Adobe ColdFusion 11 Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2021-06-22

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
ColdFusion must limit concurrent sessions to the Administrator Console.
AC-10 - Low - CCI-000054 - V-237137 - SV-237137r641506_rule
  • RMF Control: AC-10
  • Severity: Low
  • CCI: CCI-000054
  • Version: CF11-01-000001
  • Vuln IDs: V-237137, V-62075
  • Rule IDs: SV-237137r641506_rule, SV-76565
The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. By disallowing concurrent logons, a user has a method to determine if his account has been compromised (the user will be unable to log into the Administrator Console) and is deterred from leaving an open idle session on a different workstation, which could also be used by an attacker.
Checks: C-40356r641504_chk

Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. If the setting "Allow concurrent login sessions for Administrator Console" is checked, this is a finding.

Fix: F-40319r641505_fix

Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. To disable concurrent logins, uncheck the "Allow concurrent login sessions for Administrator Console" setting and select the "Submit Changes" button.

ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service.
AC-17 - Medium - CCI-001453 - V-237138 - SV-237138r641509_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-001453
  • Version: CF11-01-000004
  • Vuln IDs: V-237138, V-62349
  • Rule IDs: SV-237138r641509_rule, SV-76839
Protecting data being sent to the PDF Service for PDF document creation prevents the data from being read or modified before the document is created and returned to the requesting application. This protection can be implemented by using https instead of the plaintext transport protocol http.
Checks: C-40357r641507_chk

Access the "PDF Service" page under the "Data & Services" menu within the Administrator Console. If there are no PDF Service Managers defined, the finding is not applicable. If any PDF Service Managers listed have "Https Enabled" set to "NO", this is a finding.

Fix: F-40320r641508_fix

If there are no PDF Service Managers in use, the finding is not applicable. Access the "PDF Service" page under the "Data & Services" menu within the Administrator Console. Edit each service and check the "Https Enabled" option.

ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session.
AC-17 - High - CCI-001453 - V-237139 - SV-237139r641512_rule
  • RMF Control: AC-17
  • Severity: High
  • CCI: CCI-001453
  • Version: CF11-01-000005
  • Vuln IDs: V-237139, V-62351
  • Rule IDs: SV-237139r641512_rule, SV-76841
Disallowing insecure, non-FIPS 140-2 modules and forcing the use of FIPS 140-2 approved encryption modules limits the attack surface available to an attacker. Several attacks, such as the POODLE attack and its variants, work by forcing an https connection to fall back to an insecure encryption module, allowing the attacker to then read the encrypted data.
Checks: C-40358r641510_chk

Review the setting "JVM arguments" within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. The parameter -Dhttps.protocols is used to set the TLS versions that the JVM can use. Valid values for this setting must be TLS versions 1.0 or higher. An example setting to use TLS versions 1.2, 1.1 and 1.0 is:
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
and an example to only use TLS version 1.2 is:
-Dhttps.protocols=TLSv1.2
If the "JVM arguments" setting does not contain the parameter -Dhttps.protocols, or if the parameter -Dhttps.protocols contains any SSL versions, this is a finding.

Fix: F-40321r641511_fix

Navigate to the "JVM arguments" setting within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. Add the parameter -Dhttps.protocols and set the parameter to the TLS versions to be used. A sample setting to use TLSv1.2, TLSv1.1 and TLSv1 is:
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
SSL versions must not be added to this parameter. Once the parameter is added to the JVM arguments, select the "Submit Changes" button to save the changes and restart the ColdFusion application server to have the changes take effect.
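The check above can be applied to the "JVM arguments" string without clicking through the console. The following is an added example written for this page, not ColdFusion or DISA code; the sample argument strings are constructed, and the jvm.config "java.args=" line format is an assumption about how ColdFusion stores the same setting on disk.

```python
"""Audit the ColdFusion "JVM arguments" string for the -Dhttps.protocols check.

Added example for this STIG rule; it is not ColdFusion or DISA code. The rule
text requires that -Dhttps.protocols be present, list TLS versions only
(1.0 or higher) and contain no SSL versions. The sample argument strings
below are constructed, and the jvm.config "java.args=" line format is an
assumption about how ColdFusion stores the same setting on disk.
"""
import shlex
from typing import Dict, List, Optional

PARAM = "-Dhttps.protocols"
# TLS protocol names as the Java runtime spells them; anything else is reported.
ALLOWED_TLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def https_protocols_value(jvm_args: str) -> Optional[str]:
    """Return the value given to -Dhttps.protocols, or None if it is absent.

    shlex.split tokenises the argument string the way a shell would, so a
    quoted argument such as "-Dhttps.protocols=TLSv1.2" is still found.
    """
    for token in shlex.split(jvm_args):
        if token == PARAM:
            return ""                 # present with no value: no restriction at all
        if token.startswith(PARAM + "="):
            return token[len(PARAM) + 1:]
    return None


def audit_https_protocols(jvm_args: str) -> Dict[str, object]:
    """Apply the STIG check to one JVM argument string.

    Returns {"finding": bool, "reason": str, "protocols": [names as configured]}.
    """
    value = https_protocols_value(jvm_args)
    if value is None:
        return {"finding": True, "reason": f"{PARAM} is not set", "protocols": []}
    protocols: List[str] = [p.strip() for p in value.split(",") if p.strip()]
    if not protocols:
        return {"finding": True, "reason": f"{PARAM} has no value", "protocols": []}
    # Any SSL name (SSLv3, SSLv2Hello, ...) is a finding under the rule text.
    ssl = [p for p in protocols if p.upper().startswith("SSL")]
    if ssl:
        return {"finding": True, "reason": "SSL version(s) configured: " + ", ".join(ssl),
                "protocols": protocols}
    unknown = [p for p in protocols if p not in ALLOWED_TLS]
    if unknown:
        return {"finding": True, "reason": "unrecognised protocol(s): " + ", ".join(unknown),
                "protocols": protocols}
    return {"finding": False, "reason": "only TLS versions configured", "protocols": protocols}


def java_args_from_jvm_config(text: str) -> str:
    """Pull the java.args= line out of jvm.config text (assumed file format)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("java.args="):
            return line[len("java.args="):]
    return ""


# Constructed sample argument strings, one per outcome the check describes.
SAMPLE_JVM_ARGS = {
    "all three TLS versions": "-server -Xmx1024m -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1",
    "TLS 1.2 only": "-server -Xmx1024m -Dhttps.protocols=TLSv1.2",
    "parameter missing": "-server -Xmx1024m -XX:MaxMetaspaceSize=192m",
    "SSLv3 fallback allowed": "-server -Dhttps.protocols=TLSv1.2,SSLv3",
}

if __name__ == "__main__":
    for label, args in SAMPLE_JVM_ARGS.items():
        result = audit_https_protocols(args)
        status = "FINDING" if result["finding"] else "compliant"
        print(f"{label:<26} {status:<10} {result['reason']}")
```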

ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3 - Medium - CCI-000213 - V-237140 - SV-237140r641515_rule
  • RMF Control: AC-3
  • Severity: Medium
  • CCI: CCI-000213
  • Version: CF11-01-000007
  • Vuln IDs: V-237140, V-62353
  • Rule IDs: SV-237140r641515_rule, SV-76843
Controlling what a user can see or change is important within the ColdFusion application server. Allowing non-privileged users to change administrative type data can cause errors within the system or DoS situations. By forcing users to identify themselves and then tying roles to that identity, an individual is presented with only those options needed to perform their duties.
Checks: C-40359r641513_chk

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review the roles assigned to each user against the ISSM approved list of user accounts and roles to determine if any user has excessive authorization. If any user has roles assigned that are not approved by the ISSM, this is a finding.

Fix: F-40322r641514_fix

Navigate to the "User Manager" page under the "Security" menu and review the roles assigned to each user. Enable only those roles for each user approved by the ISSO/ISSM.

ColdFusion must automatically terminate a user session after user inactivity.
AC-12 - Medium - CCI-002361 - V-237141 - SV-237141r641518_rule
  • RMF Control: AC-12
  • Severity: Medium
  • CCI: CCI-002361
  • Version: CF11-01-000010
  • Vuln IDs: V-237141, V-62355
  • Rule IDs: SV-237141r641518_rule, SV-76845
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting of a system-wide timeout for sessions. If this parameter is set too large, the usefulness of the parameter is lost. Care must be taken to not allow sessions to be open longer than needed, but also not set so short that users are unable to use the hosted applications.
Checks: C-40360r641516_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If the "Session Variables" setting under the "Default Timeout" section is set greater than 15 minutes, this is a finding.

Fix: F-40323r641517_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the "Session Variables" setting under the "Default Timeout" section to 15 minutes or less and select the "Submit Changes" button.

ColdFusion must set a maximum session time-out value.
AC-12 - Medium - CCI-002361 - V-237142 - SV-237142r641521_rule
  • RMF Control: AC-12
  • Severity: Medium
  • CCI: CCI-002361
  • Version: CF11-01-000011
  • Vuln IDs: V-237142, V-62357
  • Rule IDs: SV-237142r641521_rule, SV-76847
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that sets a system-wide session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. To control how large a developer can set the timeout, a maximum setting is provided.
Checks: C-40361r641519_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If the "Session Variables" setting under the "Maximum Timeout" section is set greater than "1" hour, this is a finding.

Fix: F-40324r641520_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the "Session Variables" setting under the "Maximum Timeout" section to "1" hour or less and select the "Submit Changes" button.

ColdFusion must control remote access to the Administrator Console.
AC-17 - Medium - CCI-002314 - V-237143 - SV-237143r641524_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-002314
  • Version: CF11-01-000016
  • Vuln IDs: V-237143, V-62359
  • Rule IDs: SV-237143r641524_rule, SV-76849
Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users. By default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e., single password, separate user name and password per user, or no authentication needed), any user from any network is capable of accessing the console and making changes to the server configuration, relying only on the authentication method configured for the installation. By limiting the IP addresses that can connect, the Administrator Console can be hosted on a management network and only accessed via that network, further reducing its exposure.
Checks: C-40362r641522_chk

Within the Administrator Console, navigate to the "Allowed IP Addresses" page under the "Security" menu. If the list of allowed IP addresses for accessing the ColdFusion Administrator is blank, is set to "*.*.*.*" or contains IP addresses/subnets that should not have access, this is a finding.

Fix: F-40325r641523_fix

Navigate to the "Allowed IP Addresses" page under the "Security" menu. Set the list of allowed IP addresses for accessing ColdFusion Administrator to only those IP addresses or subnets that should be capable of reaching the Administrator Console.

ColdFusion must control remote access to Exposed Services.
AC-17 - Medium - CCI-002314 - V-237144 - SV-237144r641527_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-002314
  • Version: CF11-01-000017
  • Vuln IDs: V-237144, V-62361
  • Rule IDs: SV-237144r641527_rule, SV-76851
ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, then the list of allowed IP addresses must be specified and limited to only those requiring access.
Checks: C-40363r641525_chk

Within the Administrator Console, navigate to the "Allowed IP Addresses" page under the "Security" menu. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the SA that the IP addresses and subnets specified require access. If any of the IP addresses or subnets specified do not require access, this is a finding.

Fix: F-40326r641526_fix

Navigate to the "Allowed IP Addresses" page under the "Security" menu. Remove all entries from the list under the "Allowed IP Addresses for Exposed Services" section that do not require access to ColdFusion services.

ColdFusion must control user access to Exposed Services.
AC-17 - Medium - CCI-002314 - V-237145 - SV-237145r641530_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-002314
  • Version: CF11-01-000018
  • Vuln IDs: V-237145, V-62363
  • Rule IDs: SV-237145r641530_rule, SV-76853
ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, then only those user accounts requiring access to perform the user's duties must be given access.
Checks: C-40364r641528_chk

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user by using the edit function. For each user that has values for "Allowed Services", validate with the SA that the user should have remote access to each service. If there are any users with services that are not required to perform the users' duties, this is a finding.

Fix: F-40327r641529_fix

Navigate to the "User Manager" page under the "Security" menu. Only assign services to those users who require access and only assign those services that are required to perform the user's duties.

ColdFusion must require a username and password for access by each authorized user.
AU-10 - High - CCI-000166 - V-237146 - SV-237146r641533_rule
  • RMF Control: AU-10
  • Severity: High
  • CCI: CCI-000166
  • Version: CF11-02-000030
  • Vuln IDs: V-237146, V-62365
  • Rule IDs: SV-237146r641533_rule, SV-76855
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be identified. Without this identification, events cannot be traced to a user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing users to authenticate, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.
Checks: C-40365r641531_chk

Access the "Administrator" page under the "Security" menu within the Administrator Console. If the "Separate user name and password authentication" is not selected, this is a finding.

Fix: F-40328r641532_fix

Access the "Administrator" page under the "Security" menu within the Administrator Console. Select "Separate user name and password authentication" and select the "Submit Changes" button.

ColdFusion must require each user to authenticate with a unique account.
AU-10 - Medium - CCI-000166 - V-237147 - SV-237147r641536_rule
  • RMF Control: AU-10
  • Severity: Medium
  • CCI: CCI-000166
  • Version: CF11-02-000031
  • Vuln IDs: V-237147, V-62367
  • Rule IDs: SV-237147r641536_rule, SV-76857
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be uniquely identified. Without this identification, events cannot be traced to a particular user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing each user to authenticate using a unique account, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.
Checks: C-40366r641534_chk

Review the users within the "User Manager" page under the "Security" menu. If users are not defined, this is a finding.

Fix: F-40329r641535_fix

Create user accounts within the "User Manager" page under the "Security" menu for those users that need access to the Administrator Console.

When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated.
AU-12 - Medium - CCI-000174 - V-237148 - SV-237148r641539_rule
  • RMF Control: AU-12
  • Severity: Medium
  • CCI: CCI-000174
  • Version: CF11-02-000032
  • Vuln IDs: V-237148, V-62369
  • Rule IDs: SV-237148r641539_rule, SV-76859
Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., loggable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DoD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external logging tool that provides this capability.
Checks: C-40367r641537_chk

Determine if ColdFusion is part of a clustered environment by accessing the "Instance Manager" and the "Cluster Manager" settings under the "Enterprise Manager" menu within the Administrator Console. If ColdFusion is not set up in a clustered configuration, this finding is not applicable. Ask the SA if a log record aggregation tool is being used to compile the log records from the ColdFusion application servers within the cluster for storage and review. If the log records are not being aggregated, this is a finding.

Fix: F-40330r641538_fix

Implement a strategy to aggregate the log data from the ColdFusion application servers within the cluster for system-wide log trail storage and review.

ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
AU-12 - Medium - CCI-000171 - V-237149 - SV-237149r641542_rule
  • RMF Control: AU-12
  • Severity: Medium
  • CCI: CCI-000171
  • Version: CF11-02-000034
  • Vuln IDs: V-237149, V-62371
  • Rule IDs: SV-237149r641542_rule, SV-76861
ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure loggable events. Allowing users other than the ISSM and appointed individuals to turn logged events on or off allows a user to mask their actions by disabling logging. By enabling excessive logging or by enabling debugging, a user can generate logged events containing information that can be used to later attack the system or gain access to Personally Identifiable Information (PII).
Checks: C-40368r641540_chk

Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only the ISSM, or users appointed by the ISSM to change loggable events, may have the following roles:
  • Debugging and Logging>Logging
  • Debugging and Logging>Code Analyzer
  • Debugging and Logging>Debugging
  • Debugging and Logging>License Scanner
  • Debugging and Logging>System Probes
If any other users have any of these roles, this is a finding.

Fix: F-40331r641541_fix

Navigate to the "User Manager" page under the "Security" menu and assign the following roles only to the ISSM and to users appointed by the ISSM to change loggable events:
  • Debugging and Logging>Logging
  • Debugging and Logging>Code Analyzer
  • Debugging and Logging>Debugging
  • Debugging and Logging>License Scanner
  • Debugging and Logging>System Probes

ColdFusion must log scheduled tasks.
AU-3 - Low - CCI-000132 - V-237150 - SV-237150r641545_rule
  • RMF Control: AU-3
  • Severity: Low
  • CCI: CCI-000132
  • Version: CF11-02-000040
  • Vuln IDs: V-237150, V-62373
  • Rule IDs: SV-237150r641545_rule, SV-76863
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain data such as application components, modules, session identifiers, filenames, host names, and functionality. ColdFusion inherently logs the location of events that take place during the normal operation of the application server, but the execution of tasks by the task scheduler is not logged by default. Logging the execution of a task through the scheduler helps the administrator understand how a task was executed and also helps the administrator recognize whether unauthorized scheduled tasks have been created.
Checks: C-40369r641543_chk

Within the Administrator Console, navigate to the "Logging Settings" page under the "Debugging & Logging" menu. If "Enable logging for scheduled tasks" is not checked, this is a finding.

Fix: F-40332r641544_fix

Navigate to the "Logging Settings" page under the "Debugging & Logging" menu. Check "Enable logging for scheduled tasks" and select the "Submit Changes" button.

The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console.
AU-9 - Medium - CCI-000162 - V-237151 - SV-237151r641548_rule
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000162
  • Version: CF11-02-000049
  • Vuln IDs: V-237151, V-62375
  • Rule IDs: SV-237151r641548_rule, SV-76865
Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may reveal system design, user access/IP addresses, interconnected systems, and security settings such as the encryption used and version numbers. Read access to this data, whether through the Administrator Console or through the OS, must be controlled and limited to only those individuals who need it to fulfill their responsibilities.
Checks: C-40370r641546_chk

Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only users given the responsibility to read logs should have the following role assigned:
  • Debugging and Logging>Logging
If any user, other than those assigned to read logs, is assigned this role, this is a finding.

Fix: F-40333r641547_fix

Enable the Debugging and Logging>Logging role for those users that require the ability to read log files. This parameter is set in the "User Manager" page under the "Security" menu.

The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.
AU-9 - Medium - CCI-000162 - V-237152 - SV-237152r641551_rule
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000162
  • Version: CF11-02-000050
  • Vuln IDs: V-237152, V-62377
  • Rule IDs: SV-237152r641551_rule, SV-76867
Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may reveal system design, user access/IP addresses, interconnected systems, and security settings such as the encryption used and version numbers. Read access to this data, whether through the Administrator Console or through the OS, must be controlled and limited to only those individuals who need it to fulfill their responsibilities.
Checks: C-40371r641549_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions:
  • ColdFusion running on Windows should have Full control for the Administrators group and the user running ColdFusion.
  • ColdFusion running on Linux should have the permissions set to "750" or more restrictive.
If the permissions are not set correctly for the log directory and log files, this is a finding.

Fix: F-40334r641550_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set by:

ColdFusion running on Windows:
1. Right click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux:
Use the chmod command to set the permissions correctly. For example, if the log directory is located at /opt/cf11/cfusion/logs, the command would be:
chmod -R 750 /opt/cf11/cfusion/logs

The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly.
AU-9 - Medium - CCI-000163 - V-237153 - SV-237153r641554_rule
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000163
  • Version: CF11-02-000051
  • Vuln IDs: V-237153, V-62379
  • Rule IDs: SV-237153r641554_rule, SV-76869
Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either deleted or modified to hide what actions took place. Users are unable to modify log data through the Administrator Console, so protection from modification must be enforced at the OS level. This is performed by properly setting file permissions and enforcing user logons that match each user's job role.
Checks: C-40372r641552_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions:
  • ColdFusion running on Windows should have Full control for the Administrators group and the user running ColdFusion.
  • ColdFusion running on Linux should have the permissions set to "750" or more restrictive.
If the permissions are not set correctly for the log directory and log files, this is a finding.

Fix: F-40335r641553_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set by:

ColdFusion running on Windows:
1. Right click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux:
Use the chmod command to set the permissions correctly. For example, if the log directory is located at /opt/cf11/cfusion/logs, the command would be:
chmod -R 750 /opt/cf11/cfusion/logs

The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.
AU-9 - Medium - CCI-000164 - V-237154 - SV-237154r641557_rule
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000164
  • Version: CF11-02-000052
  • Vuln IDs: V-237154, V-62381
  • Rule IDs: SV-237154r641557_rule, SV-76871
When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigning the proper privileges to the log files and also giving OS users limited roles.
Checks: C-40373r641555_chk

Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only users given the responsibility to delete logs should have the Debugging and Logging>Logging role assigned. If any user, other than those assigned the capability to delete logs, is assigned this role, this is a finding.

Fix: F-40336r641556_fix

Enable the Debugging and Logging>Logging role for those users that require the ability to delete log files. This parameter is set in the "User Manager" page under the "Security" menu.

The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly.
AU-9 - Medium - CCI-000164 - V-237155 - SV-237155r641560_rule
  • RMF Control: AU-9
  • Severity: Medium
  • CCI: CCI-000164
  • Version: CF11-02-000053
  • Vuln IDs: V-237155, V-62383
  • Rule IDs: SV-237155r641560_rule, SV-76873
When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and makes later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigning the proper privileges to the log files and also giving OS users limited roles.
Checks: C-40374r641558_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions: ColdFusion running on Windows should have full control for the Administrators group and the user running ColdFusion. ColdFusion running on Linux should have the permissions set to "750" or more restrictive. If the permissions are not set correctly for the log directory and log files, this is a finding.

Fix: F-40337r641559_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set as follows.

ColdFusion running on Windows:
1. Right-click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux: Use the chmod command to set the permissions correctly. For example, if the log directory is located at /opt/cf11/cfusion/logs, the command would be:
chmod -R 750 /opt/cf11/cfusion/logs

ColdFusion must send log records to the operating system logging facility.
AU-9 - Medium - CCI-001348 - V-237156 - SV-237156r641563_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
CF11-02-000057
Vuln IDs
  • V-237156
  • V-62385
Rule IDs
  • SV-237156r641563_rule
  • SV-76875
Protection of log data includes assuring log data is not accidentally lost or deleted. By sending some of the log messages to the operating system logging facilities, these log messages become part of the OS log history, become part of the log review performed by the OS administrator, and become part of the backup of OS log data. Note: This feature is only available for Linux installations.
Checks: C-40375r641561_chk

This feature is not present when ColdFusion is installed on Windows; therefore, this requirement is not applicable to Windows installations. Within the Administrator Console, navigate to the "Logging Settings" page under the "Debugging & Logging" menu. If "Use operating system logging facilities" is not checked, this is a finding.

Fix: F-40338r641562_fix

Navigate to the "Logging Settings" page under the "Debugging & Logging" menu. Check "Use operating system logging facilities" and select the "Submit Changes" button.

ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements.
AU-4 - Medium - CCI-001849 - V-237157 - SV-237157r641566_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
CF11-02-000064
Vuln IDs
  • V-237157
  • V-62387
Rule IDs
  • SV-237157r641566_rule
  • SV-76877
The proper management of log records not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain the logs online for a defined period of time. If adequate online log storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected. It is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on the application server until they can be archived to a log system or, in some instances, a Storage Area Network (SAN). Regardless of the method used, log record storage capacity must be sufficient to store log data when the data cannot be off-loaded to a log system or a SAN. ColdFusion handles logs by allowing the administrator to specify a maximum log file size and how many archives to keep online. This allows the administrator to size the storage correctly to meet the organization's requirement for how long log files must remain available online, and to provision that storage before archives are off-loaded to off-line storage.
Checks: C-40376r641564_chk

Locate the log file directory by viewing the "Log directory" setting within the "Logging Settings" page under the "Debugging & Logging" menu. Also make note of the "Maximum number of archives" and "Maximum file size (in kilobytes)" settings. Next, view the number of log files generated. This can be found by accessing the "Log Files" page under the "Debugging & Logging" menu. Count the number of log files. If "Maximum number of archives" multiplied by "Maximum file size (in kilobytes)" multiplied by the number of log files is larger than the storage where the log directory is located, this is a finding.

Fix: F-40339r641565_fix

Move the location of the log files to a directory that has sufficient storage to meet the organization-defined log record storage requirement.
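The arithmetic in this check, as an added example script that is not part of the STIG or of ColdFusion. The two settings are copied from the "Logging Settings" page and passed in; the assumption that active log files end in ".log" is marked in the code, and the command-line values 10 archives and 5000 KB are illustrative only.

```python
"""Apply the storage check of CF11-02-000064: worst-case log volume is
"Maximum number of archives" x "Maximum file size (in kilobytes)" x number of
log files, and it must fit on the storage holding the log directory.
Added example, not part of the STIG or of ColdFusion."""
import os
import shutil
from dataclasses import dataclass


@dataclass
class StorageReport:
    log_files: int
    required_bytes: int
    capacity_bytes: int

    @property
    def finding(self):
        # The STIG's test: the worst case must not exceed the storage size.
        return self.required_bytes > self.capacity_bytes

    @property
    def headroom_bytes(self):
        return self.capacity_bytes - self.required_bytes


def count_log_files(log_dir):
    """Number of active log files (what the "Log Files" page lists).
    Assumption: active logs are the regular files ending in ".log"; rotated
    archives carry a different suffix and are not counted here, because the
    archive count is already a factor of the formula."""
    return sum(1 for n in os.listdir(log_dir)
               if n.endswith(".log") and os.path.isfile(os.path.join(log_dir, n)))


def required_log_storage(max_archives, max_file_kb, log_files):
    """Bytes the settings allow every log file and its archives to occupy."""
    return max_archives * max_file_kb * 1024 * log_files


def check_log_storage(log_dir, max_archives, max_file_kb, capacity_bytes=None):
    """Build the report. Capacity defaults to the size of the filesystem that
    holds log_dir; a reviewer can pass the volume size explicitly instead."""
    if capacity_bytes is None:
        capacity_bytes = shutil.disk_usage(log_dir).total
    n = count_log_files(log_dir)
    return StorageReport(n, required_log_storage(max_archives, max_file_kb, n),
                         capacity_bytes)


if __name__ == "__main__":
    import sys
    # Illustrative call:  python3 cf_log_storage.py /opt/cf11/cfusion/logs 10 5000
    log_dir, archives, size_kb = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    r = check_log_storage(log_dir, archives, size_kb)
    print(f"{r.log_files} log files, worst case {r.required_bytes:,} bytes "
          f"on a {r.capacity_bytes:,}-byte volume")
    print("FINDING" if r.finding else "not a finding")
```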

ColdFusion log records must be off-loaded onto a different system or media from the system being logged.
AU-4 - Medium - CCI-001851 - V-237158 - SV-237158r641569_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CF11-02-000065
Vuln IDs
  • V-237158
  • V-62389
Rule IDs
  • SV-237158r641569_rule
  • SV-76879
Information system logging capability is critical for accurate forensic analysis. Off-loading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records on to a different system or media than the system being logged. ColdFusion offers the capability to set the number of archived log files to keep before overwriting the file along with the maximum file size before generating an archive. This allows the administrator to set up a scheduled task or a centralized log management system to pull the log files.
Checks: C-40377r641567_chk

Locate the log file directory by viewing the "Log directory" setting within the "Logging Settings" page under the "Debugging & Logging" menu. Have the administrator show the scheduled task or log management application that accesses this directory and stores the log files to another system or media. If the administrator cannot demonstrate that the log files are being stored to another system or media, this is a finding.

Fix: F-40340r641568_fix

Configure a scheduled task or log management application to store the log files to another system or media.

ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems.
AU-4 - Medium - CCI-001851 - V-237159 - SV-237159r641572_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CF11-02-000079
Vuln IDs
  • V-237159
  • V-62391
Rule IDs
  • SV-237159r641572_rule
  • SV-76881
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. ColdFusion does not offer an automated mechanism to off-load logs, but ColdFusion does have the capability to create archive log files. By using the archive capability, off-loading can be set up using a weekly scheduled task for standalone systems. For interconnected systems, applications such as syslog on Linux can be used to off-load data simultaneously.
Checks: C-40378r641570_chk

Interview the administrator to determine whether or not ColdFusion logs are transferred to another system weekly for standalone systems and simultaneously for interconnected systems. If the logs are not transferred weekly for standalone systems and simultaneously for interconnected systems, this is a finding.

Fix: F-40341r641571_fix

Implement a strategy that transfers logs weekly for standalone systems and simultaneously for interconnected systems.
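One way to implement the weekly transfer for a standalone system that this rule and CF11-02-000065 call for, as an added example that is not part of the STIG or of ColdFusion. It copies the log directory to a timestamped folder on the destination, verifies each copy by SHA-256 and appends a manifest line the administrator can show a reviewer; the destination path /mnt/logarchive/cf11 and the script name are assumptions.

```python
"""Weekly off-load of ColdFusion log files to another system or media
(CF11-02-000065, CF11-02-000079).  Added example, not part of the STIG or of
ColdFusion.  The destination is assumed to be a mount of the remote system
or SAN; sources are never deleted, local retention stays governed by the
archive settings in the Administrator Console."""
import hashlib
import json
import os
import shutil
import time

CHUNK = 1 << 16


def copy_with_digest(src, dst):
    """Copy src to dst in one pass, hashing exactly the bytes written, so the
    recorded digest matches the copy even if the live log grows meanwhile."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    shutil.copystat(src, dst)  # keep the original timestamps for forensics
    return h.hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def offload_logs(log_dir, dest_dir, manifest="offload-manifest.jsonl", now=None):
    """Copy every regular file in log_dir into dest_dir/<UTC timestamp>/,
    verify each copy by re-reading it, append one JSON line to the manifest
    and return the list of entries written."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    target = os.path.join(dest_dir, stamp)
    os.makedirs(target, exist_ok=True)
    entries = []
    for name in sorted(os.listdir(log_dir)):
        src = os.path.join(log_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(target, name)
        digest = copy_with_digest(src, dst)
        if sha256_file(dst) != digest:  # the copy must read back intact
            raise IOError(f"verification failed for {dst}")
        entries.append({"file": name, "bytes": os.path.getsize(dst), "sha256": digest})
    with open(os.path.join(dest_dir, manifest), "a") as m:
        m.write(json.dumps({"run": stamp, "source": log_dir, "files": entries}) + "\n")
    return entries


if __name__ == "__main__":
    import sys
    # Assumed weekly cron entry:
    #   0 2 * * 0  python3 offload_cf_logs.py /opt/cf11/cfusion/logs /mnt/logarchive/cf11
    done = offload_logs(sys.argv[1], sys.argv[2])
    print(f"off-loaded {len(done)} files")
```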

The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.
AU-9 - Medium - CCI-000162 - V-237160 - SV-237160r641575_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
CF11-02-000080
Vuln IDs
  • V-237160
  • V-62393
Rule IDs
  • SV-237160r641575_rule
  • SV-76883
Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may reveal system design, user access/IP addresses, interconnected systems, and security settings such as the encryption used and version numbers. Read access to this data, whether through the Administrator Console or through the OS, must be controlled and limited to only those individuals who need it to fulfill their responsibilities.
Checks: C-40379r641573_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions: ColdFusion running on Windows should have Full control for the Administrators group and the user running ColdFusion. No other users should have permissions. ColdFusion running on Linux must have group ownership set to "root" and the owner set to the user running ColdFusion. If the ownership of the log directory and log files is incorrect, this is a finding.

Fix: F-40342r641574_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set as follows.

ColdFusion running on Windows:
1. Right-click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux: Use the chown command to set the owner and group. For example, if the log directory is located at /opt/cf11/cfusion/logs and the owner is to be cfuser, the command would be:
chown -R cfuser:root /opt/cf11/cfusion/logs

The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly.
AU-9 - Medium - CCI-000163 - V-237161 - SV-237161r641578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
CF11-02-000081
Vuln IDs
  • V-237161
  • V-62395
Rule IDs
  • SV-237161r641578_rule
  • SV-76885
Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either deleted or modified to hide what actions took place. Users are unable to modify log data through the Administrator Console, so protection from modification can only be enforced at the OS level. This is performed by properly setting file permissions and enforcing user logons that match each user's job role.
Checks: C-40380r641576_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions: ColdFusion running on Windows should have full control for the Administrators group and the user running ColdFusion. No other users should have permissions. ColdFusion running on Linux must have group ownership set to "root" and the owner set to the user running ColdFusion. If the ownership of the log directory and log files is incorrect, this is a finding.

Fix: F-40343r641577_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set as follows.

ColdFusion running on Windows:
1. Right-click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux: Use the chown command to set the owner and group. For example, if the log directory is located at /opt/cf11/cfusion/logs and the owner is to be cfuser, the command would be:
chown -R cfuser:root /opt/cf11/cfusion/logs

The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly.
AU-9 - Medium - CCI-000164 - V-237162 - SV-237162r641581_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
CF11-02-000082
Vuln IDs
  • V-237162
  • V-62397
Rule IDs
  • SV-237162r641581_rule
  • SV-76887
When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and makes later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigning the proper privileges to the log files and also giving OS users limited roles.
Checks: C-40381r641579_chk

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log files should have the following permissions: ColdFusion running on Windows should have full control for the Administrators group and the user running ColdFusion. No other users should have permissions. ColdFusion running on Linux must have group ownership set to "root" and the owner set to the user running ColdFusion. If the ownership of the log directory and log files is incorrect, this is a finding.

Fix: F-40344r641580_fix

Locate the logs directory for ColdFusion. The location can be found in the Administrator Console within the "Logging Settings" page under the "Debugging & Logging" menu. The log directory and log file permissions can be set as follows.

ColdFusion running on Windows:
1. Right-click on the logs directory for ColdFusion and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux: Use the chown command to set the owner and group. For example, if the log directory is located at /opt/cf11/cfusion/logs and the owner is to be cfuser, the command would be:
chown -R cfuser:root /opt/cf11/cfusion/logs

ColdFusion must limit applications from changing shared Java components.
CM-5 - Medium - CCI-001499 - V-237163 - SV-237163r641584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
CF11-03-000091
Vuln IDs
  • V-237163
  • V-62399
Rule IDs
  • SV-237163r641584_rule
  • SV-76889
Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML code that can directly access these components and settings, the programmer can change how shared Java components work and create new Java components. By disabling this option, the programmer is unable to read or modify administration and configuration information for the server and shared Java components.
Checks: C-40382r641582_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding.

Fix: F-40345r641583_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable access to internal ColdFusion Java components" and select the "Submit Changes" button.

ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries.
CM-5 - Medium - CCI-001499 - V-237164 - SV-237164r641587_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
CF11-03-000092
Vuln IDs
  • V-237164
  • V-62401
Rule IDs
  • SV-237164r641587_rule
  • SV-76891
Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by an SA to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, he can then attempt to revert the system to an unsecure version that may have known and documented weaknesses which could be used to compromise ColdFusion. To protect against this type of attack and to further define roles for users, controlling access to the patch management functionality is important. Proper protection is performed through assigning the appropriate roles to the users of the Administrator Console and through least-privilege permissions assigned at the OS level.
Checks: C-40383r641585_chk

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to server patch management functions. For each user that should not be able to access patch management functions, review the roles assigned to the user account. If the user has the "Server Updates" role, this is a finding.

Fix: F-40346r641586_fix

Navigate to the "User Manager" page under the "Security" menu. Remove the "Server Updates" role from each user that should not have access to patch management functions.

ColdFusion must protect software libraries from being changed by OS users.
CM-5 - Medium - CCI-001499 - V-237165 - SV-237165r641590_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
CF11-03-000093
Vuln IDs
  • V-237165
  • V-62403
Rule IDs
  • SV-237165r641590_rule
  • SV-76893
Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by an SA to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, he can then attempt to revert the system to an unsecure version that may have known and documented weaknesses which could be used to compromise ColdFusion. To protect against this type of attack and to further define roles for users, controlling access to the patch management functionality is important. Proper protection is performed through assigning the appropriate roles to the users of the Administrator Console and through least-privilege permissions assigned at the OS level.
Checks: C-40384r641588_chk

Locate the hf-updates directory for ColdFusion. Review the permissions on the hf-updates directory. ColdFusion running on Windows should have full control for the Administrators group and the user running the ColdFusion application. No other users or groups should have permissions. If permissions are granted to other users or groups, this is a finding. If ColdFusion is installed on Linux, the permissions must be "750" or more restrictive with the owner set to the user running the ColdFusion service and a group of root. If the permissions are more permissive, this is a finding.

Fix: F-40347r641589_fix

Locate the hf-updates directory for ColdFusion. The hf-updates directory should have the following permissions.

ColdFusion running on Windows:
1. Right-click on the "hf-updates" directory and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox to "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux: Use the chmod command to set the permissions correctly and chown to set the owner and group. For example, if the hf-updates directory is found at /opt/cf11/cfusion/hf-updates and you want to set the owner to cfuser, the commands would be:
chown cfuser:root /opt/cf11/cfusion/hf-updates
chmod 750 /opt/cf11/cfusion/hf-updates
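For the Linux side of this rule and of the log-directory rules above (CF11-02-000053, CF11-02-000080, CF11-02-000081 and CF11-02-000082), an audit script added here as an example; it is not part of the STIG or of ColdFusion. The paths and the service user name cfuser are the STIG's illustrative values, and the script accepts any directory, owner and group on the command line.

```python
"""Audit a ColdFusion directory tree against the Linux ownership and mode
rules stated in this STIG: mode 750 or more restrictive, owner set to the
ColdFusion service user, group set to root.  Added example, not part of the
STIG or of ColdFusion."""
import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    reason: str


def _uid(owner):
    """Accept a user name (e.g. "cfuser") or a numeric uid."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def _gid(group):
    """Accept a group name (e.g. "root") or a numeric gid."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def audit_tree(root, owner, group, max_mode=0o750):
    """Return a Finding for every entry under `root` (the directory itself
    included) whose permission bits exceed `max_mode`, or whose owner or group
    differ from the expected ones.  "750 or more restrictive" is checked as
    "no bit set outside 0o750"; setuid/setgid/sticky bits count as excess
    because S_IMODE keeps them.  Symlinks are inspected, not followed."""
    want_uid, want_gid = _uid(owner), _gid(group)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for p in paths:
        st = os.lstat(p)
        mode = stat.S_IMODE(st.st_mode)
        excess = mode & ~max_mode
        if excess:
            findings.append(Finding(p, f"mode {mode:04o} exceeds {max_mode:04o} "
                                       f"(extra bits {excess:04o})"))
        if st.st_uid != want_uid:
            findings.append(Finding(p, f"owner uid {st.st_uid}, expected {want_uid}"))
        if st.st_gid != want_gid:
            findings.append(Finding(p, f"group gid {st.st_gid}, expected {want_gid}"))
    return findings


if __name__ == "__main__":
    # Illustrative calls, using the STIG's example paths and user name:
    #   python3 audit_cf_dir.py /opt/cf11/cfusion/logs cfuser root
    #   python3 audit_cf_dir.py /opt/cf11/cfusion/hf-updates cfuser root
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} DIRECTORY OWNER GROUP")
    found = audit_tree(sys.argv[1], sys.argv[2], sys.argv[3])
    for f in found:
        print(f"FINDING {f.path}: {f.reason}")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one entry needs the chmod or chown from the fix text above.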

ColdFusion must only allow approved file extensions.
CM-7 - Medium - CCI-000381 - V-237166 - SV-237166r641593_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000096
Vuln IDs
  • V-237166
  • V-62405
Rule IDs
  • SV-237166r641593_rule
  • SV-76895
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. One area of concern is the file types that can be included in cfm and cfml files by programmers. To control what types of technologies are used in the development of hosted applications, a default whitelist can be created and approved by the ISSO. This list includes only those file extensions that are used by the hosted applications. By default, cfm and cfml are included and do not have to be specified. The list must not contain the wildcard string "*.*".
Checks: C-40385r641591_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding. If the "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding.

Fix: F-40348r641592_fix

Navigate to the "Settings" page under the "Server Settings" menu. Enter the list of approved file extensions in the "Allowed file extensions for CFInclude tag" field and select the "Submit Changes" button. A blank list will only allow cfm and cfml files to be included and fulfills this requirement.

ColdFusion must disable Flash Remoting support.
CM-7 - High - CCI-000381 - V-237167 - SV-237167r641596_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
CF11-03-000097
Vuln IDs
  • V-237167
  • V-62407
Rule IDs
  • SV-237167r641596_rule
  • SV-76897
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Flash Remoting allows a Flash client to connect to the ColdFusion server and invoke ColdFusion Components (CFCs). Allowing this service to be enabled when not needed by hosted applications and when ColdFusion server monitoring is not being used provides an avenue for an attacker to gain access to the server.
Checks: C-40386r641594_chk

Ask the administrator if ColdFusion server monitoring is being used or if Flash Remoting is being used by any hosted applications. If ColdFusion server monitoring is being used or hosted applications are using Flash Remoting, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If the "Enable Flash Remoting" option is checked, this is a finding.

Fix: F-40349r641595_fix

Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck the "Enable Flash Remoting" option and select the "Submit Changes" button.

ColdFusion must disable the In-Memory File System.
CM-7 - Medium - CCI-000381 - V-237168 - SV-237168r641599_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000098
Vuln IDs
  • V-237168
  • V-62409
Rule IDs
  • SV-237168r641599_rule
  • SV-76899
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. ColdFusion offers an in-memory file system. This feature can be used to have dynamic code execute quickly, which in turn enables an application to execute quicker. This feature can also be used by an attacker to execute dynamic code that is erased and unrecoverable on system reboot, making forensic analysis impossible.
Checks: C-40387r641597_chk

Ask the administrator if the in-memory file system is being used by any hosted applications. If hosted applications are using the in-memory file system, this is not a finding. Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Enable In-Memory File System" is checked, this is a finding.

Fix: F-40350r641598_fix

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Enable In-Memory File System" and select the "Submit Changes" button.

ColdFusion must have Event Gateway Services disabled.
CM-7 - Medium - CCI-000381 - V-237169 - SV-237169r641602_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000099
Vuln IDs
  • V-237169
  • V-62411
Rule IDs
  • SV-237169r641602_rule
  • SV-76901
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Event Gateway Services are used to pass events from external sources to specified ColdFusion components. Since this gateway accepts events from external sources, a listener must be present. When the service is enabled, the listener is started and memory, queues, and processes are allocated for gateway processing. These resources can be used by an attacker and should be disabled if the feature is not being used for hosted applications.
Checks: C-40388r641600_chk

Ask the administrator if Event Gateway services are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "Settings" page under the "Event Gateways" menu. If "Enable ColdFusion Event Gateway Services" is checked, this is a finding.

Fix: F-40351r641601_fix

Navigate to the "Settings" page under the "Event Gateway" menu. Uncheck "Enable ColdFusion Event Gateway Services" and select the "Submit Changes" button.

ColdFusion must have Remote Development Services (RDS) disabled.
CM-7 - High - CCI-000381 - V-237170 - SV-237170r641605_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
CF11-03-000100
Vuln IDs
  • V-237170
  • V-62413
Rule IDs
  • SV-237170r641605_rule
  • SV-76903
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Development Services (RDS) is used in a development environment to allow authenticated users access to the server using special features within code editors like Dreamweaver, HomeSite+, ColdFusion Studio, and Eclipse to obtain information from the server. For example, developers can determine what data sources exist, query them, build code based on them, and more. RDS also enables access from within the editors to files on the server (even remotely) over HTTP, as an alternative to FTP. This feature is not meant for production environments.
Checks: C-40389r641603_chk

Within the Administrator Console, navigate to the "RDS" page under the "Security" menu. If "Enable RDS Service" is checked, this is a finding.

Fix: F-40352r641604_fix

Navigate to the "RDS" page under the "Security" menu. Uncheck "Enable RDS Service" and select the "Submit Changes" button.

b
ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.
CM-7 - Medium - CCI-000381 - V-237171 - SV-237171r641608_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000101
Vuln IDs
  • V-237171
  • V-62415
Rule IDs
  • SV-237171r641608_rule
  • SV-76905
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server.
Checks: C-40390r641606_chk

Ask the administrator if LiveCycle Data Services ES are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If "Enable Remote Adobe LiveCycle Data Management access" is checked, this is a finding.

Fix: F-40353r641607_fix

Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck "Enable Remote Adobe LiveCycle Data Management access" and select the "Submit Changes" button.

b
ColdFusion must have the WebSocket Service disabled.
CM-7 - Medium - CCI-000381 - V-237172 - SV-237172r641611_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000102
Vuln IDs
  • V-237172
  • V-62417
Rule IDs
  • SV-237172r641611_rule
  • SV-76907
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The WebSocket Service is used to develop real-time applications for stock, charting, online gaming, social networking, dashboards for various purposes, and monitoring. The service uses HTTP or HTTPS for communication, either to a proxy server or to the built-in WebSocket server. When the service is enabled but not used, resources are allocated and sit idle. To allow those idle resources to be used by other services, if the WebSocket Service is not being used by hosted applications, the service must be disabled.
Checks: C-40391r641609_chk

Ask the administrator if WebSocket services are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "WebSocket" page under the "Server Settings" menu. If "Enable WebSocket Service" is checked, this is a finding.

Fix: F-40354r641610_fix

Navigate to the "WebSocket" page under the "Server Settings" menu. Uncheck "Enable WebSocket Service" and select the "Submit Changes" button.

b
ColdFusion must have example data sources removed.
CM-7 - Medium - CCI-000381 - V-237173 - SV-237173r641614_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000103
Vuln IDs
  • V-237173
  • V-62419
Rule IDs
  • SV-237173r641614_rule
  • SV-76909
ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.
Checks: C-40392r641612_chk

Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "Data Sources" page under the "Data & Services" menu. If the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding.

Fix: F-40355r641613_fix

Remove the sample data sources by navigating to the "Data Sources" page under the "Data & Services" menu. Delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples.

b
The ColdFusion built-in Tomcat Web Server must be disabled.
CM-7 - Medium - CCI-000381 - V-237174 - SV-237174r641617_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000104
Vuln IDs
  • V-237174
  • V-62421
Rule IDs
  • SV-237174r641617_rule
  • SV-76911
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in Tomcat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continue hosting the Administrator Console, this is not best practice: the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, which allows for poor implementations, and commercial web servers offer better logging. To keep the Administrator Console operating while disabling the built-in Tomcat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.
Checks: C-40393r641615_chk

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. Within the server.xml file, locate the XML line:

<Connector executor="tomcatThreadPool" maxThreads="50" port="8500" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" redirectPort="8445" />

Note: port="8500" is the port the Administrator Console was hosted on. The port is defined during the install and can be changed from the default of 8500, so this parameter may be different if an alternate port was assigned. If the line exists and is not commented out (XML comments start with <!-- and end with -->, e.g., <!-- XML COMMENT -->), this is a finding.

Fix: F-40356r641616_fix

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. After making a backup of this file, edit the file and locate the following XML line:

<Connector executor="tomcatThreadPool" maxThreads="50" port="8500" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" redirectPort="8445" />

Note: port="8500" is the port the Administrator Console was hosted on. The port is set up at install and can be changed, so this parameter may be different in this line. This line can be deleted or, using XML syntax, commented out of the configuration. XML comment syntax starts with <!-- and ends with -->, e.g., <!-- XML COMMENT -->.
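An automated form of this check, added here as an example and not part of the STIG or of Adobe's ColdFusion code: it parses server.xml with an XML parser, so a connector that was commented out per the Fix text is ignored, and only a live Connector on the Administrator Console port (assumed 8500 unless passed in) counts as a finding. The sample server.xml content is constructed.

```python
"""Added example (not part of the STIG or of Adobe's ColdFusion code): an
automated form of check C-40393r641615_chk.  It parses server.xml and reports
an uncommented <Connector> on the Administrator Console port.  The port is a
parameter because the STIG notes it may differ from the default of 8500."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the built-in HTTP connector has been
# commented out per the Fix text, while an unrelated AJP connector remains.
SAMPLE_FIXED = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150"/>
    <!-- <Connector executor="tomcatThreadPool" maxThreads="50" port="8500"
         protocol="org.apache.coyote.http11.Http11Protocol"
         connectionTimeout="20000" redirectPort="8445" /> -->
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8445" />
  </Service>
</Server>
"""

# The same constructed file with the comment markers removed (the finding case).
SAMPLE_FINDING = SAMPLE_FIXED.replace("<!-- <Connector", "<Connector").replace(
    'redirectPort="8445" /> -->', 'redirectPort="8445" />')


def active_connectors(server_xml, port="8500"):
    """Return the uncommented <Connector> elements bound to `port`.

    ElementTree discards XML comments while parsing, so a connector wrapped
    in <!-- --> never appears in the tree; only a live element whose port
    attribute matches is returned.  Connectors on other ports (e.g. the AJP
    connector used by the external web server) are ignored.
    """
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector") if c.get("port") == port]


def is_finding(server_xml, port="8500"):
    """CF11-03-000104: finding if the built-in web server is still listening."""
    return len(active_connectors(server_xml, port)) > 0


if __name__ == "__main__":
    # Usage: python check_connector.py /path/to/runtime/conf/server.xml [port]
    path = sys.argv[1]
    admin_port = sys.argv[2] if len(sys.argv) > 2 else "8500"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for conn in active_connectors(text, admin_port):
        print("active connector:", conn.attrib)
    print("FINDING" if is_finding(text, admin_port) else "not a finding")
```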

c
ColdFusion must have Remote Inspection disabled.
CM-7 - High - CCI-000381 - V-237175 - SV-237175r641620_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000381
Version
CF11-03-000105
Vuln IDs
  • V-237175
  • V-62423
Rule IDs
  • SV-237175r641620_rule
  • SV-76913
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Inspection is used to debug mobile applications and may contain sensitive information. This feature may be necessary as applications are built and tested, but once in a production environment, this setting is not necessary for daily operations and must be disabled.
Checks: C-40394r641618_chk

Within the Administrator Console, navigate to the "Remote Inspection Settings" page under the "Debugging & Logging" menu. If "Allow Remote Inspection" is checked, this is a finding.

Fix: F-40357r641619_fix

Navigate to the "Remote Inspection Settings" page under the "Debugging & Logging" menu. Uncheck "Allow Remote Inspection" and select the "Submit Changes" button.

b
ColdFusion must protect internal cookies from being updated by hosted applications.
CM-7 - Medium - CCI-000381 - V-237176 - SV-237176r641623_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000106
Vuln IDs
  • V-237176
  • V-62425
Rule IDs
  • SV-237176r641623_rule
  • SV-76915
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie security settings is used to allow a hosted application to change the security posture of the application server. This feature may be necessary as applications are built and tested, but once in a production environment, this functionality is not necessary for daily operations and must be disabled.
Checks: C-40395r641621_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." is unchecked, this is a finding.

Fix: F-40358r641622_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." and select the "Submit Changes" button.

b
ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-237177 - SV-237177r641626_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
CF11-03-000107
Vuln IDs
  • V-237177
  • V-62427
Rule IDs
  • SV-237177r641626_rule
  • SV-76917
Some networking protocols may not meet organizational security requirements to protect data and components. ColdFusion may host a number of various features, such as the Administrator Console, data sources, and various services. These features all run on TCP/IP ports and protocols. This creates the potential that the vendor or ColdFusion administrator may choose to utilize port numbers or protocols that have been deemed unusable by the organization. When ports or protocols are used that are not secure or authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol. For a list of approved ports and protocols, reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.
Checks: C-40396r641624_chk

Access the Administrator Console from a web browser. If a port is part of the URL, verify that the port used is an approved port. Within the Administrator Console, navigate to each page under the "Data & Services" menu and view the port settings for each connection and service. If the Administrator Console or any "Data & Services" setting is not using an approved port, this is a finding.

Fix: F-40359r641625_fix

Reconfigure the services or data connections that are using an unapproved port to use an approved port.

b
ColdFusion must disable auto reloading of configuration files on file changes.
CM-5 - Medium - CCI-001813 - V-237178 - SV-237178r641629_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
CF11-03-000108
Vuln IDs
  • V-237178
  • V-62429
Rule IDs
  • SV-237178r641629_rule
  • SV-76919
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Allowing ColdFusion to watch for configuration file changes and reloading the new configuration gives an attacker an easy way to make modifications and have those changes become part of the executing production system quickly.
Checks: C-40397r641627_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Check configuration files for changes every" is checked, this is a finding.

Fix: F-40360r641628_fix

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Check configuration files for changes every" and select the "Submit Changes" button.

b
The ColdFusion Root Administrator account must have a unique username.
CM-6 - Medium - CCI-000366 - V-237179 - SV-237179r641632_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000110
Vuln IDs
  • V-237179
  • V-62431
Rule IDs
  • SV-237179r641632_rule
  • SV-76921
The ColdFusion Root Administrator account is an administrative account set up during the installation process. This account has privileges to view, update, and delete data within the entire ColdFusion Administrator Console. The account is meant to be used to set up ColdFusion after installation, but should only be used in emergency situations once user accounts are created. The account is similar to the Administrator account in Windows or the root account in Linux. To help protect the account, the account username should not be admin or administrator. If set up with these usernames, an attacker already knows 50% of the information needed to gain access. A unique and not easily guessable username must be used to hinder the discovery of the account credentials.
Checks: C-40398r641630_chk

Locate the neo-security.xml file and locate the Root Administrator username.

For ColdFusion running on Windows:
1. Open the neo-security.xml in notepad.exe (Hint: Turn Word Wrap on to make the file easier to read.).
2. Under the menu "Edit", select the "Find…" menu item.
3. In the "Find" window, put in the search text 'admin.userid.root'> including the single quotes.
4. The Root Administrator username follows this tag between the <string> and </string> tags. A sample entry may look like this if the Root Administrator username were Administrator: <var name='admin.userid.root'><string>Administrator</string>

For ColdFusion running on Linux:
1. Change to the directory where the neo-security.xml file is located.
2. Execute the following command to return the Root Administrator username: cat neo-security.xml | grep -i -oP "admin.userid.root'><string>\K\w+"

If the Root Administrator username is any upper- and lower-case mix of characters for the words admin or administrator (e.g., admin, Admin, ADMIN, Administrator, ADMINISTRATOR, etc.), this is a finding.

Fix: F-40361r641631_fix

Locate the neo-security.xml file and change to the directory where the file is located. Note: Make a backup of the file before making any modifications.

For ColdFusion running on Windows:
1. Open the file neo-security.xml in notepad.exe (Hint: Turn Word Wrap on to make the file easier to read.).
2. Under the menu "Edit", select the "Find…" menu item.
3. In the "Find" window, put in the search text 'admin.userid.root'> including the single quotes.
4. The Root Administrator username follows this tag between the <string> and </string> tags. A sample entry may look like this if the Root Administrator username were Administrator: <var name='admin.userid.root'><string>Administrator</string>
5. Update the Root Administrator username. The new Root Administrator username must not be any upper- and lower-case mix of characters for the words admin or administrator, e.g., admin, Admin, ADMIN, Administrator, ADMINISTRATOR, etc.
6. Save the file.
7. Restart ColdFusion to have the new username take effect. Within a terminal window, change to the bin directory under the ColdFusion installation directory and execute the command: coldfusion -restart -console

ColdFusion running on Linux:
1. Change to the directory where the neo-security.xml file is located.
2. Update the Root Administrator username by editing the neo-security.xml file.
3. Locate the <var name='admin.userid.root'> tag. The username is located in between the <string> and </string> tags that follow. A sample entry may look like this if the Root Administrator username were Administrator: <var name='admin.userid.root'><string>Administrator</string>
4. Update the Root Administrator username. The new Root Administrator username must not be any upper- and lower-case mix of characters for the words admin or administrator, e.g., admin, Admin, ADMIN, Administrator, ADMINISTRATOR, etc.
5. Save the file.
6. Restart ColdFusion to have the new username take effect. ColdFusion can be restarted by changing to the bin directory under the ColdFusion installation directory and executing the command: coldfusion restart

Validate that the new username is being used and that the system is operating properly. Once validated, the backup neo-security.xml file must be deleted.
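An automated form of this check and fix, added here as an example and not the STIG's or Adobe's own tooling: it reads the admin.userid.root entry with an XML parser, flags any case variant of admin or administrator, and rewrites the username textually so the rest of the file is untouched. The neo-security.xml fragment is a constructed sample that follows only the one entry quoted in the STIG; the function names are mine.

```python
"""Added example (not the STIG's own tooling): an automated form of check
C-40398r641630_chk for the Root Administrator username in neo-security.xml,
plus a helper that performs the rename described in the Fix text.  The sample
packet below is constructed; only the admin.userid.root entry follows the
layout quoted in the STIG."""
import re
import xml.etree.ElementTree as ET

# The two words the STIG forbids, compared case-insensitively.
FORBIDDEN_NAMES = {"admin", "administrator"}

# Constructed neo-security.xml fragment in the WDDX layout the STIG quotes.
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'>
  <header/>
  <data>
    <struct type='coldfusion.server.ConfigMap'>
      <var name='admin.security.enabled'><boolean value='true'/></var>
      <var name='admin.userid.root'><string>Administrator</string></var>
    </struct>
  </data>
</wddxPacket>
"""

# Matches the single-quoted form the STIG shows; group 2 is the username.
ROOT_USER_RE = re.compile(
    r"(<var name='admin\.userid\.root'><string>)([^<]*)(</string>)")


def root_admin_username(neo_security_xml):
    """Return the text between <string> and </string> after admin.userid.root.

    An XML parser is used rather than a line match, so whitespace or attribute
    quoting differences in the real file do not matter.  Returns None if the
    entry is absent.
    """
    root = ET.fromstring(neo_security_xml)
    for var in root.iter("var"):
        if var.get("name") == "admin.userid.root":
            node = var.find("string")
            return (node.text or "").strip() if node is not None else None
    return None


def is_forbidden_username(username):
    """True for any upper/lower-case mix of 'admin' or 'administrator'."""
    return username is not None and username.lower() in FORBIDDEN_NAMES


def is_finding(neo_security_xml):
    """CF11-03-000110: finding when the root account uses a guessable name."""
    return is_forbidden_username(root_admin_username(neo_security_xml))


def rename_root_admin(neo_security_xml, new_username):
    """Return the file text with the Root Administrator username replaced.

    The substitution is textual so the rest of the file (quoting style,
    whitespace, element order) stays byte-for-byte unchanged, as it would when
    editing by hand.  Refuses names the STIG forbids and names that could not
    be stored safely inside the <string> element.
    """
    if is_forbidden_username(new_username):
        raise ValueError("new username is a variant of admin/administrator")
    if not new_username or re.search(r"[<>&\s]", new_username):
        raise ValueError("username must be non-empty, without markup or whitespace")
    updated, count = ROOT_USER_RE.subn(
        lambda m: m.group(1) + new_username + m.group(3), neo_security_xml)
    if count != 1:
        raise ValueError("expected exactly one admin.userid.root entry, found %d" % count)
    return updated
```

After writing the returned text back to neo-security.xml, ColdFusion still has to be restarted as the Fix text describes before the new username takes effect.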

b
ColdFusion must execute as a non-privileged user.
CM-6 - Medium - CCI-000366 - V-237180 - SV-237180r641635_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000111
Vuln IDs
  • V-237180
  • V-62433
Rule IDs
  • SV-237180r641635_rule
  • SV-76923
Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. Because ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be set up to execute as unprivileged users. This protects server resources, OS-hosted applications, and organization resources should the ColdFusion application server become compromised.
Checks: C-40399r641633_chk

For ColdFusion running on Windows:
1. Run the snap-in services.msc.
2. Locate the ColdFusion section of services.
3. Right-click on each ColdFusion service and select "Properties".
4. Select the "Log On" tab. If any service has "Local System account" selected, this is a finding.
5. View the groups for each user account that was used to run a ColdFusion service by running the snap-in compmgmt.msc.
6. Expand the "Local Users and Groups" in the left pane under "System Tools" to view the "Users" and "Groups" folders.
7. Select the "Users" folder and the users will be listed in the right pane.
8. Right-click a user that runs a ColdFusion service.
9. Select "Properties" on the menu.
10. Select the "Member Of" tab. If any groups are listed, this is a finding.
11. Click on the "Remote Desktop Services Profile" tab. If the "Deny this user permissions to log on to Remote Desktop Session Host server" is not checked, this is a finding.
12. Repeat steps 8 through 11 for each user that runs a ColdFusion service.

ColdFusion running on Linux:
1. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11
2. Change to the directory where the file is located.
3. Execute the command: grep -i -m 1 runtime_user coldfusion_11
4. The user being used to execute ColdFusion will be listed.
5. View the user within the /etc/passwd file.
6. Make note of the user id and group id. For example, if the line in the passwd file is cfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin, the user id is 500 and the group id is 501. If the user id or the group id is set to 0 (zero), this is a finding.

Fix: F-40362r641634_fix

For ColdFusion running on Windows:
1. Create a user for the ColdFusion services by running the snap-in compmgmt.msc.
2. Expand the "Local Users and Groups" in the left pane under "System Tools" to view the "Users" and "Groups" folders.
3. Select the "Users" folder.
4. Right-click in the right pane and select "New User".
5. Enter a username and password for the user. Follow any organization-specific policies in place and Windows STIGs for password complexity, usernames, etc.
6. Select the "Create" button to create the user.
7. Right-click on the new user and select the "Properties" menu item.
8. Select the "Member Of" tab.
9. Remove all groups.
10. Select the "Remote Desktop Services Profile" tab.
11. Check the "Deny this user permissions to log on to Remote Desktop Session Host server" checkbox.
12. Select the "Apply" button.
13. Run the snap-in services.msc.
14. Locate the ColdFusion services.
15. Right-click on a ColdFusion service and select "Properties".
16. Select the "Log On" tab.
17. Click on the "This account:" radio button.
18. Enter the username and password for the user account that was just created.
19. Select "Ok" to save the changes.
20. Repeat steps 15 through 19 for each ColdFusion service.

ColdFusion running on Linux:
1. Create a group for the user account that will run the ColdFusion service by executing the command groupadd. For example, if the group being created is webusers, the command would be: groupadd webusers
2. Create the user account for the service by executing the command adduser. For example, if the user being created is cfuser with the group webusers, the command would be: adduser -g webusers -s /sbin/nologin -M -c ColdFusion cfuser
3. Assign a password to the account that follows any organization password policies in place and the OS STIG for password complexity. The password is assigned by executing the command: passwd cfuser
4. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11
5. Change to the directory where the file is located.
6. Edit the coldfusion_11 file.
7. Locate the text RUNTIME_USER= within coldfusion_11.
8. Update the user account being used to run the ColdFusion service.

b
ColdFusion accounts with access to the Administrator Console must be approved.
CM-6 - Medium - CCI-000366 - V-237181 - SV-237181r641638_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000112
Vuln IDs
  • V-237181
  • V-62435
Rule IDs
  • SV-237181r641638_rule
  • SV-76925
ColdFusion offers an Administrator Console that is used to set up ColdFusion. The console allows the administrator to set up user accounts, user privileges, logging, data sources, etc. These accounts, once set up, do not automatically lock after a set duration of inactivity or any other security event that would require automatic locking or deletion. This would enable a user who either left the organization or changed job roles to continue accessing the console until the account is manually deleted. To make certain that the user accounts are only those that are needed, the accounts must be approved by the ISSM.
Checks: C-40400r641636_chk

Review the users within the "User Manager" page under the "Security" menu. If users exist that are not approved by the ISSM, this is a finding.

Fix: F-40363r641637_fix

Navigate to the "User Manager" page under the "Security" menu. Modify the list of users to only contain those approved by the ISSM.

b
ColdFusion must protect newly created objects.
CM-6 - Medium - CCI-000366 - V-237182 - SV-237182r641641_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000113
Vuln IDs
  • V-237182
  • V-62437
Rule IDs
  • SV-237182r641641_rule
  • SV-76927
During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive.
Checks: C-40401r641639_chk

For ColdFusion running on Windows, this finding is not applicable.

ColdFusion running on Linux:
1. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11
2. Change to the directory where the file is located.
3. Edit the coldfusion_11 file.
4. Locate the umask setting. It should be located near the top of the file, but below the #description comment. If the umask is not set to 007 or more restrictive, this is a finding.

Fix: F-40364r641640_fix

For ColdFusion running on Windows, this finding is not applicable.

ColdFusion running on Linux:
1. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11
2. Change to the directory where the file is located.
3. Edit the coldfusion_11 file.
4. Add the umask setting near the top of the file, but below the #description comment. A sample umask setting looks like: umask 007
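An automated form of the Linux portions of this check and of the non-privileged-user check (CF11-03-000111) above, added here as an example and not the STIG's or Adobe's own tooling: it reads RUNTIME_USER from the coldfusion_11 start script, looks the user up in passwd-format text, and tests the script's umask against 007 bit by bit (027 and 077 pass, 022 fails). The start script excerpt and passwd lines are constructed samples; the function names are mine.

```python
"""Added example (not the STIG's own tooling): an automated form of the Linux
portions of checks C-40399r641633_chk (non-privileged runtime user) and
C-40401r641639_chk (umask).  The coldfusion_11 start script excerpt and the
/etc/passwd contents below are constructed samples."""
import re

# Constructed excerpt of a coldfusion_11 start script that passes both checks.
SAMPLE_SCRIPT_OK = """#!/bin/sh
# chkconfig: 345 90 14
# description: Adobe ColdFusion 11 start/stop script (constructed sample)
umask 007

CF_DIR="/opt/coldfusion11"
RUNTIME_USER=cfuser
echo "starting ColdFusion as $RUNTIME_USER"
"""

# The same script running as root with a permissive umask: both rules fail.
SAMPLE_SCRIPT_BAD = SAMPLE_SCRIPT_OK.replace("umask 007", "umask 022").replace(
    "RUNTIME_USER=cfuser", "RUNTIME_USER=root")

# Constructed /etc/passwd lines, reusing the example line quoted in the STIG.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
cfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin
"""

# Only an assignment at the start of a line counts, not "$RUNTIME_USER" uses.
RUNTIME_USER_RE = re.compile(r'^\s*RUNTIME_USER=["\']?([^"\'\s]+)',
                             re.IGNORECASE | re.MULTILINE)
UMASK_RE = re.compile(r"^\s*umask\s+([0-7]{3,4})\b", re.MULTILINE)


def runtime_user(script_text):
    """First RUNTIME_USER= assignment, like `grep -i -m 1 runtime_user`."""
    m = RUNTIME_USER_RE.search(script_text)
    return m.group(1) if m else None


def passwd_ids(passwd_text, username):
    """(uid, gid) for `username` from passwd-format text, or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == username:
            return int(fields[2]), int(fields[3])
    return None


def umask_value(script_text):
    """The first `umask NNN` line as an int, or None when the script sets none."""
    m = UMASK_RE.search(script_text)
    return int(m.group(1), 8) if m else None


def umask_at_least(mask, required=0o007):
    """True when `mask` clears every permission bit that `required` clears.

    "007 or more restrictive" means all of the "other" bits are masked off;
    masking extra bits (027, 077) is fine, masking fewer (002, 022) is not.
    """
    return mask is not None and (mask & required) == required


def findings(script_text, passwd_text):
    """List of findings for the two Linux checks; an empty list is compliant."""
    out = []
    user = runtime_user(script_text)
    ids = passwd_ids(passwd_text, user) if user else None
    if ids is None:
        out.append("CF11-03-000111: RUNTIME_USER is unset or not present in /etc/passwd")
    elif 0 in ids:
        out.append("CF11-03-000111: ColdFusion runs with uid %d gid %d" % ids)
    if not umask_at_least(umask_value(script_text)):
        out.append("CF11-03-000113: umask is not set to 007 or more restrictive")
    return out


if __name__ == "__main__":
    # Usage: python check_cf_runtime.py /path/to/coldfusion_11 [/etc/passwd]
    import sys
    with open(sys.argv[1], encoding="utf-8") as fh:
        script = fh.read()
    with open(sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd", encoding="utf-8") as fh:
        passwd = fh.read()
    print("\n".join(findings(script, passwd)) or "not a finding")
```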

b
ColdFusion must have Sandbox Security enabled.
CM-6 - Medium - CCI-000366 - V-237183 - SV-237183r641644_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000114
Vuln IDs
  • V-237183
  • V-62439
Rule IDs
  • SV-237183r641644_rule
  • SV-76929
Application isolation allows multiple applications to run on the same hosting operating system, web server, and application server. Typical reasons to isolate applications are to separate different application user bases and data security levels, to protect application resources, and to give each application the least privilege to system resources. Application isolation will also contain an application that has been compromised from compromising other hosted applications. To allow sandboxing to be implemented, the feature must be enabled.
Checks: C-40402r641642_chk

Within the Administrator Console, navigate to the "Sandbox Security" page under the "Security" menu. If "Enable ColdFusion Sandbox Security" is unchecked, this is a finding.

Fix: F-40365r641643_fix

Navigate to the "Sandbox Security" page under the "Security" menu. Check "Enable ColdFusion Sandbox Security" and select the "Submit Changes" button.

b
ColdFusion must have Sandboxes defined for application execution.
CM-6 - Medium - CCI-000366 - V-237184 - SV-237184r641647_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000115
Vuln IDs
  • V-237184
  • V-62441
Rule IDs
  • SV-237184r641647_rule
  • SV-76931
Application isolation allows multiple applications to run on the same hosting operating system, web server, and application server. Typical reasons to isolate applications are to separate different application user bases and data security levels, to protect application resources, and to give each application the least privilege to system resources. Application isolation will also contain an application that has been compromised from compromising other hosted applications. To implement sandboxing, sandboxes must be set up to separate applications. Enabling the feature without implementing sandboxes does not secure the system.
Checks: C-40403r641645_chk

Within the Administrator Console, navigate to the "Sandbox Security" page under the "Security" menu. Sandboxes should be setup for the Administrator Console and any other hosted applications. The Administrator Console must have its own sandbox separate from the other hosted applications. If there are no sandboxes implemented for the Administrator Console and the other hosted applications, this is a finding.

Fix: F-40366r641646_fix

Navigate to the "Sandbox Security" page under the "Security" menu. Create sandboxes for the applications to operate within and select the "Submit Changes" button.

b
ColdFusion must have the Default ScriptSrc Directory set to a non-default value.
CM-6 - Medium - CCI-000366 - V-237185 - SV-237185r641650_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CF11-03-000116
Vuln IDs
  • V-237185
  • V-62443
Rule IDs
  • SV-237185r641650_rule
  • SV-76933
The scripts directory contains common JavaScript code that may be used by the hosted applications. This code is offered to help the developer with common data controls and functions, aiding in the quick development of applications. Unfortunately, this code has also been known to have security vulnerabilities. Because of this, many ColdFusion hacking tools look for this directory in the default location, searching for files with known vulnerabilities. By moving the directory to a non-default location, such tools are unable to find the directory, making it more difficult for the attacker.
Checks: C-40404r641648_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Default ScriptSrc Directory" is set to "/CFIDE/scripts/", this is a finding.

Fix: F-40367r641649_fix

Navigate to the "Settings" page under the "Server Settings" menu. Enter the new location for the ScriptSrc Directory.

c
Unsupported versions of ColdFusion must be uninstalled or upgraded.
CM-6 - High - CCI-000366 - V-237186 - SV-237186r766577_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
CF11-03-000117
Vuln IDs
  • V-237186
  • V-62445
Rule IDs
  • SV-237186r766577_rule
  • SV-76935
Without the current update installed, the product may be unstable or become a target for an attacker who can take advantage of a known exploit. ColdFusion 11 is no longer supported by the vendor. Unsupported versions of ColdFusion must be uninstalled or upgraded as part of an approved application management process.
Checks: C-40405r766575_chk

Open the ColdFusion Administrator Console. Check the version of ColdFusion. If the system is running ColdFusion 11, this is a finding.

Fix: F-40368r766576_fix

Upgrade ColdFusion to a supported version or uninstall the application. All upgrade or uninstall actions should be executed in accordance with an approved application management plan.

b
ColdFusion must have example collections removed.
CM-7 - Medium - CCI-000381 - V-237187 - SV-237187r641656_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000118
Vuln IDs
  • V-237187
  • V-62447
Rule IDs
  • SV-237187r641656_rule
  • SV-76937
ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.
Checks: C-40406r641654_chk

Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "ColdFusion Collections" page under the "Data & Services" menu. If the bookclub collection exists, this is a finding.

Fix: F-40369r641655_fix

Remove the sample collections by navigating to the "ColdFusion Collections" page under the "Data & Services" menu. Delete the bookclub collection.

b
ColdFusion must have example gateway instances removed.
CM-7 - Medium - CCI-000381 - V-237188 - SV-237188r641659_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
CF11-03-000119
Vuln IDs
  • V-237188
  • V-62449
Rule IDs
  • SV-237188r641659_rule
  • SV-76939
ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.
Checks: C-40407r641657_chk

Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "Gateway Instances" page under the "Event Gateways" menu. If the Gateway Instance SMS Menu App. exists, this is a finding.

Fix: F-40370r641658_fix

Remove the sample gateway instances by navigating to the "Gateway Instances" page under the "Event Gateways" menu. Delete the Gateway Instance SMS Menu App.

b
ColdFusion must authenticate users individually.
IA-2 - Medium - CCI-000770 - V-237189 - SV-237189r641662_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
CF11-04-000128
Vuln IDs
  • V-237189
  • V-62451
Rule IDs
  • SV-237189r641662_rule
  • SV-76941
To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. ColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. This account should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When used as a group account, accountability, along with least privileges for the users, is lost.
Checks: C-40408r641660_chk

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. If there are no defined users, this is a finding.

Fix: F-40371r641661_fix

Navigate to the "User Manager" page under the "Security" menu. Create users that need access to the Administrator Console providing only the roles necessary to perform each job function.

b
ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
IA-2 - Medium - CCI-001941 - V-237190 - SV-237190r641665_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
CF11-04-000129
Vuln IDs
  • V-237190
  • V-62453
Rule IDs
  • SV-237190r641665_rule
  • SV-76943
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension. ColdFusion offers SOAP capabilities but does not offer any type of security for these services. In order to extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.
Checks: C-40409r641663_chk

Determine if web services are published using the SOAP protocol to access sensitive data. This may be determined by interviewing the administrator or by reviewing hosted applications code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation. If web services are not published, this finding is not applicable. If web services are published, but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Determine if the ws-security suite is in place to provide secure authentication to the sensitive data by interviewing the administrator or by reviewing hosted applications code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation. If web services are published using the SOAP protocol to access sensitive data and the ws-security suite is not used to secure the access, this is a finding.

Fix: F-40372r641664_fix

If web services are not published, this finding is not applicable. If web services are published, but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Install the ws-security suite to secure access to sensitive data.

b
ColdFusion must transmit only encrypted representations of passwords for Flex Integration.
IA-5 - Medium - CCI-000197 - V-237191 - SV-237191r641668_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
CF11-04-000133
Vuln IDs
  • V-237191
  • V-62455
Rule IDs
  • SV-237191r641668_rule
  • SV-76945
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion offers RMI communication between Flex and ColdFusion. The communication between the two will require authentication data. When authentication data is transmitted, the data must be encrypted to protect it from discovery. This can be done by enabling RMI over SSL within the Administrator Console.
Checks: C-40410r641666_chk

Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. Ask the administrator if Flex is being used and if user credentials are being used for authentication. If user credentials are being used for Flex authentication to ColdFusion and "Enable RMI over SSL for Data Management" is not checked, this is a finding.

Fix: F-40373r641667_fix

Navigate to the "Flex Integration" page under the "Data & Services" menu. Check "Enable RMI over SSL for Data Management" and select the "Submit Changes" button.

b
The ColdFusion Administrator Console must transmit only encrypted representations of passwords.
IA-5 - Medium - CCI-000197 - V-237192 - SV-237192r641671_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
CF11-04-000134
Vuln IDs
  • V-237192
  • V-62457
Rule IDs
  • SV-237192r641671_rule
  • SV-76947
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion uses username and password for users to authenticate to the Administrator Console. When these credentials are sent in plaintext, an attacker can capture the information and use the credentials to log on to the console, creating objects, connections, and accounts for later use. The attacker will also have access to information stored for connections to other systems that ColdFusion may be connected to for data retrieval.
Checks: C-40411r641669_chk

Access the Administrator Console through a web browser. Look for indications that the communication is an HTTPS session, such as the https prefix on the URL and/or the lock icon, depending on the browser in use. If HTTPS does not appear to be in use, this is a finding.

Fix: F-40374r641670_fix

Review the documentation for the web server where the Administrator Console is being hosted and set up HTTPS encryption to protect passwords during the authentication process.

b
ColdFusion must transmit only encrypted representations of passwords to the mail server.
IA-5 - Medium - CCI-000197 - V-237193 - SV-237193r641674_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
CF11-04-000135
Vuln IDs
  • V-237193
  • V-62459
Rule IDs
  • SV-237193r641674_rule
  • SV-76949
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion may use a username/password to connect to a mail server. When this authentication method is used, the credentials must be encrypted in transit to protect them. While TLS encryption is the method preferred by DoD, SSL can be used when the mail server does not offer any other method of encryption.
Checks: C-40412r641672_chk

Within the Administrator Console, navigate to the "Mail" page under the "Server Settings" menu. If a user name and password are required for authentication and both "Enable TLS connection to mail server" and "Enable SSL socket connections to mail server" are unchecked, this is a finding.

Fix: F-40375r641673_fix

Navigate to the "Mail" page under the "Server Settings" menu. Enable SSL/TLS by checking "Enable SSL socket connections to mail server" and/or "Enable TLS connection to mail server" options and select the "Submit Changes" button.

b
Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key.
IA-5 - Medium - CCI-000186 - V-237194 - SV-237194r641677_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
CF11-04-000138
Vuln IDs
  • V-237194
  • V-62461
Rule IDs
  • SV-237194r641677_rule
  • SV-76951
The cornerstone of PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the private keys. Java-based application servers, such as ColdFusion, utilize the Java keystore, which provides storage for cryptographic keys and certificates. ColdFusion uses the keystore to store private keys for ColdFusion WebSockets and for Flex Integration.
Checks: C-40413r641675_chk

Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If "Enable RMI over SSL for Data Management" is checked, make note of the path and filename of the keystore used. Navigate to the "WebSocket" page under the "Server Settings" menu. If "SSL Port" is checked, make note of the keystore path and filename. Review the permissions on the files designated in the keystore locations specified. ColdFusion running on Windows should have full control for the Administrators group and the user running ColdFusion on the keystore file. No other users should have permissions. If permissions are granted to other users or roles, this is a finding. If ColdFusion is installed on Linux, the permissions must be 750 or more restrictive with the owner set to the user running the ColdFusion service and a group of root. If the permissions are more permissive, this is a finding.

Fix: F-40376r641676_fix

Locate the keystore file(s). The location can be found in the Administrator Console within the "Flex Integration" page under the "Data & Services" menu and within the "WebSocket" page under the "Server Settings" menu. The keystore(s) should have the following permissions:

ColdFusion running on Windows:
1. Right click on the keystore and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service, give this user Full control, and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group, give the group Full control, and click "OK" to save.
8. Check the checkbox "Replace all child object permission entries with inheritable permission entries from this object."
9. Click "OK" to apply these permissions.

ColdFusion running on Linux:
Use the chmod command to set the permissions correctly and chown to set the owner and group. For example, if the keystore is named /opt/cf11/jre/lib/security/cacerts and you want to set the owner to cfuser, the commands would be:

chown cfuser:root /opt/cf11/jre/lib/security/cacerts
chmod 750 /opt/cf11/jre/lib/security/cacerts
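The Linux portion of this check and fix can be scripted so that the keystore permissions are evaluated the same way on every host. The script below is an added example and is not part of the STIG or of ColdFusion; it assumes GNU coreutils (`stat -c`) and takes the expected owner and group as parameters so it can be run against any keystore path (the cfuser:root pair from the fix text is only an example).

```shell
#!/bin/sh
# Added example: audit and remediate keystore file permissions on Linux as the
# check text requires: mode 750 or more restrictive, owner = the account running
# the ColdFusion service, group = root. Assumes GNU coreutils `stat -c`.

# check_keystore_perms FILE OWNER GROUP
# Returns 0 when FILE is owned by OWNER:GROUP and no permission bit outside
# rwxr-x--- (0750) is set. Returns 1 and reports the reason on stderr otherwise.
check_keystore_perms() {
    file=$1; want_owner=$2; want_group=$3
    if [ ! -f "$file" ]; then
        echo "FINDING: $file does not exist" >&2
        return 1
    fi
    # %a = octal mode (no leading zero), %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    # 0750 permits rwx for owner and r-x for group; any bit in the mask 0027
    # (group write, or any permission for "other") is a finding. The leading 0
    # makes the shell parse the stat output as octal.
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "FINDING: $file mode $mode is more permissive than 750" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FINDING: $file is owned by $owner:$group, expected $want_owner:$want_group" >&2
        return 1
    fi
    echo "OK: $file mode $mode owner $owner:$group"
    return 0
}

# harden_keystore FILE OWNER GROUP
# The fix from the STIG text: chown OWNER:GROUP and chmod 750.
harden_keystore() {
    chown "$2:$3" "$1" && chmod 750 "$1"
}

# Usage: sh keystore_perms.sh /opt/cf11/jre/lib/security/cacerts cfuser root
# Set FIX=1 in the environment to apply the remediation when the check fails.
if [ "$#" -eq 3 ]; then
    if ! check_keystore_perms "$1" "$2" "$3"; then
        if [ "${FIX:-0}" = "1" ]; then
            harden_keystore "$1" "$2" "$3" && check_keystore_perms "$1" "$2" "$3"
        else
            echo "Remediate with: chown $2:$3 $1 && chmod 750 $1" >&2
            exit 1
        fi
    fi
fi
```

Run it once per keystore path noted from the "Flex Integration" and "WebSocket" pages; a non-zero exit code means the file is a finding, and the stderr line says whether the mode or the ownership is at fault.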

b
The ColdFusion Administrator Console must be hosted on a management network.
SC-2 - Medium - CCI-001082 - V-237195 - SV-237195r641680_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
CF11-05-000161
Vuln IDs
  • V-237195
  • V-62463
Rule IDs
  • SV-237195r641680_rule
  • SV-76953
ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not expose to the attacker the functionality and information needed to further the attack on the application server. By hosting the Administrator Console on a management-only network, the console is protected from hosted application users, is isolated to only management devices, and is not vulnerable to accidental discovery; in addition, most management networks encrypt all traffic, protecting management data from accidental disclosure.
Checks: C-40414r641678_chk

Access the Administrator Console through a browser making note of the IP address that is used to access the console. Review the site's network diagram to validate that the IP used is on a management network and is separate from the public network. If the Administrator Console is not part of a management network, this is a finding.

Fix: F-40377r641679_fix

Host the ColdFusion Administrator Console on a management network.

b
The ColdFusion Administrator Console must be hosted in a management sandbox.
SC-2 - Medium - CCI-001082 - V-237196 - SV-237196r641683_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
CF11-05-000162
Vuln IDs
  • V-237196
  • V-62465
Rule IDs
  • SV-237196r641683_rule
  • SV-76955
ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not expose to the attacker the functionality and information needed to further the attack on the application server. By hosting the Administrator Console within its own sandbox, separate from the other hosted applications, the administrative objects are protected from reuse and modification by those applications.
Checks: C-40415r641681_chk

Within the Administrator Console, navigate to the "Sandbox Security" page under the "Security" menu. If the Administrator Console is not hosted within a sandbox, this is a finding.

Fix: F-40378r641682_fix

Navigate to the "Sandbox Security" page under the "Security" menu. Create a sandbox for the Administrator Console to operate within and select the "Submit Changes" button.

b
ColdFusion must disable creation of unnamed applications.
SC-2 - Medium - CCI-001082 - V-237197 - SV-237197r641686_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
CF11-05-000163
Vuln IDs
  • V-237197
  • V-62467
Rule IDs
  • SV-237197r641686_rule
  • SV-76957
ColdFusion allows applications to be named or unnamed. The application name allows the developer to scope the application or define a logical application and allows for the separation of applications. When an application is unnamed, the application scope corresponds to the ColdFusion JEE servlet context. This also means that the application session corresponds directly to the session object of the JEE application server. Having unnamed applications is only necessary when the ColdFusion pages must share application or session scope data with existing JSP pages and servlets. Disabling the ability for unnamed applications allows the Administrator Console and all the other hosted applications to be isolated from each other.
Checks: C-40416r641684_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable creation of unnamed applications" is unchecked, this is a finding.

Fix: F-40379r641685_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable creation of unnamed applications" and select the "Submit Changes" button.

b
ColdFusion must not allow application variables to be added to Servlet Context.
SC-2 - Medium - CCI-001082 - V-237198 - SV-237198r641689_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
CF11-05-000164
Vuln IDs
  • V-237198
  • V-62469
Rule IDs
  • SV-237198r641689_rule
  • SV-76959
ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing data across applications, the applications are no longer isolated with one application affecting other applications. By disabling this capability, the hosted applications, including the Administrator Console, are isolated.
Checks: C-40417r641687_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allow adding application variables to Servlet Context" is checked, this is a finding.

Fix: F-40380r641688_fix

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Allow adding application variables to Servlet Context" and select the "Submit Changes" button.

b
ColdFusion must enable UUID for session identifier generation.
SC-23 - Medium - CCI-001664 - V-237199 - SV-237199r641692_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
CF11-05-000167
Vuln IDs
  • V-237199
  • V-62471
Rule IDs
  • SV-237199r641692_rule
  • SV-76961
Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. ColdFusion offers session ID randomness and uniqueness by enabling UUID for the session ID. Without this option enabled, session values are sequential and become easy to hijack through guessing.
Checks: C-40418r641690_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Use UUID for cftoken" is not checked, this is a finding.

Fix: F-40381r641691_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Use UUID for cftoken" and select the "Submit Changes" button.

b
ColdFusion must use J2EE session variables.
SC-23 - Medium - CCI-001664 - V-237200 - SV-237200r641695_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
CF11-05-000168
Vuln IDs
  • V-237200
  • V-62473
Rule IDs
  • SV-237200r641695_rule
  • SV-76963
Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. By enabling J2EE session management, each session is given a unique and non-sequential session ID which is shared between the JVM and the ColdFusion application, allowing for easier session management. J2EE session management stores the session data within a cookie held in memory, which exists only while the session is valid. When J2EE session management is not used, the cookie is stored on the hard drive, leaving a cookie that can be easily harvested by an attacker.
Checks: C-40419r641693_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Use J2EE session variables" is not checked, this is a finding.

Fix: F-40382r641694_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Use J2EE session variables" and select the "Submit Changes" button.

b
ColdFusion must set session cookies as browser session cookies.
SC-23 - Medium - CCI-001664 - V-237201 - SV-237201r641698_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
CF11-05-000169
Vuln IDs
  • V-237201
  • V-62475
Rule IDs
  • SV-237201r641698_rule
  • SV-76965
Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly. ColdFusion offers the capability to set session cookies and all other cookies as browser cookies. This means all cookies become invalid once the browser window is closed, instead of the cookie carrying a time to live. Setting the cookies to browser cookies ensures the session identifier is invalidated once the user ends the session by closing the browser.
Checks: C-40420r641696_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Cookie Timeout" is not set to -1, this is a finding.

Fix: F-40383r641697_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the parameter "Cookie Timeout" to -1 and select the "Submit Changes" button.

b
ColdFusion must provide a clustering capability.
SC-24 - Medium - CCI-001190 - V-237202 - SV-237202r641701_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
CF11-05-000173
Vuln IDs
  • V-237202
  • V-62477
Rule IDs
  • SV-237202r641701_rule
  • SV-76967
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple ColdFusion servers is a common approach to providing fail-safe application availability when the system criticality requires redundancy.
Checks: C-40421r641699_chk

This requirement is dependent upon system mission criticality. If the system is not mission critical and does not require redundancy, this finding is not applicable. Within the Administrator Console, navigate to the "Cluster Manager" under the "Enterprise Manager" menu. Verify that there are configured clusters with more than one server in each cluster. If there are no clusters defined or there is only one server in the cluster, this is a finding.

Fix: F-40384r641700_fix

Navigate to the "Cluster Manager" under the "Enterprise Manager" menu. Create a cluster by defining a name and adding it to the configured clusters. Edit the cluster to add available servers to the cluster and submit the changes to the cluster.

b
ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SC-23 - Medium - CCI-002470 - V-237203 - SV-237203r641704_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
CF11-05-000178
Vuln IDs
  • V-237203
  • V-62479
Rule IDs
  • SV-237203r641704_rule
  • SV-76969
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification. DoD-approved CAs can be found in the "installroot" tool on https://iase.disa.mil or in the Windows certificate store of the Windows Secure Host Baseline image. ColdFusion uses the underlying JVM and its keystore for storing certificates and for use within connections for data transfer. These certificates must be checked to ensure they are from DoD PKI-established certificate authorities.
Checks: C-40422r641702_chk

Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS; then change to the directory where the cacerts file is located. To view the certificates stored within this file, execute the Java command "keytool -list -v -keystore ./cacerts" and verify that the Certificate Authority (CA) for each certificate is DoD-approved. If any certificates have a CA that is not DoD-approved, this is a finding.

Fix: F-40385r641703_fix

Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS; then change to the directory where the cacerts file is located. Remove the certificates issued by a CA that is not DoD-approved and import the DoD-approved CA certificates.
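Reading the "Issuer:" line of every entry in the keytool output by hand is error-prone on a store with dozens of trust anchors. The script below is an added example, not part of the STIG or of the JDK: it feeds the output of the "keytool -list -v" command from the check to awk and prints each alias whose issuer does not match an approved-issuer pattern. The default pattern ("OU=DoD, O=U.S. Government" in the issuer DN) is an assumption about how DoD CA names are formed and should be confirmed against the current DoD-approved CA list; the store password defaults to the JDK's well-known cacerts password "changeit" and can be overridden with CACERTS_STOREPASS.

```shell
#!/bin/sh
# Added example: flag trust anchors in a JVM cacerts file whose issuer is not a
# DoD CA. The keytool parsing works on the text format of `keytool -list -v`,
# which prints "Alias name: ..." followed (per certificate) by "Issuer: ...".

# Assumed pattern for DoD CA issuer DNs (awk ERE). Confirm against the
# DoD-approved CA list before relying on it.
DOD_ISSUER_PATTERN='OU=DoD, O=U[.]S[.] Government'

# audit_cacerts_issuers FILE [PATTERN]
# FILE holds saved `keytool -list -v` output. Prints "alias<TAB>issuer" for
# every certificate whose Issuer does not match PATTERN. Returns 0 when all
# issuers match, 1 when at least one does not (a finding).
audit_cacerts_issuers() {
    awk -v approved="${2:-$DOD_ISSUER_PATTERN}" '
        /^Alias name:/ { alias = substr($0, index($0, ":") + 2) }
        /^Issuer:/ {
            issuer = substr($0, index($0, ":") + 2)
            if (issuer !~ approved) { print alias "\t" issuer; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# audit_jvm_cacerts KEYSTORE
# Runs the keytool command from the check against KEYSTORE and audits the
# result. Uses the JDK default store password unless CACERTS_STOREPASS is set.
audit_jvm_cacerts() {
    dump=$(mktemp)
    keytool -list -v -keystore "$1" -storepass "${CACERTS_STOREPASS:-changeit}" > "$dump"
    audit_cacerts_issuers "$dump"
    rc=$?
    rm -f "$dump"
    return $rc
}

# Usage: sh cacerts_audit.sh /path/to/jre/lib/security/cacerts
if [ "$#" -eq 1 ]; then
    if audit_jvm_cacerts "$1"; then
        echo "OK: every trust anchor in $1 matches the approved issuer pattern"
    else
        echo "FINDING: the aliases above are not issued by an approved CA; remove each with keytool -delete -alias <alias>" >&2
        exit 1
    fi
fi
```

Each flagged line names the alias to pass to "keytool -delete", which is the removal step of the fix. The audit function takes a saved dump rather than calling keytool directly, so the same logic can be run against output collected from a host you do not have shell access to.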

b
ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster.
SC-5 - Medium - CCI-002385 - V-237204 - SV-237204r641707_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000181
Vuln IDs
  • V-237204
  • V-62481
Rule IDs
  • SV-237204r641707_rule
  • SV-76971
A mission critical system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A mission critical system must maintain the highest level of integrity and availability. By High Availability (HA) clustering the ColdFusion application server, the hosted application and data are given a platform that is load-balanced and provides high-availability. Most HA clusters consist of two nodes, which is the minimum required for redundancy, but HA clusters can consist of many more nodes. ColdFusion does offer a clustering capability that must be used when the ColdFusion application server is part of a mission critical system.
Checks: C-40423r641705_chk

If ColdFusion is not part of a mission critical system, this requirement is not applicable. Within the Administrator Console, navigate to the "Instance Manager" page under the "Enterprise Manager" menu. Validate that two or more servers have been defined and that the servers are on different hosts. If there are fewer than two servers available or the servers are on the same host, this is a finding. Navigate to the "Cluster Manager" page under the "Enterprise Manager" menu. If there are no clusters defined or any cluster has fewer than two servers in the cluster, this is a finding.

Fix: F-40386r641706_fix

If ColdFusion is not part of a mission critical system, this requirement is not applicable. Within the Administrator Console, navigate to the "Instance Manager" page under the "Enterprise Manager" menu. Define two or more servers to be part of each cluster. Once the servers are defined for the cluster(s), navigate to the "Cluster Manager" page under the "Enterprise Manager" menu. Define clusters for your mission critical ColdFusion installation. Each defined cluster must contain two or more servers.

b
ColdFusion must not store user information in the server registry.
SC-5 - Medium - CCI-002385 - V-237205 - SV-237205r641710_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000182
Vuln IDs
  • V-237205
  • V-62483
Rule IDs
  • SV-237205r641710_rule
  • SV-76973
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to fill the server hard drive with data or to cause registry purges on a large registry. Filling the drive with data can be achieved if applications have client management enabled and client data is stored within the registry. If a scheduled purge is performed on the registry, ColdFusion must load the entire registry into memory and look at each entry to determine if the entry needs to be purged. The purging process can use all of the available memory and 100% of the CPU for a process that may only delete a few entries. Also, the registry is typically located on the system partition. Because of these factors, the registry must not be used to store client sessions.
Checks: C-40424r641708_chk

Within the Administrator Console, navigate to the "Client Variables" page under the "Server Settings" menu. If the default storage mechanism for client sessions is set to "Registry", this is a finding.

Fix: F-40387r641709_fix

Navigate to the "Client Variables" page under the "Server Settings" menu. Set the default storage mechanism for client sessions to any available mechanism other than the registry and select the "Apply" button.

b
ColdFusion must limit the maximum number of Flash Remoting requests.
SC-5 - Medium - CCI-002385 - V-237206 - SV-237206r641713_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000183
Vuln IDs
  • V-237206
  • V-62485
Rule IDs
  • SV-237206r641713_rule
  • SV-76975
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources through services that are not being monitored because hosted applications do not use them. One of these services is Flash Remoting. Flash Remoting is a service that allows Flash applications to interact with ColdFusion pages and, if it is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When not in use, this setting must be set to 1.
Checks: C-40425r641711_chk

Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. Ask the administrator if flash remoting is being used (Note: The Server Monitor feature in ColdFusion Enterprise makes use of flash remoting.). If flash remoting is being used, this finding is not applicable. If "Maximum number of simultaneous Flash Remoting requests" is not set to 1, this is a finding.

Fix: F-40388r641712_fix

If flash remoting is being used, this finding is not applicable. Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Maximum number of simultaneous Flash Remoting requests" to 1 and select the "Submit Changes" button.

c
ColdFusion must limit the SQL commands available.
SC-5 - High - CCI-002385 - V-237207 - SV-237207r641716_rule
RMF Control
SC-5
Severity
High
CCI
CCI-002385
Version
CF11-05-000184
Vuln IDs
  • V-237207
  • V-62487
Rule IDs
  • SV-237207r641716_rule
  • SV-76977
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. Allowing hosted applications to execute SQL commands that create tables, change permissions on objects, create stored procedures, or drop objects allows an attacker to put the hosted application into a posture where it may not work correctly, displays error messages that contain sensitive data that was not tested for during development, or causes an application to be unable to authenticate users. Any of these situations puts the system into a state where the user is denied service to the application. Giving applications only those SQL commands needed to operate on data reduces this risk.
Checks: C-40426r641714_chk

Within the Administrator Console, navigate to the "Data Sources" page under the "Data & Services" Settings menu. If there are no data sources defined, this finding is not applicable. Edit each data source and then view the advanced settings by pressing the "Show Advanced Settings" button. If any of the data sources have CREATE, GRANT, DROP, REVOKE or ALTER checked, this is a finding.

Fix: F-40389r641715_fix

If there are no data sources defined, this finding is not applicable. Navigate to the "Data Sources" page under the "Data & Services" Settings menu. Edit each data source and view the advanced settings. Under the allowed SQL options, uncheck CREATE, GRANT, DROP, REVOKE and ALTER, then select the "Submit" button.

b
ColdFusion must set a query timeout for Data Sources.
SC-5 - Medium - CCI-002385 - V-237208 - SV-237208r641719_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000185
Vuln IDs
  • V-237208
  • V-62489
Rule IDs
  • SV-237208r641719_rule
  • SV-76979
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources by executing a query that will never return or timeout. By having no timeout set, this type of DoS would be available to an attacker. By setting a value greater than 0 (0 means no timeout), the query would be stopped and the resources released.
Checks: C-40427r641717_chk

Within the Administrator Console, navigate to the "Data Sources" page under the "Data & Services" Settings menu. If there are no data sources defined, this finding is not applicable. Edit each data source and then view the advanced settings by pressing the "Show Advanced Settings" button. Check to see if the data source has the capability to specify a query timeout. If available, this parameter must not be 0 (No Timeout). If a data source does not have this setting, then this is not a finding for this data source. If any of the data sources have a query timeout set to 0, this is a finding.

Fix: F-40390r641718_fix

If there are no data sources defined, this finding is not applicable. Navigate to the "Data Sources" page under the "Data & Services" Settings menu. Edit each data source and view the advanced settings. If the data source has a query timeout parameter, set the timeout parameter to a value greater than 0 and select the "Submit" button.

b
ColdFusion must limit the maximum number of Web Service requests.
SC-5 - Medium - CCI-002385 - V-237209 - SV-237209r641722_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000186
Vuln IDs
  • V-237209
  • V-62491
Rule IDs
  • SV-237209r641722_rule
  • SV-76981
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is Web Services. Web Services allow an application to publish SOAP web services; when they are in use, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When not in use, this setting must be set to 1.
Checks: C-40428r641720_chk

Determine if web services are being published for the hosted applications. This may be determined by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation. If Web Services are being published for hosted applications, this finding is not applicable. Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. If Web Services are not being published for hosted applications and the "Maximum number of simultaneous Web Service requests" is not set to 1, this is a finding.

Fix: F-40391r641721_fix

If Web Services are being published for hosted applications, this finding is not applicable. Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Maximum number of simultaneous Web Service requests" to 1 and select the "Submit Changes" button.

b
ColdFusion must limit the maximum number of CFC function requests.
SC-5 - Medium - CCI-002385 - V-237210 - SV-237210r641725_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000187
Vuln IDs
  • V-237210
  • V-62493
Rule IDs
  • SV-237210r641725_rule
  • SV-76983
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is remote ColdFusion Component (CFC) requests. Remote CFC requests allow ColdFusion components to be called directly from an HTTP/HTTPS URL. If this feature is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When the feature is not in use, the maximum number must be set to 1.
Checks: C-40429r641723_chk

Determine if CFC functions are being called directly over HTTP/HTTPS for any hosted application. This may be determined by interviewing the administrator or by reviewing hosted application code, hosted application design documentation or ColdFusion baseline documentation. If CFC requests are being used by hosted applications, this finding is not applicable. Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. If CFC requests are not being used by hosted applications and "Maximum number of simultaneous CFC function requests" is not set to 1, this is a finding.

Fix: F-40392r641724_fix

If CFC requests are being used by hosted applications, this finding is not applicable. Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Maximum number of simultaneous CFC function requests" to 1 and select the "Submit Changes" button.

b
ColdFusion must limit the maximum number of simultaneous Report threads.
SC-5 - Medium - CCI-002385 - V-237211 - SV-237211r641728_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000188
Vuln IDs
  • V-237211
  • V-62495
Rule IDs
  • SV-237211r641728_rule
  • SV-76985
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. Report threads are used to process reports concurrently. Since reporting in most applications is neither time sensitive nor heavily used, this setting should be kept as low as possible, both to minimize resource use on the application server and to remove a method an attacker could use to exhaust resources. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.
Checks: C-40430r641726_chk

Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. If "Maximum number of simultaneous Report threads" is not set to 1, this is a finding.

Fix: F-40393r641727_fix

Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Maximum number of simultaneous Report threads" to 1 and select the "Submit Changes" button.

b
ColdFusion must limit the maximum number of threads available for CFTHREAD.
SC-5 - Medium - CCI-002385 - V-237212 - SV-237212r641731_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000189
Vuln IDs
  • V-237212
  • V-62497
Rule IDs
  • SV-237212r641731_rule
  • SV-76987
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is the CFTHREAD function. CFTHREAD allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned; if it is set too high, the result may be excessive context switching. When this feature is not in use, the maximum number of threads must be 1.
Checks: C-40431r641729_chk

Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. Ask the administrator whether threading (calls to CFTHREAD) is being used by any of the hosted applications. If threading is being used, this finding is not applicable. If threading is not being used and "Maximum number of threads available for CFTHREAD" is not set to 1, this is a finding.

Fix: F-40394r641730_fix

If threading is being used, this finding is not applicable. Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Maximum number of threads available for CFTHREAD" to 1 and select the "Submit Changes" button.

b
ColdFusion must set a timeout for requests.
SC-5 - Medium - CCI-002385 - V-237213 - SV-237213r641734_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000190
Vuln IDs
  • V-237213
  • V-62499
Rule IDs
  • SV-237213r641734_rule
  • SV-76989
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. The "Timeout Requests after" setting is used to terminate requests that have not been fulfilled within the set time. This parameter prevents unusually long requests from occupying server resources and impairing performance or denying other requests. This setting is system dependent and may be changed based on the performance capabilities of the underlying system hardware. Unless custom system tuning parameters are required and specifically documented, this value should be set to "5" or less. The vendor also recommends the "Timeout requests waiting in queue after" setting be set to the same value.
Checks: C-40432r641732_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Review system documentation. Determine if the "Timeout Requests after" setting has been tuned to account for application and system performance. If "Timeout Requests after seconds" is not set to "5" or is not set in accordance with the documented tuning parameters, this is a finding.

Fix: F-40395r641733_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Timeout Requests after seconds" and set the value to "5" or to the documented tuned value and select the "Submit Changes" button.

b
ColdFusion must set a timeout for logins.
SC-5 - Medium - CCI-002385 - V-237214 - SV-237214r641737_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000191
Vuln IDs
  • V-237214
  • V-62501
Rule IDs
  • SV-237214r641737_rule
  • SV-76991
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. The "Login Timeout" setting is used to terminate login attempts on data sources that have not been fulfilled in the set time. This parameter prevents unusually long logins from occupying server resources and impairing performance. This value should be set to 5 or less and be less than or equal to the value for "Timeout Requests after" setting.
Checks: C-40433r641735_chk

Within the Administrator Console, navigate to the "Data Sources" page under the "Data & Services" menu. If there are no data sources defined, this finding is not applicable. For each Data Source, view the "Login Timeout (sec)" setting within the Advanced Settings for the data source by editing the data source and then pressing the "Show Advanced Settings" button. If there are any data sources with a "Login Timeout (sec)" set higher than 5, this is a finding.

Fix: F-40396r641736_fix

Navigate to the "Data Sources" page under the "Data & Services" menu. Edit each data source and set the "Login Timeout (sec)" to 5 or less within the advanced settings for the data source.

b
ColdFusion must limit the time-out for requests waiting in the queue.
SC-5 - Medium - CCI-002385 - V-237215 - SV-237215r641740_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000192
Vuln IDs
  • V-237215
  • V-62503
Rule IDs
  • SV-237215r641740_rule
  • SV-76993
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. By setting a timeout for requests in queue, the queue is kept clear and not filled by requests that can never be filled. If an attacker were able to fill the queue with requests that never expired, the system would eventually fail. For DoD systems, this setting must be set to 5 or lower and should match the "Timeout Requests After" value.
Checks: C-40434r641738_chk

Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. If "Timeout requests waiting in queue after" setting is set higher than 5, this is a finding.

Fix: F-40397r641739_fix

Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Timeout requests waiting in queue after" to 5 or less and select the "Submit Changes" button.

a
ColdFusion must have a custom request queue time-out page.
SC-5 - Low - CCI-002385 - V-237216 - SV-237216r641743_rule
RMF Control
SC-5
Severity
Low
CCI
CCI-002385
Version
CF11-05-000193
Vuln IDs
  • V-237216
  • V-62505
Rule IDs
  • SV-237216r641743_rule
  • SV-76995
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. Limiting the knowledge given to an attacker about the effects of his attack and possible solutions to further his attack is important. This is especially important when the attacker is trying to find the limits needed to exhaust resources and cause a DoS. To limit feedback to the attacker on his efforts, a custom time-out page should be used. The message returned should only inform the user that they should wait and retry their request again. The message must not disclose that the queue timed out.
Checks: C-40435r641741_chk

Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. Validate that the "Request Queue Timeout Page" setting is set to a valid and custom page. If "Request Queue Timeout Page" is blank or is set to /CFIDE/administrator/templates/request_timeout_error.cfm, this is a finding. If a page is specified, validate that the file exists. The path and file given are relative to the web server's document root directory and not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Request Queue Timeout Page" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm. If the "Request Queue Timeout Page" setting is not set to a valid page, this is a finding.

Fix: F-40398r641742_fix

Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Request Queue Timeout Page" to a custom and valid error page and select the "Submit Changes" button.

b
ColdFusion must limit the maximum number of POST requests parameters.
SC-5 - Medium - CCI-002385 - V-237217 - SV-237217r641746_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CF11-05-000194
Vuln IDs
  • V-237217
  • V-62507
Rule IDs
  • SV-237217r641746_rule
  • SV-76997
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. Limiting the number of POST request parameters to the maximum number of form fields on any given page within the hosted application mitigates the DoS attack known as HashDOS. ColdFusion provides the postParameterLimit setting to address this risk. This is a tunable parameter that should be set as low as the application and the hardware will allow. If the system administrator has not documented and identified the specific setting value based on their specific application and system tuning requirements, this parameter must be set to "50" or less.
Checks: C-40436r641744_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Review system documentation. Determine if the "Maximum number of POST request parameters" setting has been tuned to account for application and system performance. If "Maximum number of POST request parameters" is not set to "50" or is not set in accordance with documented tuning parameters, this is a finding.

Fix: F-40399r641745_fix

Navigate to the "Settings" page under the "Server Settings" menu. Set "Maximum number of POST request parameters" to "50" or to the value specified in the documented tuning parameters and select the "Submit Changes" button.

b
ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-237218 - SV-237218r641749_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
CF11-05-000195
Vuln IDs
  • V-237218
  • V-62509
Rule IDs
  • SV-237218r641749_rule
  • SV-76999
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), but care must also be taken to safeguard against non-FIPS-approved SSL versions being used. These older versions contain vulnerabilities that have been addressed in the newer FIPS 140-2 approved TLS releases. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. ColdFusion uses the JVM to control the encryption of transmitted data. Settings for the JVM can be controlled within the Administrator Console to configure the JVM to use only FIPS 140-2 approved TLS and to disable non-FIPS SSL versions.
Checks: C-40437r641747_chk

Review the setting "JVM arguments" within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. The parameter -Dhttps.protocols is used to set the TLS versions that the JVM can use. Valid values for this setting must be TLS versions 1.0 or higher. An example setting to use TLS versions 1.2, 1.1 and 1.0 is -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1, and an example to use only TLS version 1.2 is -Dhttps.protocols=TLSv1.2. If the "JVM arguments" setting does not contain the parameter -Dhttps.protocols, or if the parameter -Dhttps.protocols contains any SSL versions, this is a finding.

Fix: F-40400r641748_fix

Navigate to the "JVM arguments" setting within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. Add the parameter -Dhttps.protocols and set the parameter to the TLS versions to be used. A sample setting to use TLSv1.2, TLSv1.1 and TLSv1 is -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1. SSL versions must not be added to this parameter. Once the parameter is added to the JVM arguments, select the "Submit Changes" button to save the changes and restart the ColdFusion application server to have the changes take effect.

b
ColdFusion must encrypt cookies.
SC-8 - Medium - CCI-002418 - V-237219 - SV-237219r641752_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
CF11-05-000196
Vuln IDs
  • V-237219
  • V-62511
Rule IDs
  • SV-237219r641752_rule
  • SV-77001
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.
Checks: C-40438r641750_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Secure Cookie" is not checked, this is a finding.

Fix: F-40401r641751_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Secure Cookie" and select the "Submit Changes" button.

b
ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
SC-8 - Medium - CCI-002421 - V-237220 - SV-237220r641755_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
CF11-05-000197
Vuln IDs
  • V-237220
  • V-62513
Rule IDs
  • SV-237220r641755_rule
  • SV-77003
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. ColdFusion uses the underlying JVM to handle transmission and receiving of data, but ColdFusion does offer the programmer an encrypt API call to protect the data. This call can use multiple crypto methods, but FIPS 140-2 approved methods are superior to non-FIPS methods for protecting the data and detecting changes to it. Through JVM arguments set within ColdFusion, the programmer can be restricted to FIPS-approved crypto methods only.
Checks: C-40439r641753_chk

Within the Administrator Console, navigate to the "Java and JVM" page under the "Server Settings" menu. If the JVM argument -Dcoldfusion.enablefipscrypto=true cannot be found, or -Dcoldfusion.enablefipscrypto is set to false, this is a finding.

Fix: F-40402r641754_fix

Navigate to the "Java and JVM" page under the "Server Settings" menu. Locate the JVM argument coldfusion.enablefipscrypto. If the argument cannot be found, add the argument as -Dcoldfusion.enablefipscrypto=true. If the parameter is defined but set to false, change the setting to true.
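The two JVM-argument checks above (the -Dhttps.protocols TLS-only requirement and the -Dcoldfusion.enablefipscrypto=true requirement) can be audited together from the argument string shown on the "Java and JVM" page. The following script is an added example and is not part of the STIG or of ColdFusion; the sample argument strings it contains are constructed. Reading the arguments from a jvm.config file (the java.args line under the assumed path /opt/coldfusion11/cfusion/bin/jvm.config) is an assumption of this script; the STIG itself points at the Administrator Console.

```python
"""Audit a ColdFusion JVM argument string for the two transport-security
settings the STIG checks: -Dhttps.protocols (TLS versions only, no SSL)
and -Dcoldfusion.enablefipscrypto=true.

Added example, not part of the STIG. WEAK_ARGS and HARDENED_ARGS below are
constructed samples. read_java_args() assumes a jvm.config with a
"java.args=" line, which is an assumption about the file, not a STIG step.
"""
import re
import shlex

# Assumed location of the argument file; the STIG checks the console, not a file.
DEFAULT_JVM_CONFIG = "/opt/coldfusion11/cfusion/bin/jvm.config"


def parse_jvm_args(arg_string):
    """Split a JVM argument string into a dict of -D system properties.

    Non -D flags such as -Xmx are ignored. A -D flag without '=' is stored
    with the value None.
    """
    props = {}
    for token in shlex.split(arg_string):
        if not token.startswith("-D"):
            continue
        key, sep, value = token[2:].partition("=")
        props[key] = value if sep else None
    return props


def check_https_protocols(props):
    """Return findings for -Dhttps.protocols (an empty list means compliant).

    Compliant: the property is present and every listed protocol is a TLS
    version (TLSv1, TLSv1.1, TLSv1.2, ...). Any other entry, e.g. SSLv3,
    is a finding, as is a missing or empty property.
    """
    value = props.get("https.protocols")
    if value is None:
        return ["-Dhttps.protocols is not set"]
    protocols = [p.strip() for p in value.split(",") if p.strip()]
    if not protocols:
        return ["-Dhttps.protocols is empty"]
    findings = []
    for proto in protocols:
        if not re.fullmatch(r"TLSv1(\.\d+)?", proto):
            findings.append(f"-Dhttps.protocols lists non-TLS protocol {proto!r}")
    return findings


def check_fips_crypto(props):
    """Return findings for -Dcoldfusion.enablefipscrypto (empty = compliant)."""
    value = props.get("coldfusion.enablefipscrypto")
    if value is None:
        return ["-Dcoldfusion.enablefipscrypto is not set"]
    if value.lower() != "true":
        return [f"-Dcoldfusion.enablefipscrypto is {value!r}, expected 'true'"]
    return []


def audit_jvm_args(arg_string):
    """Run both checks on one argument string and return the combined findings."""
    props = parse_jvm_args(arg_string)
    return check_https_protocols(props) + check_fips_crypto(props)


def read_java_args(path=DEFAULT_JVM_CONFIG):
    """Read the java.args value from a jvm.config file (assumed key=value format)."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("java.args="):
                return line[len("java.args="):].strip().strip('"')
    raise ValueError(f"no java.args line found in {path}")


# Constructed sample argument strings; not taken from a real server.
WEAK_ARGS = ("-Xms256m -Xmx1024m -Dhttps.protocols=SSLv3,TLSv1 "
             "-Dcoldfusion.enablefipscrypto=false")
HARDENED_ARGS = ("-Xms256m -Xmx1024m -Dhttps.protocols=TLSv1.2 "
                 "-Dcoldfusion.enablefipscrypto=true")

if __name__ == "__main__":
    for label, args in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        findings = audit_jvm_args(args)
        print(f"{label}: {'compliant' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

The protocol check is deliberately an allow-list (only TLSv1.x names pass) rather than a deny-list of SSL names, so an unexpected or misspelled protocol token is reported instead of silently accepted.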

b
ColdFusion must encrypt patch retrieval.
SC-8 - Medium - CCI-002421 - V-237221 - SV-237221r641758_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
CF11-05-000198
Vuln IDs
  • V-237221
  • V-62515
Rule IDs
  • SV-237221r641758_rule
  • SV-77005
Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.
Checks: C-40440r641756_chk

If the Administrator Console is used to perform patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console and review the setting "Site URL" within the "Settings" tab. If the URL is not prefixed by https://, this is a finding. If a manual process is used to retrieve patches, verify that a documented process is in place that includes using an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc. If there is not a documented process or the process does not include an encrypted method to download patches, this is a finding.

Fix: F-40403r641757_fix

If the Administrator Console is used for patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console. Locate the "Site URL" setting on the "Settings" tab. Update the URL used for updates to be prefixed with https:// so that the communication is encrypted and select the "Submit Changes" button. If a manual process is used to retrieve patches, document the process to retrieve the patches that uses an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.

b
ColdFusion must protect Session Cookies from being read by scripts.
SC-8 - Medium - CCI-002420 - V-237222 - SV-237222r641761_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
CF11-05-000199
Vuln IDs
  • V-237222
  • V-62517
Rule IDs
  • SV-237222r641761_rule
  • SV-77007
A cookie can be read by client-side scripts easily if cookie properties are not set properly during preparation for transmission. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HTTPOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.
Checks: C-40441r641759_chk

Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "HTTPOnly" is unchecked, this is a finding.

Fix: F-40404r641760_fix

Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "HTTPOnly" and select the "Submit Changes" button.

c
ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.
SC-8 - High - CCI-002420 - V-237223 - SV-237223r641764_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002420
Version
CF11-05-000200
Vuln IDs
  • V-237223
  • V-62519
Rule IDs
  • SV-237223r641764_rule
  • SV-77009
Information can be either unintentionally or maliciously disclosed if not protected during preparation for transmission. An easy way to protect data during preparation for transmission is to use non-default identifiers for data. An example is for JavaScript Object Notation (JSON) to use a prefix other than the default "JSON" prefix, which would signify to an attacker that an array of data follows. JSON is a lightweight data-interchange format.
Checks: C-40442r641762_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Prefix serialized JSON with" is unchecked, this is a finding.

Fix: F-40405r641763_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Prefix serialized JSON with" and select the "Submit Changes" button.

b
ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
SC-13 - Medium - CCI-002450 - V-237224 - SV-237224r641767_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
CF11-05-000203
Vuln IDs
  • V-237224
  • V-62521
Rule IDs
  • SV-237224r641767_rule
  • SV-77011
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNSS creates an integrity risk. The application server must utilize approved DoD or CNSS Class 3 or Class 4 certificates for software signing and business-to-business transactions. ColdFusion uses an underlying JVM for communication and certificate storage. To validate that the proper certificates are in use, the keystore must be checked.
Checks: C-40443r641765_chk

Interview the administrator to determine if ColdFusion is using certificates for PKI. If ColdFusion is not performing any PKI functions, this finding is not applicable. The CA certs are usually stored in a file called cacerts located in the directory $JAVA_HOME/jre/lib/security. If the file is not in this location, use a search command to locate the file or ask the administrator where the certificate store is located. Open a command shell or terminal window and change to the location of the certificate store. To view the certificates within the certificate store, run the following command (in this example, the keystore file is cacerts): keytool -list -v -keystore cacerts. Locate the "OU" field for each certificate within the keystore. The field should contain either DoD or CNSS as the Organizational Unit (OU). If the OU does not show that the certificates are DoD or CNSS supplied, this is a finding.

Fix: F-40406r641766_fix

Request a CNSS or DoD Class 3 or Class 4 certificate and add it to the keystore to be used for PKI communication.
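On a keystore with many entries, reading the OU of every certificate out of the verbose keytool listing by hand is error-prone. The script below, an added example that is not part of the STIG, parses the output of the keytool -list -v command named in the check and reports entries whose Owner DN carries no OU of DoD or CNSS. SAMPLE_KEYTOOL_OUTPUT is a constructed listing with fictitious certificate names; audit_keystore() runs the real keytool and assumes a storepass may be supplied so that keytool does not prompt interactively.

```python
"""Flag keystore entries whose Owner OU is neither DoD nor CNSS, from
`keytool -list -v` output. Added example, not part of the STIG.
SAMPLE_KEYTOOL_OUTPUT is constructed (fictitious CA names)."""
import re
import subprocess

APPROVED_OUS = {"DOD", "CNSS"}

# Constructed sample in the shape of `keytool -list -v` output; not a real keystore.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: sample-dod-ca
Creation date: Jan 5, 2021
Entry type: trustedCertEntry

Owner: CN=Sample DoD CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=Sample DoD CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
Serial number: 1
Valid from: Tue Jan 05 00:00:00 UTC 2021 until: Fri Jan 05 00:00:00 UTC 2031


*******************************************
*******************************************


Alias name: vendor-ca
Creation date: Jan 5, 2021
Entry type: trustedCertEntry

Owner: CN=Example Vendor CA, OU=Web Services, O=Example Corp, C=US
Issuer: CN=Example Vendor CA, OU=Web Services, O=Example Corp, C=US
Serial number: 2
Valid from: Tue Jan 05 00:00:00 UTC 2021 until: Fri Jan 05 00:00:00 UTC 2031
"""


def parse_dn(dn):
    """Split a DN string into (ATTR, value) pairs.

    Splits on commas that are not backslash-escaped, so an escaped comma
    inside a value (e.g. "O=Acme\\, Inc") stays part of that value.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parse_keytool_listing(text):
    """Return one {'alias', 'owner', 'ous'} dict per keystore entry."""
    entries = []
    # Each entry begins with an "Alias name:" line; the first chunk is the header.
    for block in re.split(r"(?m)^Alias name:[ \t]*", text)[1:]:
        alias = block.splitlines()[0].strip()
        match = re.search(r"(?m)^Owner:\s*(.+)$", block)
        owner = match.group(1).strip() if match else ""
        ous = [value for attr, value in parse_dn(owner) if attr == "OU"]
        entries.append({"alias": alias, "owner": owner, "ous": ous})
    return entries


def non_approved_entries(entries):
    """Entries with no OU equal to DoD or CNSS (case-insensitive)."""
    return [e for e in entries
            if not any(ou.upper() in APPROVED_OUS for ou in e["ous"])]


def audit_keystore(path, keytool="keytool", storepass=None):
    """Run keytool on a real keystore and return its non-approved entries.

    Passing storepass (assumed here) avoids keytool's interactive prompt.
    """
    cmd = [keytool, "-list", "-v", "-keystore", path]
    if storepass is not None:
        cmd += ["-storepass", storepass]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return non_approved_entries(parse_keytool_listing(out))


if __name__ == "__main__":
    for entry in non_approved_entries(parse_keytool_listing(SAMPLE_KEYTOOL_OUTPUT)):
        print(f"FINDING: alias {entry['alias']!r} has OU {entry['ous']}, not DoD/CNSS")
```

A certificate may carry several OU values (the constructed DoD sample has both PKI and DoD), so the check passes if any OU matches rather than requiring the first one to.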

b
The ColdFusion missing template handler must be valid.
SI-11 - Medium - CCI-001312 - V-237225 - SV-237225r641770_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
CF11-06-000216
Vuln IDs
  • V-237225
  • V-62523
Rule IDs
  • SV-237225r641770_rule
  • SV-77013
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The missing template handler is used much like the 404 handler for a web server. When the missing template handler is blank, a potential attacker may be sent information that reveals the ColdFusion version number. Once the attacker has the version of ColdFusion being used, he can begin looking for specific attacks the version may be vulnerable to if not patched and secured properly.
Checks: C-40444r641768_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Validate that the "Missing Template Handler" setting is not blank and that the template specified is valid. If the "Missing Template Handler" parameter is blank, this is a finding. If a template is specified, validate that the template exists. The path and file given are relative to the web server's document root directory, not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Missing Template Handler" is set to /CFIDE/administrator/templates/missing_template_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/missing_template_error.cfm. If the "Missing Template Handler" setting is not a valid file, this is a finding.

Fix: F-40407r641769_fix

Navigate to the "Settings" page under the "Server Settings" menu. Specify a valid handler for missing templates and select the "Submit Changes" button.

b
The ColdFusion site-wide error handler must be valid.
SI-11 - Medium - CCI-001312 - V-237226 - SV-237226r641773_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
CF11-06-000217
Vuln IDs
  • V-237226
  • V-62525
Rule IDs
  • SV-237226r641773_rule
  • SV-77015
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. When the site-wide error handler is blank, information can be presented to an attacker that may expose the cause of exceptions. With this information, the attacker can then target the failing code path, trying to make the server fail and cause a DoS, expose PII, or gain access to server resources. A custom site-wide error handler should be created and used that discloses the same generic message to the user for all exceptions, and the error must be logged so that it can be investigated.
Checks: C-40445r641771_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Validate that the "Site-wide Error Handler" setting is not blank and that the template specified is valid. If the "Site-wide Error Handler" parameter is blank, this is a finding. If a template is specified, validate that the template exists. The path and file given are relative to the web server's document root directory, not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Site-wide Error Handler" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm. If the "Site-wide Error Handler" setting is not a valid file, this is a finding.

Fix: F-40408r641772_fix

Navigate to the "Settings" page under the "Server Settings" menu. Specify a custom and valid site-wide error handler and select the "Submit Changes" button.
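The checks for the missing template handler (CF11-06-000216) and the site-wide error handler (CF11-06-000217) share one pitfall: the value in the Administrator Console is webroot-relative, so testing it against the OS root gives a false "file not found" (or a false pass if a same-named file happens to exist there). The script below is an added example, not code from this STIG or from Adobe: it joins the setting onto the document root, refuses a blank value, refuses a value that resolves outside the document root, and reports whether the template exists. The demo() document root, the CFIDE template paths used in it, and the setting names as dictionary keys are taken from the check text; the temporary directory it builds is constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_handler(docroot, handler):
    """Map a handler setting, as the Administrator Console stores it, to an OS path.

    The leading slash means "web server document root", not the OS root, so it is
    stripped before joining. Returns None for a blank setting.
    """
    handler = (handler or "").strip()
    if not handler:
        return None
    return os.path.join(docroot, handler.lstrip("/").replace("/", os.sep))


def check_handler(name, docroot, handler):
    """Apply the STIG check to one setting. Returns (is_finding, message)."""
    path = resolve_handler(docroot, handler)
    if path is None:
        return True, f"{name} is blank: finding"
    root = os.path.realpath(docroot)
    real = os.path.realpath(path)
    # Added guard beyond the check text: a handler that climbs out of the document
    # root via ".." is not a valid template either.
    if os.path.commonpath([root, real]) != root:
        return True, f"{name} resolves outside the document root ({real}): finding"
    if not os.path.isfile(real):
        return True, f"{name} points to {real}, which does not exist: finding"
    return False, f"{name} resolves to {real}: ok"


def check_error_handlers(docroot, settings):
    """Run the check for each setting in {name: value}; returns {name: (is_finding, message)}."""
    return {name: check_handler(name, docroot, value) for name, value in settings.items()}


def demo():
    """Constructed document root in which only the missing-template handler exists.

    Returns {setting name: is_finding} so the outcome of each rule can be inspected.
    """
    with tempfile.TemporaryDirectory() as docroot:
        tmpl_dir = Path(docroot, "CFIDE", "administrator", "templates")
        tmpl_dir.mkdir(parents=True)
        (tmpl_dir / "missing_template_error.cfm").touch()
        results = check_error_handlers(docroot, {
            "Missing Template Handler": "/CFIDE/administrator/templates/missing_template_error.cfm",
            "Site-wide Error Handler": "/CFIDE/administrator/templates/secure_profile_error.cfm",
        })
    for _name, (_is_finding, message) in results.items():
        print(message)
    return {name: is_finding for name, (is_finding, _msg) in results.items()}


if __name__ == "__main__":
    demo()
```

The script only establishes that a template file exists at the right place. The content requirement of the site-wide rule, a generic message to the user and a logged record of the exception, still has to be confirmed by reading the template.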

c
ColdFusion must have Robust Exception Information disabled.
SI-11 - High - CCI-001312 - V-237227 - SV-237227r641776_rule
RMF Control
SI-11
Severity
High
CCI
CCI-001312
Version
CF11-06-000218
Vuln IDs
  • V-237227
  • V-62527
Rule IDs
  • SV-237227r641776_rule
  • SV-77017
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. ColdFusion is a development and deployment framework. To handle this role properly, ColdFusion offers several debugging and logging facilities that must be disabled in a production environment. If left enabled, these settings can expose sensitive data within error and log messages.
Checks: C-40446r641774_chk

Within the Administrator Console, navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. If "Enable Robust Exception Information" is checked, this is a finding.

Fix: F-40409r641775_fix

Navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. Uncheck "Enable Robust Exception Information" and select the "Submit Changes" button.

c
ColdFusion must have AJAX Debug Log Window disabled.
SI-11 - High - CCI-001312 - V-237228 - SV-237228r641779_rule
RMF Control
SI-11
Severity
High
CCI
CCI-001312
Version
CF11-06-000219
Vuln IDs
  • V-237228
  • V-62529
Rule IDs
  • SV-237228r641779_rule
  • SV-77019
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. Allowing the AJAX Debug Log Window to be enabled allows a user to send AJAX debug messages back to a client. The log data sent is meant to be used in a development environment and used to fix errors in AJAX code. Once the application is developed and is moved to production, debugging is not needed and this feature must be disabled.
Checks: C-40447r641777_chk

Within the Administrator Console, navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. If "Enable AJAX Debug Log Window" is checked, this is a finding.

Fix: F-40410r641778_fix

Navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. Uncheck "Enable AJAX Debug Log Window" and select the "Submit Changes" button.

c
ColdFusion must have Request Debugging Output disabled.
SI-11 - High - CCI-001312 - V-237229 - SV-237229r641782_rule
RMF Control
SI-11
Severity
High
CCI
CCI-001312
Version
CF11-06-000220
Vuln IDs
  • V-237229
  • V-62531
Rule IDs
  • SV-237229r641782_rule
  • SV-77021
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. The option to enable request debugging output is another tool that a developer can use during the development phase of the hosted application. This feature appends debugging information to the end of each CFML request. Once a hosted application is moved from the development phase to production, the need for debug information is no longer valid.
Checks: C-40448r641780_chk

Within the Administrator Console, navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. If "Enable Request Debugging Output" is checked, this is a finding.

Fix: F-40411r641781_fix

Navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. Uncheck "Enable Request Debugging Output" and select the "Submit Changes" button.

c
ColdFusion must have Allow Line Debugging disabled.
SI-11 - High - CCI-001312 - V-237230 - SV-237230r641785_rule
RMF Control
SI-11
Severity
High
CCI
CCI-001312
Version
CF11-06-000221
Vuln IDs
  • V-237230
  • V-62533
Rule IDs
  • SV-237230r641785_rule
  • SV-77023
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. The option to allow line debugging is enabled when a developer wants to trace code through a debugger such as Eclipse. Debugging must not be performed on a production server, and this option must be disabled.
Checks: C-40449r641783_chk

Within the Administrator Console, navigate to the "Debugger Settings" page under the "Debugging & Output Settings" menu. If "Allow Line Debugging" is checked, this is a finding.

Fix: F-40412r641784_fix

Navigate to the "Debugger Settings" page under the "Debugging & Output Settings" menu. Uncheck "Allow Line Debugging" and select the "Submit Changes" button.

b
The ColdFusion error messages must be restricted to only authorized users.
SI-11 - Medium - CCI-001314 - V-237231 - SV-237231r641788_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
CF11-06-000222
Vuln IDs
  • V-237231
  • V-62535
Rule IDs
  • SV-237231r641788_rule
  • SV-77025
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
Checks: C-40450r641786_chk

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to read error messages. For each user that should not be able to read error messages, review the roles assigned to the user account. If any user that should not be able to read error messages has the "Debugging and Logging>Logging" role, this is a finding.

Fix: F-40413r641787_fix

Navigate to the "User Manager" page under the "Security" menu. Remove the "Debugging and Logging>Logging" role from each user that should not have access to read error messages.

b
ColdFusion must have ColdFusion component (CFC) type checking enabled.
SI-10 - Medium - CCI-002754 - V-237232 - SV-237232r641791_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-002754
Version
CF11-06-000223
Vuln IDs
  • V-237232
  • V-62537
Rule IDs
  • SV-237232r641791_rule
  • SV-77027
Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. Invalid input can also reach ColdFusion components from within an application. The parameters may come from users and not be properly type checked, or from data computed within the application. When the data is not type checked, the receiving component may cause an error that is unhandled or throw an exception that puts the application server and/or hosted application into an unsecure posture. To limit invalid calls, ColdFusion component (CFC) type checking must be enabled, which means the "Disable CFC Type check" setting must remain unchecked.
Checks: C-40451r641789_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Disable CFC Type check" is checked, this is a finding.

Fix: F-40414r641790_fix

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Disable CFC Type check" and select the "Submit Changes" button.

b
ColdFusion must enable Global Script Protection.
SI-10 - Medium - CCI-002754 - V-237233 - SV-237233r641794_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-002754
Version
CF11-06-000224
Vuln IDs
  • V-237233
  • V-62539
Rule IDs
  • SV-237233r641794_rule
  • SV-77029
Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. Invalid inputs are also used for Cross-Site Scripting (XSS) attacks. This type of attack relies on the attacker being able to insert script code into an input field and having the script executed on the client machine. Enabling Global Script Protection provides only limited protection against certain Cross-Site Scripting attack vectors. It is important to understand that enabling this setting does not protect hosted applications from all possible Cross-Site Scripting attacks. When this setting is turned on, it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags: object, embed, script, applet, and meta with Invalid Tag. This setting does not restrict any JavaScript strings that may be injected and executed, iframe tags, or any XSS obfuscation techniques.
Checks: C-40452r641792_chk

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Enable Global Script Protection" is unchecked, this is a finding.

Fix: F-40415r641793_fix

Navigate to the "Settings" page under the "Server Settings" menu. Check "Enable Global Script Protection" and select the "Submit Changes" button.
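The discussion above says what Global Script Protection does and does not stop; the following script makes that concrete. It is an added example, not code from this STIG, from Adobe, or from neo-security.xml: the regular expression in it is a stand-in written for the example that covers the five tag names the rule lists, and the replacement marker "InvalidTag" is an assumption about how the feature labels a stripped tag. The payloads are constructed for the example. Run against them, the stand-in neutralises the listed tags regardless of case but leaves an iframe, an inline event handler and a javascript: URL untouched, which is exactly the gap the rule warns about.

```python
import re

# Tag names the STIG says Global Script Protection rewrites in input variables.
PROTECTED_TAGS = ("object", "embed", "script", "applet", "meta")

# Stand-in for the neo-security.xml expression (assumption, not Adobe's pattern):
# an opening or closing tag whose name is one of PROTECTED_TAGS, any case, with any
# attributes up to the closing angle bracket.
TAG_PATTERN = re.compile(
    r"<\s*/?\s*(?:" + "|".join(PROTECTED_TAGS) + r")\b[^>]*>",
    re.IGNORECASE,
)
REPLACEMENT = "InvalidTag"  # assumed marker for a stripped tag


def global_script_protect(value):
    """Rewrite one input variable the way the setting does: tag by tag, content kept."""
    return TAG_PATTERN.sub(REPLACEMENT, value)


# Constructed payloads: the first two are rewritten, the remaining three pass through.
SAMPLE_INPUTS = {
    "script_tag": "<script>alert(1)</script>",
    "upper_case_object": '<OBJECT data="x"></OBJECT>',
    "iframe": '<iframe src="https://attacker.example/"></iframe>',
    "event_handler": "<img src=x onerror=alert(1)>",
    "js_url": '<a href="javascript:alert(1)">x</a>',
}


def classify(inputs=SAMPLE_INPUTS):
    """Return {payload name: 'neutralised' | 'passes through'} for each input."""
    return {
        name: "neutralised" if global_script_protect(value) != value else "passes through"
        for name, value in inputs.items()
    }


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(f"{name:18} {classify()[name]:14} {global_script_protect(value)}")
```

Note that even a "neutralised" payload keeps its inner text: <script>alert(1)</script> becomes InvalidTagalert(1)InvalidTag. The setting is a coarse tag filter, so output encoding and input validation in the hosted application remain the real XSS control.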

b
ColdFusion must remove software components after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-237234 - SV-237234r641797_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002617
Version
CF11-06-000225
Vuln IDs
  • V-237234
  • V-62541
Rule IDs
  • SV-237234r641797_rule
  • SV-77031
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when installed. This backup directory allows the SA to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.
Checks: C-40453r641795_chk

Within the Administrator Console, navigate to the "Updates" page under the "Server Update" menu. Within the "Installed Updates" tab, locate the backup directory location for each update that is installed. On the server running the ColdFusion server, verify that the backup directories do not exist for any of the updates. If all updates have been tested/verified and any of the backup directories exist, this is a finding. Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.

Fix: F-40416r641796_fix

Navigate to the "Updates" page under the "Server Update" menu within the Administrator Console. Within the "Installed Updates" tab, locate the backup directory location for any updates installed. On the server running the ColdFusion server, remove all backup directories for any updates installed. Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.

a
ColdFusion must be set to automatically check for updates.
SI-2 - Low - CCI-002605 - V-237235 - SV-237235r641800_rule
RMF Control
SI-2
Severity
Low
CCI
CCI-002605
Version
CF11-06-000226
Vuln IDs
  • V-237235
  • V-62543
Rule IDs
  • SV-237235r641800_rule
  • SV-77033
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently. Having "Automatically Check for Updates" checked causes ColdFusion to look for updates on every logon.
Checks: C-40454r641798_chk

Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation. If the ColdFusion server has access to a patch repository, the server must check for updates. To verify that the server is checking for updates, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that the "Automatically Check for Updates" is checked. If the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository and "Automatically Check for Updates" is not checked, this is a finding. If the ColdFusion server does not have access to Adobe or an internally maintained patch repository, then a manual process must be documented to check for updates. The documented process must include the location and how often to check for updates. If the process is not documented or the documented process does not include location and frequency, this is a finding.

Fix: F-40417r641799_fix

If the ColdFusion server has access to a patch repository, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and check the "Automatically Check for Updates" setting and select the "Submit Changes" button. If the ColdFusion server does not have access to a patch repository, document the process to check for updates. The documented process must include location and how often.

a
ColdFusion must have notifications enabled when a server update is available.
SI-2 - Low - CCI-002605 - V-237236 - SV-237236r641803_rule
RMF Control
SI-2
Severity
Low
CCI
CCI-002605
Version
CF11-06-000227
Vuln IDs
  • V-237236
  • V-62545
Rule IDs
  • SV-237236r641803_rule
  • SV-77035
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently. Having "Check for updates every" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify guarantees a notification is sent to the administrator.
Checks: C-40455r641801_chk

Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation. If the ColdFusion server has access to a patch repository, the server must notify administrators when updates are available. To verify that the server is notifying administrators, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that the "Check for updates every" is checked, that a positive value is entered for the "days" value and that at least one email address is entered for notification. If "Check for updates every" is not checked, the "days" value is empty or less than 1, or the "If updates are available, send email notification to" parameter is empty, this is a finding. If the ColdFusion server does not have access to a patch repository, then a documented notification process must be in place along with the administrator's enrollment in the Adobe automated patch notification service. To validate enrollment, a verification email or patch notification email can be used. If the administrators are not enrolled in the Adobe patch notification service or the process is not documented, this is a finding.

Fix: F-40418r641802_fix

If the ColdFusion server has access to a patch repository, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and check the "Check for updates every" setting, enter a value greater than 0 for the "days" setting, and enter email addresses for notification. Select the "Submit Changes" button to save the new settings. If the ColdFusion server does not have access to a patch repository, document the process to enroll into the Adobe patch notification service and enroll all administrators in the notification service.