This report is for a Lucee CFML Server, see also an example Railo report or an example security report for ColdFusion 2021
Want Lucee server security reports?
HackMyCF starts at $10/month
- Automatically scans your server on a daily, weekly, monthly or quarterly basis
- Get Notified when Lucee, Tomcat, Java, CommandBox, etc. need updates
- Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.
Lucee Server Security Report [example.com]
| Lucee Version: | 5.0.1.34 |
| Operating System: | UNIX Linux amd64 2.6.32-042stab063.2 i686 |
| Web Server: | nginx/1.2.5 |
| Server Local IP: | 10.0.0.80 |
| Probe API Version: | 1.9 |
| Java JVM: | 11.0.7 Oracle Corporation running as root |
| JEE Server: | WildFly / Undertow - 1.4.24.Final |
| CommandBox: | 5.1.0 (Runwar Version: 4.3.0) |
TLS / SSL Report
| Common Name: |
 www.example.com
|
| Certificate Expiration Date: |
November 7, 2017 (Expired!)
|
| Public Key Size: |
1024 (2048 or greater recommended) |
| Signature Algorithm: |
sha1WithRSAEncryption (SHA1 signatures are considered weak and may cause warnings or errors in Chrome)
|
| Protocol Support: |
SSLv2 Disabled
(SSLv2 should be disabled, it has been considered weak for over 10 years and has been disabled in browsers by default since IE7) SSLv3 Enabled
Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK (SSLv3 should be disabled, it has been considered weak since October 2014 due to the Poodle Vulnerability. Disabling may cause compatibility issues with IE on Windows XP, and old android clients) TLSv1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK (Disabling TLSv1 is Recommended, see TLS Browser Support Chart) TLSv1.1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK (TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.) TLSv1.2 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK (TLS 1.2 should be enabled if TLS 1.3 is not) |
| Compression Supported: | No (Compression should be disabled due to CRIME) |
| Heartbleed: |
Not Vulnerable
|
| Logjam: |
1024 bit DH Group Using a common prime!
(a unique 2028 bit DH group is recommended More Info)
|
| Session Renegotiation: |
Client Initiated Session Renegotiation Disabled Secure Session Renegotiation Supported |
We found 20 security issues on your server example.com
critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Lucee JSON Vulnerability LDEV-992
A vulnerability in the deserializeJSON and isJSON functions allow for information disclosure. Fixed in Lucee 4.5.3.020+, 4.5.2.013+, 5.0.0.254+, 5.0.1.53+
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
More Information: http://www.petefreitag.com/item/752.cfm
critical
Lucee Server Vulnerability 2023-01
The version of Lucee you are running is vulnerable to a security issue: CVE-2023-38693. Lucee 5.4 users should update to version 5.4.3.2 or greater, Lucee 5.3 users should update to 5.3.12.1 or greater, Lucee 6 users should update to Lucee 6.0.0.? or greater. For Lucee users running 5.3.7 through 5.3.9 following versions have also been patched: 5.3.9.173+, 5.3.8.237+, 5.3.7.59+
important
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
important
Java 11 Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 11. Note that Oracle Java 11 requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
More Information: https://www.petefreitag.com/item/860.cfm
important
Lucee Administrator is Public
Lucee Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/715.cfm
important
Lucee Docs are Public
Your website is serving docs for lucee at /lucee/doc.cfm or /lucee/doc/index.cfm allow only necessary requests under the /lucee/ URI
More Information: http://www.petefreitag.com/item/715.cfm
important
Lucee Security Issue 2015-10-20
Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+ 4.5.2.017+ and 5.0.0.98+
More Information: http://lucee.org/blog/new-lucee-security-patch-available.html
important
Lucee Server Vulnerability 2020-01
The version of Lucee you are running is vulnerable to a security issue. Please update to version 5.3.5.96, 5.3.6.68,
5.3.7.47 or greater. According to LAS 'If your Lucee Admin is already locked down, this is not an issue'.
More Information: https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
important
CommandBox Vulnerability 2020-01
The version of CommandBox you are running is vulnerable to a security issue. Please update to CommandBox version 5.2.0 or greater.
More Information: https://www.ortussolutions.com/blog/commandbox-520-released
important
CommandBox Vulnerability 2021-01
The version of CommandBox you are running is vulnerable to a security issue. Please update to CommandBox version 5.4.2 or greater.
More Information: https://www.ortussolutions.com/blog/commandbox-542-released
important
Undertow Vulnerability
The version of Undertow you are running contains known security vulnerabilities. Undertow is a JEE Servlet engine most commonly used in CFML with CommandBox. To update Undertow make sure you are running the latest version of CommandBox.
More Information: https://stack.watch/product/redhat/undertow/
important
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
important
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
More Information: https://poodle.io
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
warning
Lucee Server Context is Public
The URI /lucee-server/ is open to the public and should be blocked.
More Information: http://www.petefreitag.com/item/715.cfm
warning
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
More Information: https://weakdh.org/
warning
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
More Information: https://weakdh.org/
warning
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
Please note, this tool is not able to test for all potential security issues that may exist.
Dig Deeper & Stay Updated with Our Paid Service
When you Signup for our service you can:
- Finds more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc (using our probe)
- Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
- Keep track of multiple servers at once
- Keep track of which hotfixes were installed and when.
- Get notified when new security hotfixes are released.
- PDF Reports
- Scan as much as you want, and view results instantly.
Pricing starts at $10/month
Severity Key
Critical
Found 4 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.
Important
Found 11 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.
Warning
Found 5 Warnings
You should consider fixing these issues, however, they do not pose a large risk.
See a full List of Lucee & ColdFusion Security Vulnerabilities detected by this tool.