a product of
Foundeo Inc.
This report is for a Lucee CFML Server, see also an example Railo report or an example security report for ColdFusion 10 or ColdFusion 11 or ColdFusion 9.0.1 or ColdFusion 2016

Lucee Server Security Report [example.com]

Do you know this much about your ColdFusion server? - Subscribe for $10/month
Lucee Version:
Operating System: UNIX Linux amd64 2.6.32-042stab063.2 i686
Web Server: nginx/1.2.5
Server Local IP:
Probe API Version: 1.6
Java JVM: 1.7.0_24 Oracle Corporation running as root
JEE Server: Apache Tomcat/7.0.22

TLS / SSL Report

Common Name: check www.example.com
Certificate Expiration Date:
check November 7, 2017 (3 months)
Public Key Size:warn 1024 (2048 or greater recommended)
Signature Algorithm: warn sha1WithRSAEncryption (SHA1 signatures are considered weak and may cause warnings or errors in Chrome)
Certificate TrustStore Validation: check Mozilla NSS 04/2015: ok
check Microsoft 04/2015: ok
check Java 6 Update 65: ok
check Apple OS X 10.10.3: ok
Protocol Support: check SSLv2 Disabled
(SSLv2 should be disabled, it has been considered weak for over 10 years and has been disabled in browsers by default since IE7)
warn SSLv3 Enabled
Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
(SSLv3 should be disabled, it has been considered weak since October 2014 due to the Poodle Vulnerability. Disabling may cause compatibility issues with IE on Windows XP, and old android clients)
warn TLSv1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(TLSv1 may be enabled for existing implementations, however PCI DSS 3.1 April 2015 ยง 2.2.3 states that: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016 2018 (date changed) . Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. Disabling TLS 1.0 may cause compatibility issues in Internet Explorer, see TLS Browser Support Chart.)
check TLSv1.1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
check TLSv1.2 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
(TLS 1.2 should be enabled)
Compression Supported:check No (Compression should be disabled due to CRIME)
Heartbleed: check Not Vulnerable
Logjam: warn 1024 bit DH Group Using a common prime! (a unique 2028 bit DH group is recommended More Info)
Session Renegotiation: check Client Initiated Session Renegotiation Disabled
check Secure Session Renegotiation Supported

We found 18 security issues on your server example.com

SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
Lucee Security Issue 2015-07-03
Lucee fixed an unspecified security issue, characterized as 'very important' in version
More Information: http://lucee.org/blog/lucee-stable-release-security-update-included.html
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
More Information: http://www.petefreitag.com/item/752.cfm
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
JVM Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Java 7 is EOL as of April 2015, upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
More Information: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA
Lucee Administrator is Public
Lucee Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/715.cfm
Lucee Docs are Public
Your website is serving docs for lucee at /lucee/doc.cfm or /lucee/doc/index.cfm allow only necessary requests under the /lucee/ URI
More Information: http://www.petefreitag.com/item/715.cfm
Lucee Security Issue 2015-08-06
Lucee fixed an XSS issue in version This issue remains unpatched in Railo.
More Information: https://groups.google.com/d/topic/lucee/KYzqrcejCow/discussion
Lucee Security Issue 2015-10-20
Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee and
More Information: http://lucee.org/blog/new-lucee-security-patch-available.html
Lucee Invalid Cookie name DOS 2015-05-28
An invalid cookie name can cause a stacktrace and potentially crash Tomcat. Fixed in Lucee and Not fixed in Railo to date.
More Information: https://luceeserver.atlassian.net/browse/LDEV-348
Tomcat 7 Vulnerability
The version of Tomcat 7 you are running contains security vulnerabilities that are fixed in Tomcat Version 7.0.78 or greater.
More Information: https://tomcat.apache.org/security-7.html
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
More Information: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
More Information: https://poodle.io
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
Lucee Server Context is Public
The URI /lucee-server/ is open to the public and should be blocked.
More Information: http://www.petefreitag.com/item/715.cfm
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
More Information: https://weakdh.org/
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
More Information: https://weakdh.org/
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you Signup for our service you can:

Pricing starts at $10/month

Severity Key

Found 3 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Found 5 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

See a full List of Railo & ColdFusion Security Vulnerabilities detected by this tool.