ColdFusion Markup Language, more commonly known as CFML, is a scripting language for web development that runs on JVM, .Net framework, and Google App engine.
Multiple commercial and open-source implementations of CFML engines are available, including Adobe ColdFusion, Lucee, New Atlanta BlueDragon (who offer both a Java-based and a .NET-based version), Railo, and Open BlueDragon as well as other CFML server engines.
In this post, we will see several vulnerabilities pertaining to web applications, not unique to Coldfusion only. However, the mitigation techniques discussed are ColdFusion-specific.
By following best practices like validation, testing, code reviews, defence in depth, and the principle of least privilege, we can broaden the security across our applications.
Testing
It is always important to test code before it reaches a production server. Setting up a local or dedicated development environment is essential. Also, one can improve code quality more by writing software test cases.
MXUnit and TestBox are 2 popular testing frameworks you can leverage that was built by the ColdFusion community.
Code Reviews
Another way to improve overall security is by performing code reviews. Take time to specifically look for security vulnerabilities in your code. Utilize peer reviews or engage a third party to perform the review.
Having an independent party examine your code can sometimes reveal scenarios that the original developer didn’t consider.
Defence in Depth
When it comes to security, it never hurts to perform what may appear to be redundant security checks. Never assume that protections in one layer of the application are sufficient when additional defences can be added. Different types of defences may catch different classes of vulnerabilities. A Web Application Firewall (WAF) is a good example of defence in depth. A WAF sits in front of your application code and then logs or blocks malicious requests.
Principle of Least Privilege
The principle of least privilege is a foundational security pillar. The concept is to give the user minimal permission to do only the job at hand, and nothing more. It is important for the developer to fully understand the different roles of the system so that they can adhere to this principle.
What are CFML Vulnerabilities & Security Issues
ColdFusion is a popular web application development language, created and maintained by Adobe. Sadly, it’s also one of the least secure. If you are developing a new ColdFusion app or maintaining a legacy code base, there are a few areas you may want to review to make sure you’re not opening yourself up to unexpected risks.
Coldfusion Risks
Every development language has its own set of pitfalls and vulnerabilities. Unfortunately, ColdFusion is particularly vulnerable to some common attacks.
Adobe has never been known for having a strong security culture and as ColdFusion has grown under its wings, security controls have fallen behind.
Specifically, ColdFusion is vulnerable to login bypass exploits in all of the recent release versions (v6-v10). The details shift slightly between versions, but exploits for these vulnerabilities are widely documented and can be exploited using freely available scripts.
Similarly, ColdFusion has a number of file-disclosure weaknesses that can be exploited to obtain password hashes and other sensitive data from the system. Since administrative access to the Coldfusion console can allow an attacker to upload a web shell, this attack opens the doors to a more sophisticated compromise.
Options
From a security standpoint, the ideal solution may be to abandon ColdFusion as a development platform. But this may only be realistic if you’ve not yet begun a project or were already planning a move. For some businesses, the benefit outweighs the hassle of migrating to a new development language.
If you’re dedicated to using ColdFusion, these basic 5 security practices will help keep you protected.
Patching your code to use the latest version of the language will address many of the documented exploits and help you stay in front of new vulnerabilities.
2. You’ll have to weigh the impact of patches on your development process, but in most cases, the benefit of keeping your code base patched will outweigh operational risks.
3. IP whitelisting and similar techniques may also come into play if they are feasible in your environment.
4. Depending on your situation, it may be a good idea to have an application penetration test performed against your ColdFusion server and applications.
5. A penetration test will uncover both ColdFusion-specific issues as well as general security vulnerabilities you may not have caught with your own reviews.
This security assessment provides you with specific remediation steps your development team can address, as well as an executive summary for IT management.
List of CFML Vulnerabilities & Security Issues Detected by HackMyCF
This list is updated frequently as we detect more issues, also note that we can’t detect these issues in all cases on all servers, even if the issue has not been patched yet.
Jakarta Virtual Directory Exposed – The /jakarta virtual directory (which is required by CF10+ on Tomcat/IIS) is serving files such as isapi_redirect.properties or isapi_redirect.log. The only URI that should be served is /jakarta/isapi_redirect.dll – you can use Request Filtering to block.
Bitcoin Miner Discovered – Found files in /CFIDE that match the signature of a bitcoin miner exploit. Look for /CFIDE/m /CFIDE/m32 /CFIDE/m64 and /CFIDE/updates.cfm among others.
Hotfix APSB11-14 Not Installed – Apply the hotfixes located in Adobe Security Notice apsb11-14.
Railo Security Issue 2635 – Input of Chr(0) to the ReplaceList function can cause an infinite loop/crash. Fixed in Version 4.1.1.008
XSS Injection in cfform.js – A document.write call was found in your /CFIDE/scripts/cfform.js file, an attacker may be injecting a javascript, please check your cfform.js file.
Executable found in CFIDE – Found executable file(s) in /CFIDE with one of the following file extensions: dll, exe, bat, sh
Heartbleed Vulnerability Detected – The heartbleed vulnerability is a bug in OpenSSL (the crypto library used by Apache, NGinx, and others) that can allow the leakage of private keys used for TLS/SSL encryption.
OpenBD AdminAPI Exposed to the Public – The /bluedragon/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB12-26 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
Security Hotfix APSB17-30 Not Installed Or Partially Installed – The security hotfix referenced in Adobe Security Bulletin APSB17-30 was not found to be fully installed on your server. For the hotfix to be effective you must have Java 8 update 121 or greater installed. This hotfix resolves two critical vulnerabilities CVE-2017-11286 and CVE-2017-11283 / CVE-2017-11284 and one important vulnerability CVE-2017-11285. The issues are resolved in ColdFusion 11 Update 13+ and ColdFusion 2016 Update 5+ with Java 8 update 121 or greater.
ColdFusion Example Applications Installed – The ColdFusion example applications are installed at /cfdocs/exampleapps/ or /CFIDE/gettingstarted/, they should not be installed on a production server.
Svn Hidden Directory Exposed – A request for /.svn/text-base/index.cfm.svn-base appears to resolve to a subversion repository, which could lead to source code disclosure. Please block .svn/
Solr Search Service Exposed – CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
TLS Compression Supported – TLS Compression should be disabled due to the CRIME TLS vulnerability.
Security Hotfix APSB11-04 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB11-04 was not found to be installed on your server. This hotfix also contains most prior security hotfixes.
Git Hidden Directory Exposed – A request for /.git/config appears to resolve to a git repository, which could lead to source code disclosure. Please block .git/
Cross-Site Scripting Vulnerability CVE-2011-4368 – CVE-2011-4368 detected. Apply the hotfix located in Adobe Security Notice apsb11-29.
JVM Vulnerable to Java Null Byte Injection – The JVM that you are running is vulnerable to null byte injections (or null byte poisoning) in java.io file operations. Java 1.7.0_40+ or 1.8+ attempts to mitigate null byte injection attacks.
Java 11 Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server-side environments. Update to the latest version of Java 11. Note that Oracle Java 11 requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
Security Hotfix APSB19-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-10 was not found to be installed on your server. This hotfix resolves 2 issues, one important (CVE-2019-7092) and one critical (CVE-2019-7091). The issues are resolved in ColdFusion 11 Update 16+ ColdFusion 2016 Update 8+ and ColdFusion 2018 Update 2+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Cross-Site Scripting Vulnerability CVE-2011-0583 – CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
Apache 2.2 Security Update Available – The version of Apache you are running does not contain the most recent security fixes.
BlaseDS/AMF External XML Entity Injection – CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulliten APSB10-05, otherwise, an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don’t use BlaseDS or Flash Remoting because it is enabled in CF by default.
SSL Version 2 Enabled – Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server. TLS v.3 is in current use and if you want to update your current TLS version, then buy SSL certificate with an upgraded TLS version and secure the website and software as per your requirement.
Missing Strict-Transport-Security Header – This domain supports HTTPS but does not send the HTTP Strict-Transport-Security response header (HSTS) to force HTTPS.
The /CFIDE/scripts directory is in the default location. – Consider changing the default location of /CFIDE/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
Recalled Hotfix 10.0.3 Installed – You are running ColdFusion 10.0.3 which has been recalled by adobe due to bugs in the release. Please install the latest 10.0 hotfix.
ComponentUtils Exposed to the Public – The /CFIDE/componentutils/ directory is open to the public it should be locked down to prevent exploit.
ColdFusion Update Available – You may not be running the latest version of ColdFusion 8, consider updating to ColdFusion 8.0.1
Security Hotfix APSB13-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-10 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to impersonate a user in your application or a ColdFusion Administrator.
CVE-2010-2861 Detected – Path Traversal Vulnerability detected (CVE-2010-2861 APSB10-18), this allows an attacker to read any file on the servers file system that ColdFusion has access to (within the same drive on windows).
Security Hotfix APSB13-19 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
Security Hotfix APSB12-15 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-15 was not found to be installed on your server. This hotfix resolves a HTTP response splitting vulnerability in the ColdFusion Component Browser CVE-2012-2041.
Security Hotfix APSB16-16 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB16-16 was not found to be installed on your server. This hotfix addresses an XSS issue, a Java Deserialization Vulnerability and a TLS Hostname verification issue. This issue is fixed in ColdFusion 10 Update 19+, ColdFusion 11 Update 8+, and ColdFusion 2016 Update 1+
Vulnerable PageSpeed Module – The Version of PageSpeed Module you are using may be vulnerable to one or more vulnerabilities. Update your PageSpeed web server module to the latest version to resolve.
TLS 1.2 Is Not Enabled – Configure your server to accept TLS 1.2 connections for optimal HTTPS security. Note for IIS you must be running Windows 2008r2 or greater for TLS 1.2 support. You can use our IIS SSL / TLS configuration tool to toggle protocol support on your server.
Java 13 EOL – Java 13 has reached the end of life at the release of Java 14. It is not an LTS (Long Term Support Version), you can use Java 11 for LTS.
Lucee Security Issue 2015-08-06 – Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
Jetty Vulnerabilities – The version of Jetty you are running contains known security vulnerabilities.
Railo Security Issue 2508 – A Path Traversal Bug in Railo 4 Admin. Fixed in Versions 4.1.1.000 and 4.0.5.004
Security Hotfix APSB13-19 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server. This hotfix resolves a remote code execution issue over WebSockets.
Unsupported ColdFusion Version – The version of ColdFusion that you are running is no longer supported by Adobe. Security patches are no longer issued for this version. Upgrade to ColdFusion 11 or greater.
SSL Version 3 Enabled – Your Web Server is accepting SSL V3 connections, vulnerable to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server-side HTTPS clients (that consume your web services or APIs), and potentially bots/crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
File Upload Vulnerability in CF8 FCKeditor – The cf5_upload.cfm and cf5_connector.cfm files must be deleted. If not you may allow a remote user to upload a CFM file to the server. The apsb09-09 hotfix was not applied or all steps were not completed.
ColdFusion Debug Output Enabled – Debugging output should not be enabled for all IPs on a production server. This may also lead to some false positives in your report. Login to the ColdFusion Administrator to disable it.
Vulnerability in Railo Version – The version of Railo you are using contains known security vulnerabilities, please update to the latest version.
Hotfix Version Number Mismatch – We detected a possible problem with the installation of a hotfix. The ColdFusion server version number does not match the jar file version number. This can happen if the installation is not fully complete. Please contact us if you have any questions.
ColdFusion Update Available – You may not be running the latest version of ColdFusion 6, consider updating to ColdFusion MX 6.1
CFTOKEN is not a UUID – CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID’s are not used.
Tomcat CVE-2016-3092 Vulnerability – You are running Tomcat 7.0.68 (bundled with ColdFusion 10/11) or Tomcat 8.0.32 (bundled with ColdFusion 2016) which includes a class that is vulnerable to a Denial of Service attack. According to Adobe, ‘CF is not impacted with CVE-2016-3092’, however, if your code makes use of the Java classes in the package org.apache.tomcat.util.http.fileupload (unlikely) you may still be impacted.
Session Cookies are not marked HTTPOnly – Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
Robust Exception Information is Enabled – Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
Lucee Server Context is Public – The URI /lucee-server/ is open to the public and should be blocked.
Cross-Site Scripting Vulnerability CVE-2007-0817 – CVE-2007-0817 detected. If you are running CF 7 or below apply the hotfixes located in Adobe Security Notice APSB07-04. Otherwise, if you have a custom 404 handler, ensure that it is not outputting the user agent without properly encoding it.
Security Hotfix APSB16-30 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB16-30 was not found to be installed on your server. These hotfixes resolve a critical vulnerability that could lead to information disclosure (CVE-2016-4264). The issue is resolved in ColdFusion 10 Update 21+ and ColdFusion 11 Update 10+
Security Hotfix APSB19-27 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-27 was not found to be installed on your server. This hotfix resolves three critical (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840 ) issues. The issues are resolved in ColdFusion 11 Update 19+ ColdFusion 2016 Update 11+ and ColdFusion 2018 Update 4+.
JVM Security Update Available – The JVM that you are running is EOL and may contain security vulnerabilities that could be exploited in server-side environments. Update to the latest supported version of Java. Support for Java 11 on CF2018 arrived in ColdFusion 2018 Update 2.
PageSpeed Module Version Disclosure – The Version of PageSpeed Module you are using is being returned via an X-Page-Speed response header. Attackers can easily use the version number to determine if any unpatched vulnerabilities exist.
Security Hotfix APSB18-33 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB18-33 was not found to be installed on your server. This hotfix resolves 6 critical issues, one moderate and two important vulnerabilities. The issues are resolved in ColdFusion 11 Update 15+ ColdFusion 2016 Update 7+ and ColdFusion 2018 Update 1. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Server Header Version Disclosure – The HTTP Server header is disclosing version numbers. An attacker may use this to identify your server as vulnerabilities become known matching the version you are using.
Railo Server Context is Public – The URI /railo-server-context/ is open to the public and should be blocked.
Cross-Site Scripting Vulnerability CVE-2010-1293 – CVE-2010-1293 detected. Apply the hotfixes located in Adobe Security Notice apsb10-11
Probe Unable to Check Hotfix Directory – Due to an error (permissions or configuration), the probe was not able to read the lib/updates directory. Please login and click Test Probe or contact us for more info.
ColdFusion Administrator is Public – ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also, consider requiring an SSL connection.
Java Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server-side environments. Update to the latest supported version of Java for your CFML Server. Note that Oracle Java requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
Certificate Signature Uses SHA1 – Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
Security Hotfix APSB12-06 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-06 was not found to be installed on your server.
Security Hotfix APSB14-23 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB14-23 was not found on your server. This hotfix addresses a ColdFusion Administrator Authentication issue, an XSS issue, and an XSRF issue.
Robust Exception Information is Enabled – Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
JVM Security Update Available – The JVM version you are running does not contain the latest security patches. Adobe and Oracle recommend that you run the latest patched version of Java 1.8 on CF11+. Java 1.6 has reached the end of life and Oracle may not be providing fixes for future issues. If you are running CF8 or below you, only Java 6 was supported. You may be able to get Java 1.8 working on older versions of ColdFusion but it may cause certain features not to work (typically SOAP web services).
Cross-Site Scripting Vulnerability CVE-2009-1877 – CVE-2009-1877 detected. Apply the hotfixes located in Adobe Security Notice apsb09-12. If you are running CF11+ Make sure you have applied the latest hotfixes and blocked /CFIDE/debug/ on your web server.
Security Hotfix APSB19-58 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-58 was not found to be installed on your server. This hotfix resolves an important (CVE-2019-8256) issue. Insecure inherited permissions of the default installation directory. According to Adobe ‘Customers who have followed the lockdown procedures during installation are not impacted by this issue and ‘Users on the non-Windows platform need not apply this update. This issue is resolved in ColdFusion 2018 Update 7+.
JVM Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server-side environments. Java 7 is EOL as of April 2015, upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
Tomcat 7 Vulnerability – The version of Tomcat 7 you are running contains security vulnerabilities that are fixed in Tomcat Version 7.0.105 or greater.
Railo Security Issue 2773 – The version of railo you are using does not set the HTTPOnly flag on client cookies. Fixed in Version 4.2.0.000 and 4.1.2.005
Security Hotfix APSB13-03 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-03 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to take control of your server.
Web Server Connector Update – It appears that the web server connector is not the latest version. Apply any missing ColdFusion hotfixes and then use wsconfig to update the connector.
OpenSSL Record of Death CVE-2010-0740 – CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
Robust Exception Information is Enabled – Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information.
Railo Contains Unpatched Security Vulnerabilities Fixed in Lucee – The Railo project has not released an update in over a year. The source code for Railo has been forked into a new project called Lucee. There have been several security vulnerabilities fixed in Lucee that also existed in Railo, but remain unpatched in Railo. Because of this, we do not recommend using Railo at this time, upgrade to Lucee instead.
Security Hotfix APSB15-29 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB15-29 was not found to be installed on your server. This hotfix addresses a reflected XSS issue and a request forgery issue in BlazeDS. This issue is fixed in ColdFusion 10 Update 18+ and ColdFusion 11 Update 7+
Tomcat 7 Vulnerability – The version of Tomcat 7 you are running contains security vulnerabilities that are fixed in Tomcat Version 7.0.105 or greater. If you are running Adobe ColdFusion 11, updates 15-18 will only patch Tomcat to version 7.0.90. CF11 is EOL so no more patches will be released. CF10 also ships with Tomcat 7 and is EOL, it can only be updated to Tomcat 7.0.75 by installing update 23, do not expect future updates for CF10 or CF11.
JVM Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server-side environments. Update to the latest version of Java 1.8 or Java 11 (if supported).
RDS may be Enabled – RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however, we have detected that the RDSServlet URI is responding to requests). We recommend that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
ColdFusion 10 Mandatory Update Not Installed – The ColdFusion 10 Mandatory Update, updates the Adobe code signing certificate, the old certificate is marked to be revoked on October 4, 2012. Any hotfix update installed after that date will fail.
Security Hotfix APSB20-18 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB20-18 was not found to be installed on your server. This hotfix resolves three important (CVE-2020-3767, CVE-2020-3768, CVE-2020-3796) issues. Insufficient input validation causes an Application-level denial-of-service (DoS), DLL search-order hijacking causing Privilege escalation, and Improper access control allowing System file structure disclosure. These issues are resolved in ColdFusion 2018 Update 9+ and ColdFusion 2016 Update 15+
Lucee Security Issue 2015-10-20 – Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+ 4.5.2.017+ and 5.0.0.98+
Railo Administrator is Public – Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also, consider requiring an SSL connection.
The JVM is Running under Privileged User Account – The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an unprivileged user account.
AdminAPI Exposed to the Public – The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Tomcat 9 Vulnerability – The version of Tomcat 9 you are running contains security vulnerabilities that are fixed in Tomcat Version 9.0.37 or greater. Adobe ColdFusion 2018 users: Update 10 will only update Tomcat to version 9.0.21. Adobe typically updates Tomcat in their patches, and we do expect that a future ColdFusion 2018 hotfix will also update Tomcat. Lucee users should update Tomcat manually.
Lucee JSON Vulnerability LDEV-992 – A vulnerability in the deserializeJSON and isJSON functions allow for information disclosure. Fixed in Lucee 4.5.3.020+, 4.5.2.013+, 5.0.0.254+, 5.0.1.53+
JVM Security Update Available – The JVM that you are running is EOL and may contain security vulnerabilities that could be exploited in server-side environments. Update to the latest version of Java supported by your CFML server.
Hotfix APSB11-29 Not Installed – Apply the hotfixes located in Adobe Security Notice apsb11-29.
Security Hotfix APSB16-22 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB16-22 was not found to be installed on your server. This hotfix addresses an input validation issue that could result in reflected XSS. The issue is resolved in ColdFusion 10 Update 20+, ColdFusion 11 Update 9+, and ColdFusion 2016 Update 2+
Security Hotfix APSB13-13 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-13 was not found on your server. This hotfix addresses a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.
LogJam: DH Group Smaller than 2048 Supported – Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
Lucee Docs are Public – Your website is serving docs for lucee at /lucee/doc.cfm or /lucee/doc/index.cfm allow only necessary requests under the /lucee/ URI
The /cf_scripts/scripts directory is in default location. – Consider changing the default location of /cf_scripts/scripts/ or /cfscripts_2018/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
ColdFusion Update Available – You may not be running the latest version of ColdFusion 7, update to ColdFusion 7 Update 2: Version 7.0.2 Update to ColdFusion 7.0.2 and apply Cumulative Hot Fix 3 for additional security fixes.
Security Hotfix APSB19-14 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-14 was not found to be installed on your server. This hotfix resolves one critical (CVE-2019-7816) issue. The issues are resolved in ColdFusion 11 Update 18+ ColdFusion 2016 Update 10+ and ColdFusion 2018 Update 3+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Security Hotfix APSB19-47 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-47 was not found to be installed on your server. This hotfix resolves two critical (CVE-2019-8073, CVE-2019-8074) issues, and one important issue (CVE-2019-8072). These issues are resolved in ColdFusion 2016 Update 12+ and ColdFusion 2018 Update 5+.
Server is returning exception-message header – The default error handler for Railo or Lucee will return an HTTP response header called exception-message with the exception error message. This header may contain information that should not be disclosed to the public such as file system paths or other information that should not be disclosed. Railo 4.2.1.004 partially fixes this by default. Configure your web server to remove or overwrite this header.
The /CFIDE/debug/ directory is Exposed to the Public – The /CFIDE/debug/ directory is open to the public it should be locked down to prevent exploit. You can use Request Filtering on IIS or RedirectMatch on Apache
SSL Certificate Expires Soon – Your SSL certificate will expire soon, please make sure you renew it.
Security Hotfix APSB18-14 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB18-14 was not found to be installed on your server. This hotfix resolves two critical (CVE-2018-4939, CVE-2018-4942), and three important (CVE-2018-4938, CVE-2018-4940, CVE-2018-4941) vulnerabilities. The issues are resolved in ColdFusion 11 Update 14+ and ColdFusion 2016 Update 6+. For the security fix to be effective you should also have Java 8 update 121 or greater installed.
IIS Detailed Error Messages are Enabled – IIS Detailed Error messages disclose a lot of information about the server, such as file paths, usernames, modules and more. Go in IIS and click on Error Pages then Edit Feature Settings. You can set it to Custom Error Pages, or Detailed errors for local requests and custom error pages for remote requests which allows you to see the detailed error pages only from localhost.
Java 12 is EOL – The JVM that you are running has reached the end of its life and may contain security vulnerabilities that could be exploited in server-side environments. Update to the latest version of Java 13 instead.
File Upload Vulnerability in CF8 FCKeditor – FCKeditor file upload connector appears to be enabled. This would allow any remote user to upload files to your server.
Server Software Disclosure – Your web server responds to each request with an unnecessary HTTP header X-Powered-By which contains information about software installed on the server. This information may be used to target your site as vulnerabilities become known.
SSL Certificate Expired – Your SSL Certificate has expired.
Undertow Vulnerability – The version of Undertow you are running contains security vulnerabilities that are fixed in Undertow 2.0.23 and greater or Undertow 1.4.28 and greater. Undertow is a JEE Servlet engine most commonly used in CFML with CommandBox. To update Undertow make sure you are running the latest version of CommandBox.
Exposed _mmServerScripts – You have a _mmServerScripts folder from Dreamweaver that allows remote execution. This creates information disclosure and also possibly allows remote SQL execution. Delete all _mmServerScript folders.
Security Hotfix APSB20-16 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB20-16 was not found to be installed on your server. This hotfix resolves two critical (CVE-2020-3761, CVE-2020-3794) issues. Arbitrary file read from the Coldfusion install directory and Arbitrary code execution of files located in the webroot or its subdirectory. These vulnerabilities appear to be related to the Tomcat Ghostcat vulnerability. These issues are resolved in ColdFusion 2018 Update 8+ and ColdFusion 2016 Update 14+
Tomcat 8 Vulnerability – The version of Tomcat 8 you are running contains security vulnerabilities that are fixed in Tomcat Version 8.5.56 or greater. Adobe ColdFusion 2016 users: we expect that the next ColdFusion hotfix will also patch Tomcat. Lucee users should update Tomcat manually. Tomcat 8.0 has reached End of Life and should be updated to the latest 8.5.x version.
Security Hotfix APSB13-27 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-27 was not found on your server. This hotfix addresses an XSS vulnerability (CVE-2013-5326) on CF9 and CF10, and an unauthorized remote read access vulnerability in CF10.
RemoteShell Backdoor Discovered – Found a remote shell backdoor cfm script in /CFIDE directory. Please inspect the directory for files that should not be there.
Cross-Site Scripting Vulnerability CVE-2009-1872 – CVE-2009-1872 detected. Apply the hotfixes located in Adobe Security Notice apsb09-12
Apache Double Encoded Null Byte Vulnerability – CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
Backdoor Discovered – Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
Hotfix Install Error Detected – We detected a problem with the installation of your hotfix. Please confirm that you have followed all steps. You may have forgotten to delete a jar file for example. Feel free to contact us if you are unsure what the problem is.
OpenSSL Security Update Available – The version of OpenSSL you are running does not contain the most recent security fixes.
WEB-INF is Exposed – A request for /WEB-INF/web.xml returned the contents of the file. The WEB-INF directory is necessary for ColdFusion to function, but should not be public (it may contain passwords or other system information).
Security Hotfix APSB20-43 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB20-43 was not found to be installed on your server. This hotfix resolves two important (CVE-2020-9672, CVE-2020-9673) issues. This hotfix resolves multiple DLL search-order hijacking vulnerabilities that could lead to privilege escalation. These issues are resolved in ColdFusion 2018 Update 10 or later and ColdFusion 2016 Update 16 or later.
JVM DOS Vulnerability CVE-2010-4476 Detected – The JVM version you are using is vulnerable to a Denial of Service Attack. This issue has been fixed in Java Version 1.6.0_24, you should install the latest version of Java 1.6 or Java 1.7 (if on CF9 or greater)
Lucee Invalid Cookie name DOS 2015-05-28 – An invalid cookie name can cause a stacktrace and potentially crash Tomcat. Fixed in Lucee 4.5.1.016 and 5.0.0.50. Not fixed in Railo to date.
File Upload Vulnerability in FCKeditor – FCKeditor file upload connector appears to be enabled on standalone install at /FCKeditor/. This would allow any remote user to upload files to your server.
OpenBD Administrator is Exposed – The /bluedragon/administrator/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB17-14 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB17-14 was not found to be installed on your server. This hotfix resolves two important vulnerabilities CVE-2017-3008 and CVE-2017-3066. The issues are resolved in ColdFusion 10 Update 23+ ColdFusion 11 Update 12+ and ColdFusion 2016 Update 4.
ColdFusion Documentation Public – The ColdFusion Server Documentation is public at /cfdocs/dochome.htm this identifies the ColdFusion server version you are using.
Tomcat 10 Vulnerability – The version of Tomcat 10 you are running contains security vulnerabilities that are fixed in Tomcat Version 10.0.0M7 or greater.
Security Hotfix APSB12-25 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-25 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-5674.
Security Hotfix APSB15-07 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB15-07 was not found to be installed on your server. This hotfix addresses an input validation issue that could be used in a reflected cross-site scripting attack. This issue is fixed in ColdFusion 10 Update 16+ and ColdFusion 11 Update 5+
JSON Prefix is disabled – The Prefix serialized JSON with: // setting is not enabled in the ColdFusion Administrator. This is recommended for preventing JSON hijacking.
Security Hotfix APSB14-29 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB14-29 was not found to be installed on your server. This hotfix addresses a Denial of Service vulnerability.
Railo Path Traversal Vulnerability – A Path Traversal issue exists in the Railo Admin. Fixed in Versions 4.2.1.003 and 4.1.3.006.
Security Hotfix APSB12-21 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-21 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-2048.
Security Hotfix APSB15-21 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB15-21 was not found to be installed on your server. This hotfix addresses an information disclosure issue via external XML entities in BlaseDS. This issue is fixed in ColdFusion 10 Update 17+ and ColdFusion 11 Update 6+
Lucee Security Issue 2015-07-03 – Lucee fixed an unspecified security issue, characterized as ‘very important in version 4.5.1.022.
OpenSSL CCS Injection CVE-2014-0224 – CVE-2014-0224 detected. The version of OpenSSL you are running appears to be vulnerable to CCS Injection.
LogJam: DH Group Uses a common prime. – Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break the encryption on servers with a common 1024-bit DH group prime.
Lucee Administrator is Public – Lucee Administrator should be restricted by IP or blocked with Web Server password protection. Also, consider requiring an SSL connection.
ColdFusion 9 Update Available – You may not be running the latest version of ColdFusion 9, consider updating to ColdFusion 9.0.1
SSL Certificate Public Key Below 2048 Bits – Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
FAQ
Q1. How much does ColdFusion cost?
Ans- Adobe ColdFusion (2021 release) is sold in two editions: Standard Edition costs US$2,499 per two cores, and Enterprise Edition costs US$9,499 per eight cores. ColdFusion can also be used for development at no cost with the complimentary Developer Edition, a full-featured server for development use only.
Q2. What is ColdFusionMX?
Ans- ColdFusion MX is a powerful web application server that lets you create robust sites and applications without a long learning curve. ColdFusion MX does not require coding in traditional programming languages (for example, C/C++, Java, XML), although it supports these traditional programming languages.
Share
11 comments