ColdFusion Server Security Report [example.com]
|Server Local IP:
|Probe API Version:
||1.8.0_72 Oracle Corporation running as root
ColdFusion 2016 Update 8 / Security Hotfix (Feb 12, 2019) Not Installed
ColdFusion 2016 Update 7 / Security Hotfix (Sep 11, 2018) Not Installed
ColdFusion 2016 Update 6 / Security Hotfix (Apr 10, 2018) Not Installed
ColdFusion 2016 Update 5 / Security Hotfix (Sep 12, 2017) Not Installed
ColdFusion 2016 Update 4 / Security Hotfix (Apr 25, 2017) Not Installed
ColdFusion 2016 Update 3 / Cumulative Hotfix (Oct 3, 2016) Not Installed
ColdFusion 2016 Update 2 / Security Hotfix (June 14, 2016) Not Installed
ColdFusion 2016 Update 1 / Security Hotfix (May 10, 2016) Installed
Please note, Cumulative Hotfixes focus on bug fixes and may or may not include security hotfixes, they are not required and Adobe may only recommend installing them if you are experiencing one of the issues resolved (please read the linked KB article).
TLS / SSL Report
We found 21 security issues on your server example.com
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
AdminAPI Exposed to the Public
The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB18-33 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB18-33 was not found to be installed on your server. This hotfix resolves 6 critical issues, one moderate and two important vulnerabilities . The issues are resolved in ColdFusion 11 Update 15+ ColdFusion 2016 Update 7+ and ColdFusion 2018 Update 1. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Security Hotfix APSB18-14 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB18-14 was not found to be installed on your server. This hotfix resolves two critical (CVE-2018-4939, CVE-2018-4942), and three important (CVE-2018-4938, CVE-2018-4940, CVE-2018-4941) vulnerabilities . The issues are resolved in ColdFusion 11 Update 14+ and ColdFusion 2016 Update 6+. For the security fix to be effective you should also have Java 8 update 121 or greater installed.
Security Hotfix APSB17-30 Not Installed Or Partailly Installed
The security hotfix referenced in Adobe Security Bulletin APSB17-30 was not found to be fully installed on your server. For the hotfix to be effective you must have Java 8 update 121 or greater installed. This hotfix resolves two critical vulnerabilities CVE-2017-11286 and CVE-2017-11283 / CVE-2017-11284 and one important vulnerability CVE-2017-11285. The issues are resolved in ColdFusion 11 Update 13+ and ColdFusion 2016 Update 5+ with Java 8 update 121 or greater.
Security Hotfix APSB17-14 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB17-14 was not found to be installed on your server. This hotfix resolves two important vulnerabilities CVE-2017-3008 and CVE-2017-3066. The issues are resolved in ColdFusion 10 Update 23+ ColdFusion 11 Update 12+ and ColdFusion 2016 Update 4.
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID's are not used.
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however we have detected that the RDSServlet URI is responding to requests). We recommened that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
Tomcat 8 Vulnerability
The version of Tomcat 8 you are running contains security vulnerabilities, upgrade to Tomcat Version 8.0.53/8.5.34 or greater. Adobe ColdFusion 2016 users should install update 7 to get Tomcat 8.5.32. Expect a future ColdFusion patch to update Tomcat to version 8.5.34 or greater.
The /cf_scripts/scripts directory is in default location.
Consider changing the default location of /cf_scripts/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
Security Hotfix APSB16-22 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB16-22 was not found to be installed on your server. This hotfix addresses an input validation issue that could result in reflected XSS. The issue is resolved in ColdFusion 10 Update 20+, ColdFusion 11 Update 9+, and ColdFusion 2016 Update 2+
Session Cookies are not marked HTTPOnly
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.
Please note, this tool is not able to test for all potential security issues that may exist.
Dig Deeper & Stay Updated with Our Paid Service
When you Signup for our service you can:
- Finds more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc (using our probe)
- Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
- Keep track of multiple servers at once
- Keep track of which hotfixes were installed and when.
- Get notified when new security hotfixes are released.
- PDF Reports
- Scan as much as you want, and view results instantly.
Pricing starts at $10/month
Found 7 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.
Found 9 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.
Found 5 Warnings
You should consider fixing these issues, however, they do not pose a large risk.