This list is updated frequently as we detect more issues, also note that we can’t detect these issues in all cases on all servers, even if the issue has not been patched yet. Here are some CFML Vulnerabilities & Security Issues that you might have faced-
Jakarta Virtual Directory Exposed – The /jakarta virtual directory (which is required by CF10+ on Tomcat/IIS) is serving files such as isapi_redirect.properties or isapi_redirect.log. The only URI that should be served is /jakarta/isapi_redirect.dll – you can use Request Filtering to block.
Bitcoin Miner Discovered – Found files in /CFIDE that match the signature of a bitcoin miner exploit. Look for /CFIDE/m /CFIDE/m32 /CFIDE/m64 and /CFIDE/updates.cfm among others.
Hotfix APSB11-14 Not Installed – Apply the hotfixes located in Adobe Security Notice apsb11-14.
Railo Security Issue 2635 – Input of Chr(0) to the ReplaceList function can cause infinate loop / crash. Fixed in Version 4.1.1.008
Executable found in CFIDE – Found executable file(s) in /CFIDE with one of the following file extensions: dll, exe, bat, sh
Heartbleed Vulnerability Detected – The heartbleed vulnerability is a bug in OpenSSL (the crypto library used by Apache, NGinx, and others) that can allow the leakage of private keys used for TLS/SSL encryption.
OpenBD AdminAPI Exposed to the Public – The /bluedragon/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB12-26 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
Security Hotfix APSB17-30 Not Installed Or Partailly Installed – The security hotfix referenced in Adobe Security Bulletin APSB17-30 was not found to be fully installed on your server. For the hotfix to be effective you must have Java 8 update 121 or greater installed. This hotfix resolves two critical vulnerabilities CVE-2017-11286 and CVE-2017-11283 / CVE-2017-11284 and one important vulnerability CVE-2017-11285. The issues are resolved in ColdFusion 11 Update 13+ and ColdFusion 2016 Update 5+ with Java 8 update 121 or greater.
ColdFusion Example Applications Installed – The ColdFusion example applications are installed at /cfdocs/exampleapps/ or /CFIDE/gettingstarted/, they should not be installed on a production server.
Svn Hidden Directory Exposed – A request for /.svn/text-base/index.cfm.svn-base appears to resolve to a subversion repository, which could lead to source code disclosure. Please block .svn/
Solr Search Service Exposed – CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
TLS Compression Supported – TLS Compression should be disabled due to the CRIME TLS vulnerability.
Security Hotfix APSB11-04 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB11-04 was not found to be installed on your server. This hotfix also contains most prior security hotfixes.
Git Hidden Directory Exposed – A request for /.git/config appears to resolve to a git repository, wouch could lead to source code disclosure. Please block .git/
Cross Site Scripting Vulnerability CVE-2011-4368 – CVE-2011-4368 detected. Apply the hotfix located in Adobe Security Notice apsb11-29.
JVM Vulnerable to Java Null Byte Injection – The JVM that you are running is vulnerable to null byte injections (or null byte poisioning) in java.io file operations. Java 1.7.0_40+ or 1.8+ attempt to mitigate null byte injection attacks.
Java 11 Security Update Available – The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 11. Note that Oracle Java 11 requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
Security Hotfix APSB19-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB19-10 was not found to be installed on your server. This hotfix resolves 2 issues, one important (CVE-2019-7092) and one critical (CVE-2019-7091). The issues are resolved in ColdFusion 11 Update 16+ ColdFusion 2016 Update 8+ and ColdFusion 2018 Update 2+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Cross Site Scripting Vulnerability CVE-2011-0583 – CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
Apache 2.2 Security Update Available – The version of Apache you are running does not contain the most recent security fixes.
BlaseDS/AMF External XML Entity Injection – CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulliten APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don’t use BlaseDS or Flash Remoting because it is enabled in CF by default.
SSL Version 2 Enabled – Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
Missing Strict-Transport-Security Header – This domain supports HTTPS but does not send the HTTP Strict-Transport-Security response header (HSTS) to force HTTPS.
The /CFIDE/scripts directory is in default location. – Consider changing the default location of /CFIDE/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
Recalled Hotfix 10.0.3 Installed – You are running ColdFusion 10.0.3 which has been recalled by adobe due to bugs in the release. Please install the latest 10.0 hotfix.
ComponentUtils Exposed to the Public – The /CFIDE/componentutils/ directory is open to the public it should be locked down to prevent exploit.
ColdFusion Update Available – You may not be running the latest version of ColdFusion 8, consider updating to ColdFusion 8.0.1
Security Hotfix APSB13-10 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-10 was not found on your server. This hotfix resolves authentication issues that could allow an attacker impersonate a user in your application, or a ColdFusion Administrator.
CVE-2010-2861 Detected – Path Traversal Vulnerability detected (CVE-2010-2861 APSB10-18), this allows an attacker to read any file on the servers file system that ColdFusion has access to (within the same drive on windows).
Security Hotfix APSB13-19 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
Security Hotfix APSB12-15 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB12-15 was not found to be installed on your server. This hotfix resolves a HTTP response splitting vulnerability in the ColdFusion Component Browser CVE-2012-2041.
Security Hotfix APSB16-16 Not Installed – The security hotfix referenced in Adobe Security Bulletin APSB16-16 was not found to be installed on your server. This hotfix addresses a XSS issue, a Java Deserialization Vulnerability and a TLS Hostname verification issue. This issue is fixed in ColdFusion 10 Update 19+, ColdFusion 11 Update 8+, and ColdFusion 2016 Update 1+
Vulnerable PageSpeed Module – The Version of PageSpeed Module you are using may be vulnerable to one or more vulnerabilities. Update your PageSpeed web server module to the latest version to resolve.
TLS 1.2 Is Not Enabled – Configure your server to accept TLS 1.2 connections for optimal HTTPS security. Note for IIS you must be running Windows 2008r2 or greater for TLS 1.2 support. You can use our IIS SSL / TLS configuration tool to toggle protocol support on your server.
Java 13 EOL – Java 13 has reached end of life at the release of Java 14. It is not a LTS (Long Term Support Version), you can use Java 11 for LTS.
Lucee Security Issue 2015-08-06 – Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
I need to know the best way to determine which coldfusion script running inside Jrun's singular instance is causing the file to be written to disk. I am about to override the java.io namespace, unless someone here has a better idea. And yes, I ran PowerGREP utility to scan all files for file write strings, such as: CFIDE.componentutils.cfcexplorer While I love coldfusion as a language, and I'll never tell anyone differently, the fact is I've been trying to move away from it for years for obvious reasons. But I was looking for a job for quite a while, and finally a place was interested, at least partially because I know coldfusion. So I got the job, and now I'm supporting a bunch of CF5 ... Coldfusion CFIDE bitcoin mining exploit – URL attack vectors. Posted on September 10, 2014 February 18, 2019 by thaddeus. The MinerD / m32.exe file, the MD5 HASH for the file confirms it to be a variant of miner daemon. (lightcoin / bitcoin mining daemon) 2014-03-13 08:20:44 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/enter.cfm – 443 – 18.104.22.168 WWW-Mechanize/1.73 200 0 0 ... Bitcoin Miner Discovered – Found files in /CFIDE that match the signature of a bitcoin miner exploit. Look for /CFIDE/m /CFIDE/m32 /CFIDE/m64 and /CFIDE/updates.cfm among others. Hotfix APSB11-14 Not Installed – Apply the hotfixes located in Adobe Security Notice apsb11-14. Railo Security Issue 2635 – Input of Chr(0) to the ReplaceList function can cause infinate loop / crash. Fixed in ... Hello on two CF8 Servers which we are running for several years I could see that recently we have two processes inside the Jrun4 folder cfusion82\\cfusion.ear\\cfusion.war\\CFIDE\\m32\\m32.exe and cfusion82\\cfusion.ear\\cfusion.war\\CFIDE\\m64\\m64.exe taking 100% of the CPU. Action appears randomly and occ...