
ColdFusion 2018 Security Report
Example of a Security Report produced by HackMyCF for ColdFusion 2018


This report is for a ColdFusion 2018 server; see an example security report for ColdFusion 2023 or ColdFusion 2016, or a Lucee Security Report.
Want reports like this for your ColdFusion or Lucee servers? HackMyCF starts at $20/month
  • Automatically scans your server on a daily, weekly, monthly or quarterly basis
  • Get notified when ColdFusion, Java, CommandBox, etc. need to be updated
  • Daily, weekly, monthly or quarterly email report with information like the report below about your servers

ColdFusion Server Security Report [example.com]

ColdFusion Version: 2018,0,1,310739
Operating System: Linux x86_64
Web Server: Apache
Server Local IP: 10.11.12.13
Probe API Version: 1.8
Java JVM: 10.0.1 Oracle Corporation running as root
JEE Server: Apache Tomcat/9.0.5
Hotfix Jars: chf20180001.jar
Cumulative Hotfixes: warning ColdFusion 2018 reached End of Core Support on July 13, 2023. There may not be any further security updates for this version; please upgrade to CF2021 or CF2023. Extended support for ColdFusion 2018 ends on July 13, 2024.

warning ColdFusion 2018 Update 19 / Security Hotfix (Jul 19, 2023) Not Installed
warning ColdFusion 2018 Update 18 / Security Hotfix (Jul 14, 2023) Not Installed
warning ColdFusion 2018 Update 17 / Security Hotfix (Jul 11, 2023) Not Installed
warning ColdFusion 2018 Update 16 / Security Hotfix (Mar 14, 2023) Not Installed
warning ColdFusion 2018 Update 15 / Security Hotfix (Oct 11, 2022) Not Installed
warning ColdFusion 2018 Update 14 / Security Hotfix (May 10, 2022) Not Installed
warning ColdFusion 2018 Update 13 / Security Hotfix (Dec 17, 2021) Not Installed
warning ColdFusion 2018 Update 12 / Security Hotfix (Sep 14, 2021) Not Installed
warning ColdFusion 2018 Update 11 / Security Hotfix (Mar 22, 2021) Not Installed
warning ColdFusion 2018 Update 10 / Security Hotfix (Jul 14, 2020) Not Installed
warning ColdFusion 2018 Update 9 / Security Hotfix (Apr 14, 2020) Not Installed
warning ColdFusion 2018 Update 8 / Security Hotfix (Mar 17, 2020) Not Installed
warning ColdFusion 2018 Update 7 / Security Hotfix (Dec 10, 2019) Not Installed
warning ColdFusion 2018 Update 6 / Hotfix (Nov 20, 2019) Not Installed
warning ColdFusion 2018 Update 5 / Security Hotfix (Sep 24, 2019) Not Installed
warning ColdFusion 2018 Update 4 / Security Hotfix (Jun 11, 2019) Not Installed
warning ColdFusion 2018 Update 3 / Security Hotfix (Mar 01, 2019) Not Installed
warning ColdFusion 2018 Update 2 / Security Hotfix (Feb 12, 2019) Not Installed
check ColdFusion 2018 Update 1 / Security Hotfix (Sep 11, 2018) Installed

Please note that cumulative hotfixes typically include all prior hotfixes as well. So if you are on Update 1, you can install Update 3, and Update 2 will also be installed. There are sometimes exceptions, or additional steps that you need to take. Please read the linked KB article for each hotfix you will be installing.

TLS / SSL Report

Common Name: check www.example.com
Certificate Expiration Date: warn November 6, 2024 (30 days)
Public Key Size: check 2048 (2048 or greater recommended)
Signature Algorithm: check sha256WithRSAEncryption
Contains Anchor Certificate: check No
Valid Chain Order: check Yes
Protocol Support: check SSLv2 Disabled
(SSLv2 should be disabled; it has been considered weak for over 10 years and has been disabled by default in browsers since IE7)
warn SSLv3 Enabled
Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
(SSLv3 should be disabled; it has been considered weak since October 2014 due to the POODLE vulnerability. Disabling it may cause compatibility issues with IE on Windows XP and old Android clients)
warn TLSv1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(Disabling TLSv1 is Recommended, see TLS Browser Support Chart)
warn TLSv1.1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
check TLSv1.2 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
(TLS 1.2 should be enabled if TLS 1.3 is not)
Compression Supported: check No (compression should be disabled due to CRIME)
Heartbleed: check Not Vulnerable
Logjam: warn 1024-bit DH group using a common prime! (a unique 2048-bit DH group is recommended. More Info)
Session Renegotiation: check Client Initiated Session Renegotiation Disabled
check Secure Session Renegotiation Supported
OpenSSL CCS Injection: check Not Vulnerable
Strict Transport Security: warn Not Enabled More Info

We found 31 security issues on your server example.com

critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: https://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
critical
Security Hotfix APSB18-33 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB18-33 was not found to be installed on your server. This hotfix resolves 6 critical issues, one moderate and two important vulnerabilities. The issues are resolved in ColdFusion 11 Update 15+, ColdFusion 2016 Update 7+ and ColdFusion 2018 Update 1. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
critical
Log4Shell Security Hotfix CF2021u3 / CF2018u13
The ColdFusion Log4Shell / log4j Security Hotfix was not found to be installed on your server. This hotfix resolves a critical remote code execution vulnerability (CVE-2021-44228) and another important issue CVE-2021-45046. These issues are resolved by installing ColdFusion 2021 Update 3 or later or ColdFusion 2018 Update 13 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
More Information: https://www.petefreitag.com/blog/log4shell-coldfusion/
critical
Security Hotfix APSB20-18 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB20-18 was not found to be installed on your server. This hotfix resolves three important issues (CVE-2020-3767, CVE-2020-3768, CVE-2020-3796): insufficient input validation causing an application-level denial of service (DoS), DLL search-order hijacking causing privilege escalation, and improper access control allowing system file structure disclosure. These issues are resolved in ColdFusion 2018 Update 9+ and ColdFusion 2016 Update 15+.
critical
Security Hotfix APSB20-16 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB20-16 was not found to be installed on your server. This hotfix resolves two critical issues (CVE-2020-3761, CVE-2020-3794): arbitrary file read from the ColdFusion install directory, and arbitrary code execution of files located in the webroot or its subdirectories. These vulnerabilities appear to be related to the Tomcat Ghostcat vulnerability. These issues are resolved in ColdFusion 2018 Update 8+ and ColdFusion 2016 Update 14+.
critical
Security Hotfix APSB19-47 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB19-47 was not found to be installed on your server. This hotfix resolves two critical issues (CVE-2019-8073, CVE-2019-8074) and one important issue (CVE-2019-8072). These issues are resolved in ColdFusion 2016 Update 12+ and ColdFusion 2018 Update 5+.
critical
Security Hotfix APSB19-27 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB19-27 was not found to be installed on your server. This hotfix resolves three critical issues (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840). The issues are resolved in ColdFusion 11 Update 19+, ColdFusion 2016 Update 11+ and ColdFusion 2018 Update 4+.
critical
Security Hotfix APSB19-14 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB19-14 was not found to be installed on your server. This hotfix resolves one critical issue (CVE-2019-7816). The issue is resolved in ColdFusion 11 Update 18+, ColdFusion 2016 Update 10+ and ColdFusion 2018 Update 3+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
critical
Security Hotfix APSB19-10 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB19-10 was not found to be installed on your server. This hotfix resolves 2 issues, one important (CVE-2019-7092) and one critical (CVE-2019-7091). The issues are resolved in ColdFusion 11 Update 16+, ColdFusion 2016 Update 8+ and ColdFusion 2018 Update 2+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
critical
Security Hotfix APSB20-43 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB20-43 was not found to be installed on your server. This hotfix resolves two important issues (CVE-2020-9672, CVE-2020-9673): multiple DLL search-order hijacking vulnerabilities that could lead to privilege escalation. These issues are resolved in ColdFusion 2018 Update 10 or later and ColdFusion 2016 Update 16 or later.
critical
Security Hotfix APSB22-44 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB22-44 was not found to be installed on your server. This hotfix addresses 6 critical, 6 important and one moderate severity issues. These issues are resolved in ColdFusion 2021 Update 5 or later and ColdFusion 2018 Update 15 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
critical
Security Hotfix APSB23-25 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB23-25 was not found to be installed on your server. This hotfix addresses 2 critical and 1 important severity issues. These issues are resolved in ColdFusion 2021 Update 6 or later and ColdFusion 2018 Update 16 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
critical
Security Hotfix APSB23-40 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB23-40 was not found to be installed on your server. This hotfix addresses 2 critical and 1 important severity issues. These issues are resolved in ColdFusion 2023 Update 1 or later, ColdFusion 2021 Update 7 or later and ColdFusion 2018 Update 17 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
critical
Security Hotfix APSB23-41 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB23-41 was not found to be installed on your server. The issues it addresses are resolved in ColdFusion 2023 Update 2 or later, ColdFusion 2021 Update 8 or later and ColdFusion 2018 Update 18 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
critical
Security Hotfix APSB23-47 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB23-47 was not found to be installed on your server. The issues it addresses are resolved in ColdFusion 2023 Update 2 or later, ColdFusion 2021 Update 8 or later and ColdFusion 2018 Update 18 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
important
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with web server password protection. Also consider requiring an SSL connection.
More Information: https://www.petefreitag.com/blog/coldfusion-admin-public/
important
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session IDs may be very easy to guess if UUIDs are not used.
important
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect whether it is on or off; however, we have detected that the RDSServlet URI is responding to requests). We recommend that you block the URI /CFIDE/main/ide.cfm and/or remove the servlet mapping in web.xml to prevent unnecessary access to the RDSServlet.
important
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
important
SSL Version 3 Enabled
Your web server is accepting SSL V3 connections, which are vulnerable to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server-side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
important
The JVM is Running under a Privileged User Account
The JVM process is running under a system administrative account (e.g. SYSTEM, Administrator, or root). ColdFusion should be running under an unprivileged user account.
important
Tomcat 9 Vulnerability
The version of Tomcat 9 you are running contains security vulnerabilities that are fixed in Tomcat Version 9.0.90 or greater. Adobe ColdFusion 2021/2023 users: Update 2021.0.15/2023.0.9 or greater will update Tomcat to version 9.0.93. Lucee users should update Tomcat manually. CF2018 Users should upgrade to a supported version of ColdFusion.
important
The /cf_scripts/scripts directory is in default location.
Consider changing the default location of /cf_scripts/scripts/ or /cfscripts_2018/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
More Information: https://www.petefreitag.com/blog/coldfusion-cfide-cfscripts/
important
JVM Security Update Available
The JVM that you are running is EOL and may contain security vulnerabilities that could be exploited in server-side environments. Update to the latest supported version of Java. Support for Java 11 on CF2018 arrived in ColdFusion 2018 Update 2.
More Information: https://www.petefreitag.com/blog/updating-java-coldfusion-lucee/
important
Security Hotfix APSB22-22 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB22-22 was not found to be installed on your server. This hotfix resolves an important issue: CVE-2022-28818. This issue is resolved in ColdFusion 2021 Update 4 or later and ColdFusion 2018 Update 14 or later. For CF2018 make sure you have applied the post-installation AJP connector configuration step mentioned in CF2018 Update 8.
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents session cookies from being hijacked via a JavaScript XSS attack on modern browsers.
More Information: https://www.petefreitag.com/blog/httponly-session-coldfusion/
warning
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024-bit prime. Security researchers estimate that a nation-state could break encryption on servers using a common 1024-bit DH group prime.
warning
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH group size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (e.g. with CFHTTP) using a DH group size larger than 1024.
warning
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits; consider making a new certificate signing request (CSR) and rekeying your certificate with a 2048-bit key or larger.
warning
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you sign up for our service you can:

Pricing starts at $10/month

Severity Key

Critical
Found 16 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 5 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

See a List of ColdFusion Security Vulnerabilities detected by this tool.