn Not Enabled More Info

We found 23 security issues on your server example.com

SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
Backdoor Discovered
Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
Security Hotfix APSB13-13 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-13 was not found on your server. This hotfix addresses a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-13.html
Security Hotfix APSB13-19 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server. This hotfix resolves a remote code execution issue over WebSockets.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-19.html
EOL ColdFusion Version
The version of ColdFusion that you are running has reached End of Life, and is no longer supported by Adobe. Security patches are no longer issued for this version. CF8 EOL 2012, CF9 EOL 2014, CF10 EOL 2017, CF11 EOL 2019, CF2016 EOL 2021, CF2018 Ends Core Support 7/13/2023, Extended Support 7/13/2024. ColdFusion 2021 has core support until 2025. ColdFusion 2023 has core support until 2028
More Information: https://helpx.adobe.com/support/programs/eol-matrix.html
AdminAPI Exposed to the Public
The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB17-14 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB17-14 was not found to be installed on your server. This hotfix resolves two important vulnerabilities CVE-2017-3008 and CVE-2017-3066. The issues are resolved in ColdFusion 10 Update 23+ ColdFusion 11 Update 12+ and ColdFusion 2016 Update 4.
More Information: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/750.cfm
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID's are not used.
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however we have detected that the RDSServlet URI is responding to requests). We recommened that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
More Information: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
More Information: https://poodle.io
Security Hotfix APSB13-10 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-10 was not found on your server. This hotfix resolves authentication issues that could allow an attacker impersonate a user in your application, or a ColdFusion Administrator.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-10.html
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
JVM Security Update Available
The JVM version you are running does not contain the latest security patches. Adobe and Oracle recommend that you run the latest patched version of Java 1.8 on CF11+. Java 1.6 has reached end of life and Oracle may not be providing fixes for future issues. If you are running CF8 or below you only Java 6 was supported. You may be able to get Java 1.8 working on older versions of ColdFusion but it may cause certain features not to work (typically SOAP web services).
More Information: https://www.petefreitag.com/item/860.cfm
Tomcat 7 Vulnerability
Tomcat 7 has reached end of life and may contain security vulnerabilities.
More Information: https://tomcat.apache.org/security-7.html
Security Hotfix APSB16-22 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB16-22 was not found to be installed on your server. This hotfix addresses an input validation issue that could result in reflected XSS. The issue is resolved in ColdFusion 10 Update 20+, ColdFusion 11 Update 9+, and ColdFusion 2016 Update 2+
More Information: https://helpx.adobe.com/security/products/coldfusion/apsb16-22.html
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
More Information: https://weakdh.org/
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
More Information: https://weakdh.org/
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you Signup for our service you can:

Pricing starts at $10/month

Severity Key

Found 8 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Found 5 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

Scan ID:

See a List of ColdFusion Security Vulnerabilities detected by this tool.