Adobe ColdFusion Security Technical Implementation Guide

Version

APAS-CF-000190

Vuln IDs

V-279040

Rule IDs

SV-279040r1171341_rule

Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server. When enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface. When used, the WebSocket service must be securely configured. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259

Checks: C-83588r1171339_chk

Verify the ColdFusion WebSocket configuration. 1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket. If the "websocket" package is not installed, this is Not Applicable. 2. If "Enable WebSocket Service" is checked: If "Use Proxy" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted. 3. If "Use Built-in WebSocket Server" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted. 4. If SSL Port is not checked, this is a finding. 5. Verify SSL Port is an approved port. If not, this is a finding. 6. If "Start Flash Policy Server" is checked, this is a finding. 7. If "Max Data Size" is over the required maximum size, this is a finding.

Fix: F-83493r1171340_fix

Configure ColdFusion WebSocket. 1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket. 2. If "Use Proxy" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted. 3. If "Use Built-in WebSocket Server" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted. 4. Enable encryption by checking "SSL Port" and enter an approved port value. 5. Enter keystore and password. 6. Uncheck the "Start Flash Policy Server". 7. Set the "Max Data Size" to the default setting of 1024 or to the required maximum size for the hosted applications. 8. Select "Submit Changes".

b

ColdFusion must have Event Gateway Services disabled when not in use.

CM-7 - Medium - CCI-000381 - V-279041 - SV-279041r1171343_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000195

Vuln IDs

V-279041

Rule IDs

SV-279041r1171343_rule

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. Event Gateway Services are used to pass events from external sources to ColdFusion components that are specified. Since this gateway is accepting events from external sources, a listener must be present. When enabled, along with the listener, memory, queues, and processes are available for gateway processes. These resources can be used by an attacker and should be disabled if the feature is not being used for hosted applications.

Checks: C-83589r1170895_chk

Check Event Gateway Service. 1. From the Admin Console Landing Screen, navigate to Event Gateways >> Settings. If Event Gateway is not in use and "Enable ColdFusion Event Gateway Services" is checked, this is a finding.

Fix: F-83494r1171342_fix

Configure Event Gateway Service. 1. From the Admin Console Landing Screen, navigate to Event Gateways >> Settings. 2. Uncheck "Enable ColdFusion Event Gateway Services". 3. Select "Submit Changes".

b

ColdFusion must have Remote Development Services (RDS) disabled.

CM-7 - Medium - CCI-000381 - V-279042 - SV-279042r1171505_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000200

Vuln IDs

V-279042

Rule IDs

SV-279042r1171505_rule

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. RDS is used in a development environment to allow authenticated users access to the server using special features within code editors like Dreamweaver, HomeSite+, ColdFusion Studio, Eclipse, and VSCode to obtain information from the server. For example, developers can determine what data sources exist, query them, build code based on them, and more. RDS also enables access from within the editors to files on the server (even remotely) over HTTP, as an alternative to FTP. This feature is not meant for production environments.

Checks: C-83590r1171504_chk

Verify RDS is disabled. From the Admin Console Landing Screen, navigate to Security >> RDS. If "Enable RDS Service" is checked, this is a finding.

Fix: F-83495r1171345_fix

Disable RDS. 1. From the Admin Console Landing Screen, navigate to Security >> RDS. 2. Uncheck "Enable RDS Service". 3. Select "Submit Changes".

a

ColdFusion must have example services removed.

CM-7 - Low - CCI-000381 - V-279043 - SV-279043r1171348_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000205

Vuln IDs

V-279043

Rule IDs

SV-279043r1171348_rule

ColdFusion is installed with sample data services, gateway services, collections, and mappings. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to ColdFusion and to systems connected to ColdFusion. To correct this issue, sample code and services must be deleted.

Checks: C-83591r1170901_chk

Verify Sample Services have been removed. 1. From the Admin Console Landing Screen, navigate to Data & Services. In the Data Sources tab, if the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding. In the ColdFusion Collections tab, if the bookclub collection exists, this is a finding. In the GraphQL tab, if the service "myservice" with the path " https://apollo-fullstack-tutorial.herokuapp.com/graphql" exists, this is a finding. 2. Navigate to Event Gateways. In the Gateway Instances tab, if the Gateway Instance SMS Menu App exists, this is a finding.

Fix: F-83496r1171347_fix

Remove Sample Services. 1. From the Admin Console Landing Screen, navigate to Data & Services. a. In the Data Sources tab, delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples. b. In the ColdFusion Collections tab, delete the bookclub collection. c. In the GraphQL tab, delete the service "myservice" with the path "https://apollo-fullstack-tutorial.herokuapp.com/graphql". 2. Navigate to Event Gateways. a. In the Gateway Instances tab, delete the Gateway Instance SMS Menu App.

b

ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging.

CM-7 - Medium - CCI-000381 - V-279044 - SV-279044r1171508_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000220

Vuln IDs

V-279044

Rule IDs

SV-279044r1171508_rule

Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging, are valuable tools during development but pose significant security risks if left enabled in production environments. These features can expose detailed error messages, internal server logic, application structure, variable contents, and system information that could be leveraged by attackers to gain unauthorized access, identify exploitable vulnerabilities, or conduct reconnaissance. Allowing remote inspection or detailed debugging output in a production environment undermines the principle of least privilege and increases the risk of unauthorized disclosure of sensitive information. This violates secure coding and deployment best practices. Disabling these features mitigates the risk of information leakage. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000266-AS-000169

Checks: C-83592r1171506_chk

Validate Debugging and Logging settings. From the Admin Console Landing Screen, navigate to Debugging & Logging. In the "Remote Inspection Settings" tab, if "Allow Remote Inspection" is checked, this is a finding. In the "Debug Output Settings" tab, if "Enable Robust Exception Information" is checked, this is a finding. If "Enable AJAX Debug Log Window" is checked, this is a finding. In the "Debugger Settings" tab, if "Allow Line Debugging" is checked, this is a finding.

Fix: F-83497r1171507_fix

Configure Debugging and Logging settings. 1. From the Admin Console Landing Screen, navigate to Debugging & Logging. 2. In the "Remote Inspection Settings" tab, ensure "Allow Remote Inspection" is unchecked. 3. Select "Submit Changes". 4. In the "Debug Output Settings" tab, ensure "Enable Robust Exception Information" is unchecked. 5. Ensure "Enable AJAX Debug Log Window" is unchecked. 6. Select "Submit Changes". 7. In the Debugger Settings tab, ensure "Allow Line Debugging" is unchecked. 8. Select "Submit Changes".

b

ColdFusion must have any unused mappings removed.

CM-7 - Medium - CCI-000381 - V-279045 - SV-279045r1171287_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000235

Vuln IDs

V-279045

Rule IDs

SV-279045r1171287_rule

ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings are left configured, they can present an unmonitored and potentially exploitable entry point for attackers. These mappings may inadvertently expose internal files, application code, or sensitive resources that are not intended for public or application-level access. Attackers can leverage such mappings to bypass access controls, perform directory traversal attacks, or gain insight into the server's file structure. Removing unused mappings reduces the attack surface and eliminates access to unnecessary or insecure directories, supporting the principle of least functionality.

Checks: C-83593r1170907_chk

Verify Mappings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings. 2. For each of the mappings defined, ask the administrator if the mapping is being used by any hosted applications. If any of the mappings are not being used by the hosted applications, this is a finding.

Fix: F-83498r1171286_fix

Delete unused mappings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings. 2. Delete any mapping that is not being used by the hosted applications.

a

ColdFusion must have Central Configuration Server (CCS) disabled.

CM-7 - Low - CCI-000381 - V-279046 - SV-279046r1171510_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000240

Vuln IDs

V-279046

Rule IDs

SV-279046r1171510_rule

The ColdFusion CCS is a feature used to synchronize configuration settings across multiple ColdFusion instances. Leaving CCS enabled in a production environment especially when it is not actively used introduces unnecessary risk. If improperly secured or misconfigured, CCS can allow unauthorized access to critical configuration settings, leading to configuration drift, exposure of sensitive information, or even system compromise across multiple instances. Disabling CCS when not explicitly required helps reduce the application server's attack surface, ensures tighter control over system configurations, and limits the potential vectors for lateral movement within the environment.

Checks: C-83594r1171509_chk

Validate CCS is disabled. From the Admin Console Landing Screen, navigate to Server Settings >> CCS. If the "CCS Enabled" is "Enabled", this is a finding.

Fix: F-83499r1170911_fix

Disable CCS. 1. From the Admin Console Landing Screen, navigate to Server Settings >> CCS. 2. Select "Disabled" on "CCS Enabled" setting. 3. Select "Submit Changes".

a

ColdFusion must have only approved Tomcat connectors enabled.

CM-7 - Low - CCI-000381 - V-279047 - SV-279047r1171513_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000250

Vuln IDs

V-279047

Rule IDs

SV-279047r1171513_rule

Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols. To minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality.

Checks: C-83595r1171511_chk

Review SSP for list of approved connectors and associated TCP/IP ports. Verify only approved connectors are present. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Open the server.xml file in a text editor. Locate the "Connector" tags that are not commented out. 3. Verify all connectors and their associated network ports are approved in the system security plan (SSP). If connectors are found but are not approved in the SSP, this is a finding.

Fix: F-83500r1171512_fix

1. Obtain information system security officer (ISSO) approvals for the configured connectors and document in the SSP. 2. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 3. Create a backup of this file. 4. Edit the file and remove any unapproved connectors by deleting the "Connector" tag or using XML syntax to comment out the configuration. XML comment syntax starts with

a

ColdFusion must have Tomcat configured with deployXML disabled.

CM-7 - Low - CCI-000381 - V-279048 - SV-279048r1171516_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000255

Vuln IDs

V-279048

Rule IDs

SV-279048r1171516_rule

The deployXML setting in Tomcat controls whether the server will automatically deploy and process context.xml files found within web application directories. When enabled, this feature allows web applications to define their own context-level configurations, which may override secure global settings or introduce insecure configurations without administrator knowledge or oversight. Allowing applications to self-deploy XML configuration files increases the risk of misconfiguration, privilege escalation, or malicious reconfiguration. Disabling deployXML enforces centralized control over context configurations, reduces the risk of insecure deployments, and aligns with the principle of least functionality.

Checks: C-83596r1171514_chk

DeployXML Configuration in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Review the server.xml configuration by opening the server.xml file in a text editor. 3. Search for all <Host> elements. 4. Check the deployXML attribute. Inspect each <Host> element for the deployXML setting. If any <Host> element has "deployXML="true"", this is a finding.

Fix: F-83501r1171515_fix

Disable deployXML in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Before making any changes, create a backup copy of the file. Windows Example: copy server.xml server.xml.bak Linux Example: cp server.xml server.xml.bak 3. Edit the configuration by opening server.xml in a text editor with administrative privileges. 4. Locate all <Host> elements with: deployXML="true" 5. Change all attributes to: deployXML="false" 6. Restart ColdFusion to apply the configuration changes. 7. Confirm that ColdFusion services started successfully. 8. Reopen server.xml to confirm that deployXML="false" is set for all <Host> elements.

a

ColdFusion must be configured with autoDeploy disabled.

CM-7 - Low - CCI-000381 - V-279049 - SV-279049r1171519_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000260

Vuln IDs

V-279049

Rule IDs

SV-279049r1171519_rule

ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks.

Checks: C-83597r1171517_chk

Review the autoDeploy configuration in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Review the server.xml configuration by opening the server.xml file in a text editor. 3. Search for all <Host> elements. 4. Check the autoDeploy Attribute. Inspect each <Host> element for the autoDeploy setting. If any <Host> element has "autoDeploy="true"", this is a finding.

Fix: F-83502r1171518_fix

Disable autoDeploy in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Before making any changes, create a backup copy of the file. Windows Example: copy server.xml server.xml.bak Linux Example: cp server.xml server.xml.bak 3. Edit the configuration by opening server.xml in a text editor with administrative privileges. 4. Locate all <Host> elements with: autoDeploy="true" 5. Change all attributes to: autoDeploy="false" 6. Restart ColdFusion to apply the configuration changes. 7. Confirm that ColdFusion services started successfully. 8. Reopen server.xml to confirm that autoDeploy="false" is set for all <Host> elements.

b

ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.

CM-7 - Medium - CCI-000381 - V-279050 - SV-279050r1171521_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000265

Vuln IDs

V-279050

Rule IDs

SV-279050r1171521_rule

ColdFusion Server Settings must be securely configured to enforce application hardening, prevent misuse of functionality, and protect against common web application vulnerabilities. These settings control critical behaviors, including request timeouts, file inclusion, POST limits, script protection, error handling, and access to internal Java components. If these settings are not properly configured according to documented security guidelines and performance parameters, ColdFusion may be exposed to a variety of threats. Improper request throttling or POST limits can lead to denial-of-service conditions, while excessive output buffer sizes and unfiltered file uploads can result in resource exhaustion or exploitation of the file system. Enabling features such as debug output, remote inspection, or detailed exception information may disclose internal logic, configuration details, or sensitive data to unauthorized users. Allowing overly permissive file inclusion or attribute handling introduces the risk of injection attacks or unintended code execution. Using default, insecure, or unnecessary feature violates secure configuration principles and increases the application's attack surface. Ensuring ColdFusion is configured with approved and secure server settings helps maintain proper access control, input validation, error handling, and system resilience, ultimately reducing the risk of compromise or misuse. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000211-AS-000146, SRG-APP-000223-AS-000150, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000435-AS-000163, SRG-APP-000441-AS-000258, SRG-APP-000447-AS-000273, SRG-APP-000516-AS-000237

Checks: C-83598r1171520_chk

Verify Server Settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If "Timeout Requests after seconds" is not set to "5" or is not set in accordance with the documented tuning parameters, this is a finding. If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding. If "Allow REST Discovery" is checked, this is a finding. 2. Review the "Allow Extra Attributes in AttributeCollection" setting. If the nonstandard attributes are allowed to be passed to ColdFusion tags, this is a finding. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding. If "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding. If "Disable creation of unnamed applications" is unchecked, this is a finding. If "Use UUID for cftoken" is not checked, this is a finding. If "Allow adding application variables to Servlet Context" is checked, this is a finding. If "Check configuration files for changes every" is checked, this is a finding. If "Maximum number of POST request parameters" is not set to "50" or is not set in accordance with documented tuning parameters, this is a finding. If the "Maximum Output Buffer Size" is set to a number larger than 1024, this is a finding. If the "Max Unzip Ratio" is set to a number larger than 100, this is a finding. If the "Request Throttle Threshold" is set to a number larger than 4, this is a finding. If the "Disable CFC Type check" is checked, this is a finding. If the "Prefix serialized JSON with" is unchecked, this is a finding. If the "Enable Global Script Protection" is unchecked, this is a finding. If the "Default ScriptSrc Directory" is set to /cf_scripts/scripts/", this is a finding. 3. Review the "Use UUID for cftoken" setting. If the cftoken is not configured to use UUID, this is a finding. 4. Review the "Prefix serialized JSON with" setting. If a prefix is not configured for JSON, this is a finding. 5. Review the "Blocked file extensions for CFFile uploads" setting. If no file extensions are set to be blocked, this is a finding. 6. Validate that the "Missing Template Handler" setting is not blank and that the template specified is a valid. If the "Missing Template Handler" parameter is blank this is a finding. 7. Validate that the template exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory. (Example: If the web servers' document root is /opt/webserver/wwwroot and the "Missing Template Handler" is set to /CFIDE/administrator/templates/missing_template_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/missing_template_error.cfm.) If the "Missing Template Handler" setting is not a valid file, this is a finding. 8. Validate that the "Site-wide Error Handler" setting is not blank and that the template specified is valid. If the "Site-wide Error Handler" parameter is blank, this is a finding. 9. Validate that the template exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory. (Example: If the web server's document root is /opt/webserver/wwwroot and the "Site-wide Error Handler" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm.) If the "Site-wide Error Handler" setting is not a valid file, this is a finding.

Fix: F-83503r1170923_fix

Configure Server Settings. 1. Set "Timeout Requests after seconds" to "5" or adjust according to documented tuning parameters. 2. Check the box to disable access to internal ColdFusion Java components. 3. Uncheck "Allow REST Discovery" if it is currently checked. 4. Review and disallow nonstandard attributes from being passed to ColdFusion tags. 5. Ensure "Allowed file extensions for CFInclude tag" is not empty and does not contain "." unless approved by the information system security officer (ISSO). 6. Check the box to disable creation of unnamed applications. 7. Check the box to use UUID for cftoken. 8. Uncheck "Allow adding application variables to Servlet Context". 9. Uncheck "Check configuration files for changes every". 10. Set "Maximum number of POST request parameters" to "50" or adjust according to documented tuning parameters. 11. Set "Maximum Output Buffer Size" to "1024" or lower. 12. Set "Max Unzip Ratio" to "100" or lower. 13. Set "Request Throttle Threshold" to "4" or lower. 14. Uncheck "Disable CFC Type check". 15. Check the box to prefix serialized JSON. 16. Check the box to enable Global Script Protection. 17. Set "Default ScriptSrc Directory" to a directory other than "/cf_scripts/scripts/". 18. Ensure that "Use UUID for cftoken" is configured to use UUID. 19. Ensure that a prefix is configured for JSON serialization. 20. Ensure that file extensions are appropriately blocked as per policy. 21. Ensure that "Missing Template Handler" is not blank and specifies a valid template path. 22. Ensure that "Site-wide Error Handler" is not blank and specifies a valid template path. 23. Select "Submit Changes".

a

ColdFusion must have the sample data directories removed.

CM-7 - Low - CCI-000381 - V-279051 - SV-279051r1171473_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000275

Vuln IDs

V-279051

Rule IDs

SV-279051r1171473_rule

ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to ColdFusion and to those systems connected to ColdFusion. To alleviate this issue, sample code, data, and services must be deleted.

Checks: C-83599r1171472_chk

1. Locate each directory of the ColdFusion instances and observe their subdirectories. If the "db" subdirectory exists, this is a finding. If the "cfx" subdirectory exists, this is a finding. 2. From the Admin Console Landing Screen, navigate to Package Manager >> Packages. If the "gateway" subdirectory exists and the "eventgateways" package is not listed as installed, this is a finding. If the "gql" subdirectory exists and the "graphqlclient" package is not listed as installed, this is a finding.

Fix: F-83504r1170926_fix

Delete all sample directories not referenced by an installed package in each ColdFusion instance directory.

a

ColdFusion must have the CFSTAT feature disabled when not in use.

CM-7 - Low - CCI-000381 - V-279052 - SV-279052r1171523_rule

RMF Control

CM-7

Severity

L

CCI

Version

APAS-CF-000285

Vuln IDs

V-279052

Rule IDs

SV-279052r1171523_rule

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. ColdFusion offers the CFSTAT command-line utility to retrieve real-time performance metrics for the system. This feature uses a socket connection to obtain the metrics which can also be used by an attacker to observe privileged information about the system and must be disabled if not in use.

Checks: C-83600r1171522_chk

Verify the CFSTAT feature. From the Admin Console Landing Screen, navigate to Debug & Logging >> Debug Output Settings. If CFSTAT is not in use and "Enable CFSTAT" is checked, this is a finding.

Fix: F-83505r1171361_fix

Configure the CFSTAT feature. 1. From the Admin Console Landing Screen, navigate to Debug & Logging >> Debug Output Settings. 2. Uncheck "Enable CFSTAT". 3. Select "Submit Changes".

b

ColdFusion must disable the In-Memory File System.

CM-7 - Medium - CCI-000381 - V-279053 - SV-279053r1171525_rule

RMF Control

CM-7

Severity

M

CCI

Version

APAS-CF-000290

Vuln IDs

V-279053

Rule IDs

SV-279053r1171525_rule

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. ColdFusion offers an in-memory file system. This feature can be used to have dynamic code execute quickly which in turns enables an application to execute quicker. This feature can also be used by an attacker to execute dynamic code that is erased and unrecoverable on system reboot making forensic analysis impossible.

Checks: C-83601r1171524_chk

Verify the In-Memory File System setting. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If hosted applications are using the in-memory file system, this is not a finding. If "Enable In-Memory File System" is checked, this is a finding.

Fix: F-83506r1171364_fix

Configure the In-Memory File System setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Uncheck "Enable In-Memory File System". 3. Select "Submit Changes".

b

ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured.

CM-7 - Medium - CCI-000382 - V-279054 - SV-279054r1171443_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

APAS-CF-000300

Vuln IDs

V-279054

Rule IDs

SV-279054r1171443_rule

Some networking protocols may not meet organizational security requirements to protect data and components. ColdFusion may host a number of various features, such as the Administrator Console, data sources, and various services. These features all run on TCPIP ports and protocols. This creates the potential for the vendor or ColdFusion administrator to use port numbers or protocols that have been deemed unusable by the organization. When ports or protocols are used that are not secure or authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol. For a list of approved ports and protocols, reference the DOD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.

Checks: C-83602r1171442_chk

Verify that remote access to the ColdFusion Administrator Console is appropriately restricted and that all configured ports, including WebSocket configurations, comply with approved organizational policies. 1. Validate Access Scope to the Administrator Console. 2. Identify whether the ColdFusion Administrator Console is accessible via any IP address other than localhost. 3. If remote (nonlocalhost) access is possible, confirm whether the server is designated for remote administration. If remote access is enabled on a server intended for local administration only, this is a finding. 4. Confirm Administrator Console Port Compliance. Access the ColdFusion Administrator Console in a web browser. If the URL specifies a port number, verify the port is approved per organizational policy. If an unapproved port is used, this is a finding. 5. Review Data & Services Connection Ports. From the Admin Console Landing Screen, navigate to Data & Services. 6. For each tab, review port configurations for all connections and services. If any service is configured to use a nonapproved port, this is a finding.

Fix: F-83507r1170935_fix

Restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used, including WebSocket configurations, are approved and properly secured. If the ColdFusion server is to be administered locally only: 1. Locate the server.xml file for ColdFusion. Linux: <ColdFusion Install Directory>/runtime/conf/server.xml Windows: <ColdFusion Install Directory>\runtime\conf\server.xml 2. Create a backup copy of server.xml before making changes. 3. Edit the file and update all <Connector> tags for HTTP and HTTPS to include: address="127.0.0.1" (This restricts access to the local server only.) 4. Restart ColdFusion to apply the changes. 5. Verify that the ColdFusion Administrator Console is accessible only from the local server and not from any external IP addresses. 6. If local access is confirmed, remove the backup file to avoid configuration confusion. 7. For any "Data & Services" configurations using unapproved ports: a. Reconfigure all affected services or data connections to use approved ports in accordance with organizational policy. b. Save changes and restart services.

c

ColdFusion must be using an enterprise solution for authentication.

IA-2 - High - CCI-000765 - V-279055 - SV-279055r1171527_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000765

Version

APAS-CF-000310

Vuln IDs

V-279055

Rule IDs

SV-279055r1171527_rule

If ColdFusion is not integrated with an enterprise authentication solution, the system may rely on unmanaged local accounts that are difficult to monitor, audit, and control. This can lead to inconsistent password policies, outdated or orphaned credentials, and a lack of centralized visibility over user access. This STIG standard requires using LDAP as the enterprise authentication mechanism. LDAP integration ensures that authentication is managed through a centralized directory, allowing for strong password enforcement, account lifecycle management, role-based access control, and consolidated audit logging. Without LDAP integration, users may circumvent enterprise identity governance policies, increasing the risk of unauthorized access and administrative oversight gaps. Enterprise authentication also supports incident response and forensic analysis by enabling consistent tracking of user activities across systems. Relying on ColdFusion's internal authentication alone limits these capabilities and weakens the overall security posture. Integrating ColdFusion with an LDAP-based enterprise authentication service ensures alignment with DOD security standards, improves identity management, and reduces the risk of account compromise or privilege escalation. Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000118-AS-000078, SRG-APP-000120-AS-000080, SRG-APP-000133-AS-000092, SRG-APP-000148-AS-000101, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000506-AS-000231, SRG-APP-000163-AS-000111, SRG-APP-000705-AS-000110

Checks: C-83603r1171526_chk

Verify LDAP is in use. From the Admin Console Landing Screen, navigate to Security >> Administrator. If "External Authentication" is set to "NONE", this is a finding.

Fix: F-83508r1170938_fix

Configure LDAP. 1. From the Admin Console Landing Screen, navigate to Security >> Administrator >> External Authentication" tab. 2. Configure LDAP: - Select "LDAP" option. - Click "Edit LDAP Configuration". - Enter LDAP Details. - Click "SAVE". 3. If connection is verified, click "Submit Changes".

b

Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.

IA-2 - Medium - CCI-001941 - V-279056 - SV-279056r1171606_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

APAS-CF-000325

Vuln IDs

V-279056

Rule IDs

SV-279056r1171606_rule

Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data. Many web services use SOAP, which in turn uses XML and HTTP as a transport. Natively, SOAP does not provide security protections. Therefore, ColdFusion must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension. ColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.

Checks: C-83604r1171474_chk

Verify that web services using the SOAP protocol to access sensitive data are secured with WS-Security. 1. Determine Web Services Usage by interviewing the system administrator (SA), or reviewing relevant documentation, including: - Hosted application source code. - Application design documentation. - Published web services design documentation. - ColdFusion baseline documentation. 2. Evaluate Applicability. If no web services are published, this requirement is not a finding. If web services are published and the SOAP protocol is not used, this is not a finding. If SOAP is used and the data accessed is not sensitive, this requirement is not a finding. 3. Verify Security Controls. If web services are published using SOAP to access sensitive data: a. Confirm that WS-Security is implemented to provide secure authentication and protect the data. b. This may be verified by interviewing the administrator or reviewing the documentation sources listed above. If web services are published using SOAP to access sensitive data and WS-Security is not implemented, this is a finding.

Fix: F-83509r1170941_fix

Configure web services using the SOAP protocol to access sensitive data. 1. Install and configure the WS-Security suite to secure access to the sensitive data. 2. Ensure the configuration provides: - Authentication of service consumers. - Message integrity (e.g., via XML signatures). - Confidentiality (e.g., via encryption). 3. Update application and service documentation to reflect the WS-Security implementation.

b

ColdFusion must store only encrypted representations of passwords.

IA-5 - Medium - CCI-000196 - V-279057 - SV-279057r1171529_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000196

Version

APAS-CF-000335

Vuln IDs

V-279057

Rule IDs

SV-279057r1171529_rule

Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords.

Checks: C-83605r1171528_chk

Verify Proxy Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If a "Proxy Host" is provided with a "Proxy Username" and "Proxy Password", this is a finding.

Fix: F-83510r1170944_fix

Configure Proxy Settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Clear the "Proxy Host", Proxy UserName", and "Proxy Password" fields. 3. Select "Submit Changes".

b

ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources.

IA-5 - Medium - CCI-000197 - V-279058 - SV-279058r1171531_rule

RMF Control

IA-5

Severity

M

CCI

Version

APAS-CF-000345

Vuln IDs

V-279058

Rule IDs

SV-279058r1171531_rule

When data is transmitted between ColdFusion and the datasources without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including personal data, authentication credentials, and other confidential information. By requiring each of the data sources to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing using encryption for all datasource connections is essential for maintaining a secure server environment.

Checks: C-83606r1171369_chk

1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources. 2. For each "Connected NoSQL Data Source" configured, examine the settings and verify if encryption is enabled and properly configured for each data source connection. If any NoSQL data source is found without encryption enabled, this is a finding. If any NoSQL data source does not have "Enable SSL " checked, this is a finding.

Fix: F-83511r1171530_fix

1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources. 2. Make the necessary changes to the data source to use encryption. 3. Check " Enable SSL" checkbox. 4. Select "Submit".

b

ColdFusion must only transmit encrypted representations of passwords to the Solr Server.

IA-5 - Medium - CCI-000197 - V-279059 - SV-279059r1171533_rule

RMF Control

IA-5

Severity

M

CCI

Version

APAS-CF-000350

Vuln IDs

V-279059

Rule IDs

SV-279059r1171533_rule

Solr is an open-source search platform used for indexing and searching data. When data is transmitted between ColdFusion and the Solr Server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including search queries, indexing data, and other confidential information. By requiring the Solr Server connection to use encryption for data transmission, the ColdFusion server ensures that the data is protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing using encryption for all Solr Server connections is essential for maintaining a secure server environment.

Checks: C-83607r1171532_chk

If the Solr package is not installed, this is Not Applicable. Verify encryption to the Solr Server. From the Admin Console Landing Screen, navigate to Data & Services >> Solr Server. If the Solr Host Name is "localhost", this is not a finding. If the "Use HTTPS connection" setting is unchecked or "Solr Admin HTTPS Port" is zero, this is a finding.

Fix: F-83512r1171372_fix

If the Solr package is not installed, this finding is Not Applicable. Configure encryption to the Solr Server. 1. From the Admin Console Landing Screen, navigate to Data & Services >> Solr Server. 2. Check "Use HTTPS connection" checkbox. 3. Enter the Solr Admin HTTPS Port. 4. Select "Submit Changes".

b

ColdFusion must transmit only encrypted representations of passwords to the mail server.

IA-5 - Medium - CCI-000197 - V-279060 - SV-279060r1171535_rule

RMF Control

IA-5

Severity

M

CCI

Version

APAS-CF-000355

Vuln IDs

V-279060

Rule IDs

SV-279060r1171535_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion may use username/password to connect to a mail server. When this authentication method is used, it is important that the credentials be protected when transmitted by being encrypted. While TLS encryption is the preferred method by DOD, SSL can be used when the mail server does not offer any other method of encryption. Satisfies: SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237

Checks: C-83608r1171534_chk

If the "mail" package is not installed, this is Not Applicable. Verify Mail Service Configurations. From the Admin Console Landing Screen, navigate to Server Settings >> Mail. If no mail server is configured, this requirement is not a finding. If a username and password are required for authentication and "Enable TLS connection to mail server" is unchecked and "Enable SSL socket connects to mail server" is unchecked, this is a finding. If "Spool mail messages for delivery to" is unchecked, this is a finding. If "Connection Timeout (in seconds)" is set to greater than 15 seconds, this is a finding. If "Log all mail messages sent by ColdFusion" is not checked, this is a finding. If the default and recommended setting of "Warning" is not selected for error log severity, this is a finding.

Fix: F-83513r1171375_fix

If the "mail" package is not installed, this is Not Applicable. Configure Mail Service. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Mail. 2. Enable SSL/TLS: - If a username and password are required for authentication, check "Enable SSL socket connections to mail server" setting. - Check "Enable TLS connection to mail server" setting. 3. Mail Spool Settings: - Uncheck "Spool mail messages for delivery to" setting. 4. Set the "Connection Timeout(in seconds)" setting to 15 seconds or fewer. 5. Mail Logging Settings: - Check "Log all mail messages sent by ColdFusion setting. - Select "Warning" for Error Log Severity. 6. Select "Submit Changes" to save the new settings.

b

ColdFusion must only transmit encrypted representations of passwords to the caching server.

IA-5 - Medium - CCI-000197 - V-279061 - SV-279061r1171537_rule

RMF Control

IA-5

Severity

M

CCI

Version

APAS-CF-000360

Vuln IDs

V-279061

Rule IDs

SV-279061r1171537_rule

Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing with encryption for all Redis caching server connections is essential for maintaining a secure server environment.

Checks: C-83609r1171536_chk

Verify Redis Cache encryption. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. If the "Redis Server" setting is "localhost" or blank, this requirement is not a finding. If "Password" is blank, this is not a finding. If "Is SSL Enabled" is unchecked, this is a finding.

Fix: F-83514r1170956_fix

Configure Redis Cache encryption. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. 2. Enable encryption by checking "Is SSL Enabled". 3. Select "Submit Changes".

b

JVM Arguments must be configured for encryption.

IA-5 - Medium - CCI-000197 - V-279062 - SV-279062r1171539_rule

RMF Control

IA-5

Severity

M

CCI

Version

APAS-CF-000375

Vuln IDs

V-279062

Rule IDs

SV-279062r1171539_rule

Ensuring that ColdFusion transmits only encrypted representations of passwords to the proxy server is critical for maintaining the security and integrity of sensitive information. When passwords are transmitted in plain text, they are vulnerable to interception by unauthorized parties, which can lead to unauthorized access and potential data breaches. Encrypting passwords during transmission helps protect against these risks by ensuring that even if the data is intercepted, it cannot be easily deciphered and misused. By implementing encryption for password transmission to the proxy server, ColdFusion can safeguard user credentials and maintain the confidentiality and integrity of the data being transmitted. This practice aligns with best security practices and helps prevent unauthorized access to sensitive information.

Checks: C-83610r1171538_chk

Verify JVM Arguments are configured for encryption. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If any JVM Arguments contain the setting "Dhttp.proxyHost", this is a finding.

Fix: F-83515r1171378_fix

Configure JVM Arguments for encryption. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. In "JVM Arguments", enable encryption by changing any JVM Argument starting with "Dhttp.proxy" to "-Dhttps.proxy". 3. Select "Submit Changes". 4. Restart ColdFusion for the changes take effect.

b

ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification.

IA-5 - Medium - CCI-000186 - V-279063 - SV-279063r1171542_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

APAS-CF-000390

Vuln IDs

V-279063

Rule IDs

SV-279063r1171542_rule

Keystores and truststores are critical components in securing communication between applications and services. If ColdFusion is configured to use certificates that are not issued by a DOD-approved Certificate Authority (CA), the authenticity and trustworthiness of encrypted communications cannot be guaranteed. Accepting certificates from untrusted or self-signed sources introduces the risk of man-in-the-middle (MitM) attacks, unauthorized access, and spoofing. Keystore and truststore files contain sensitive cryptographic material, including private keys and trusted root certificates. If these files are not adequately protected at the file system level, unauthorized users may gain access and exploit them to impersonate services, decrypt communications, or alter trust relationships. Insecure permissions may also allow modification of trusted CAs, weakening the system's ability to verify legitimate certificates. Restricting keystore usage to DOD-approved certificates and enforcing strict file-level access controls helps ensure data confidentiality, integrity, and authenticity. It also aligns with DOD PKI requirements and mitigates the risk of compromise through unauthorized certificate usage or tampering with trust anchors. Satisfies: SRG-APP-000176-AS-000125, SRG-APP-000175-AS-000124, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137

Checks: C-83611r1171540_chk

Verify Keystore Location and Permission. 1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket. 2. If the "Use Built-in WebSocket Server" option is selected and the "SSL Port" is checked, make note of the keystore path and filename. 3. From the Admin Console Landing Screen, navigate to Server Settings >> Mail. 4. If "Sign the mail" is checked, record the keystore path and filename. 5. Review JVM truststore settings by navigating to Server Settings >> Java and JVM. 6. Check if JVM Arguments include a truststore setting. For example: -Djavax.net.ssl.trustStore=/path/to/truststore 7. If present, record the truststore path and filename. 8. If the "JVM Arguments" does not contain a truststore setting, note the path and file name of the default "cacerts" file (found under the directory "Java Virtual Machine Path" settings' subdirectory \lib\security). 9. In each of the ColdFusion instances <ColdFusion_Installation_Directory>\cfusion\runtime\conf, open the server.xml file. Verify all uncommented connector tags for the word "keystorefile". 10. Record any keystore path and filename. 11. For the keystore/ truststore used, use the keytool command to display the CA certificates for the defined keystore/truststore: keytool -list -keystore <trust/key store location> If there are no certificates issued by a CA that is part of the DOD PKI/PKE, this is a finding. 12. Verify Permissions on each keystore/truststore file: a. For Windows: The file permissions must grant Full Control only to the Administrators group and the account running the ColdFusion service. No other users or groups should have permissions. If additional permissions are present, this is a finding. b. For Linux: File permissions must be 640 or more restrictive. The owner must be root, and the group must include the ColdFusion runtime user. If permissions are more permissive than listed above, this is a finding.

Fix: F-83516r1171541_fix

Configure Keystore Location and Permission. 1. For all untrusted certificates identified, execute the following command: C:\ColdFusion2023\jre\bin\keytool -delete -alias "<certificate alias>" -keystore <keystorefile> 2. Follow the platform-specific steps below to remediate permissions. ColdFusion Running on Windows: a. Right-click the keystore or truststore file and select "Properties". b. Click the Security tab and then click "Advanced". c. In the Permissions tab, click "Disable" inheritance. Select "Remove all inherited permissions from this object". d. Click "Add". e. In the Permission Entry dialog, click "Select a principal". Enter the user account running the ColdFusion service. Assign Read permission and then click "OK". f. Click "Add" again. Click "Select a principal". Enter the Administrators group. Assign Full Control and then click "OK". g. Replace all child object permission entries with inheritable permission entries from this object. h. Click "OK" to apply the changes. Result: Only the Administrators group (Full Control) and the ColdFusion service account (Read) have access. No other permissions remain. ColdFusion Running on Linux: a. For each keystore or truststore file identified, run the following commands (adjust paths and group names as appropriate): chown root:<cfusion_group> /path/to/keystorefile chmod 640 /path/to/keystorefile Example: chown root:cfgroup /opt/coldfusion2023/jre/lib/security/cacerts chmod 640 /opt/coldfusion2023/jre/lib/security/cacerts Result: Owner is root. Group is the group that includes the ColdFusion runtime user. Permissions are 640 (read/write for owner, read for group, none for others). b. Restart ColdFusion to ensure that it starts without error. c. Verify secure mail and WebSocket connections continue to function. d. Recheck the Admin Console settings to confirm no keystore paths were altered unintentionally.

b

The ColdFusion Administrator Console must be hosted on a management network.

SC-2 - Medium - CCI-001082 - V-279064 - SV-279064r1171544_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

APAS-CF-000420

Vuln IDs

V-279064

Rule IDs

SV-279064r1171544_rule

ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the hosted application environment enforces a strong security boundary, requiring users to authenticate with privileged credentials before gaining access to management functionality. This separation ensures that nonprivileged users—such as application users—are not presented with administrative interfaces or options, effectively reducing the attack surface and minimizing the potential for privilege escalation. Restricting visibility into administrative functions also limits the exposure of sensitive configuration details. In the event a nonprivileged account is compromised, the attacker gains no insight into ColdFusion's management features or internal architecture, impeding reconnaissance efforts and slowing down the progression of an attack. Hosting the Administrator Console on a dedicated management network ensures the console is accessible only from authorized administrative devices, isolates it from the application traffic and users, and reduces the risk of accidental exposure. Management networks also enforce encryption and strict access controls, providing additional protection against data leakage and unauthorized access to ColdFusion's administrative interface.

Checks: C-83612r1171543_chk

Access the Administrator Console via a web browser. Record the IP address used to reach the console. Review the network diagram for the site to verify that this IP address belongs to a dedicated management network that is segmented from any public or production networks. If the Administrator Console is not hosted on a management network separate from the public network, this is a finding.

Fix: F-83517r1170965_fix

Host the ColdFusion Administrator Console on a management network.

b

ColdFusion must have sandboxes enabled and defined.

SC-2 - Medium - CCI-001082 - V-279065 - SV-279065r1171383_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

APAS-CF-000425

Vuln IDs

V-279065

Rule IDs

SV-279065r1171383_rule

ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks. Isolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server. This architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities. Satisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237

Checks: C-83613r1170967_chk

Verify Sandbox Security. 1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security. 2. The Administrator Console must have a sandbox separate from the other hosted applications. If there are no sandboxes implemented for the Administrator Console, this is a finding. 3. Sandboxes must be set up for all other hosted applications. If there are no sandboxes implemented for other hosted applications, this is a finding. If the "Enable ColdFusion Sandbox Security" is not checked, this is a finding.

Fix: F-83518r1170968_fix

Configure Sandbox Security. 1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security. 2. Check the "Enable ColdFusion Sandbox Security". 3. Create sandboxes for the applications. 4. Create a sandbox for the Administrator Console. 5. Select "Submit Changes".

b

ColdFusion must separate the hosted application from the web server.

SC-2 - Medium - CCI-001082 - V-279066 - SV-279066r1171607_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

APAS-CF-000430

Vuln IDs

V-279066

Rule IDs

SV-279066r1171607_rule

Separating hosted ColdFusion applications from the web server is critical for enforcing strong access control and minimizing the risk of unauthorized access to sensitive server components. When hosted applications and the web server operate within the same execution context or process space, vulnerabilities in one can directly compromise the other. Separating the hosted application logic from the core web server components limits the application's access to only the resources it requires. This containment ensures that application-level vulnerabilities cannot be easily escalated to affect the broader server environment. It also allows for more granular security controls, input validation, and auditing. This separation supports defense-in-depth by establishing clear trust boundaries between application and server functions. It enforces the principle of least privilege, protects critical infrastructure from exploitation.

Checks: C-83614r1171300_chk

If a separate web server is used for hosted applications, requirement is Not Applicable. 1. From the Admin Console Landing Screen., navigate to Enterprise Manager >> Instance Manager. If all of the hosted applications have their own instance(s) under "Available Servers", this is not a finding. If neither web servers nor separate instances are being used, this is a finding.

Fix: F-83519r1171384_fix

If a separate web server is used for hosted applications, requirement is Not Applicable. 1. Set up the web server. For Linux: Execute the Web Server Configuration tool. In the ColdFusion install folder, find: <ColdFusion_Installation_Directory> /cfusion/runtime/bin/wsconfig For Windows: In the ColdFusion install folder, find: <ColdFusion_Installation_Directory> \cfusion\runtime\bin\wsconfig.exe 2. In the tool, click "Add". 3. Provide the application server host, instance, and cluster. 4. Enter the appropriate Web Server Properties. 5. Select "OK". 6. Set up separate instances. a. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Instance Manager. b. Select "Add New Instance". c. Enter a server name. d. Choose a directory. e. Select "Submit".

b

ColdFusion must be configured to mutually authenticate connecting proxies and load balancers.

SC-23 - Medium - CCI-001184 - V-279067 - SV-279067r1171547_rule

RMF Control

SC-23

Severity

M

CCI

CCI-001184

Version

APAS-CF-000445

Vuln IDs

V-279067

Rule IDs

SV-279067r1171547_rule

Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication helps verify the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of these certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access.

Checks: C-83615r1171545_chk

Validate SSL Certificate. 1. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding. 2. Identify each ColdFusion IP address that is served by a load balancer or proxy. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 3. Open the server.xml file in a text editor and review each <Connector> element for the address setting and the clientAuth setting. If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding. 4. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml 5. Open the web.xml file in a text editor. If "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>" is not present under the web-app tag, this is a finding.

Fix: F-83520r1171546_fix

Configure SSL Certificate. For server.xml: 1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Before making changes, back up the file to prevent accidental misconfiguration. 3. Open server.xml in a text editor with administrative privileges. For web.xml: 1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml 2. Before making changes, back up the file to prevent accidental misconfiguration. 3. Open web.xml in a text editor with administrative privileges. 4. Ensure the <login-config><auth-method>CLIENT-CERT</auth-method></login-config> is present under the web-app tag. 5. Save and close the file. Restart ColdFusion to apply the changes.

c

ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator.

SC-23 - High - CCI-001188 - V-279068 - SV-279068r1172825_rule

RMF Control

SC-23

Severity

H

CCI

CCI-001188

Version

APAS-CF-000465

Vuln IDs

V-279068

Rule IDs

SV-279068r1172825_rule

ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows the application to track the communications along with credentials that may have been used to authenticate users or modules. Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.

Checks: C-83616r1171548_chk

Review the random number generator for generating session identifiers. 1. Locate the java.security file for the Java Runtime Environment (JRE) used by ColdFusion located at: <ColdFusion_Installation_Directory>\jre\conf\security\java.security 2. Open the java.security file in a text editor. 3. Locate the following setting: securerandom.strongAlgorithms 4. Verify that the value includes a FIPS 140-2/140-3 or higher approved random number generator. For example: securerandom.strongAlgorithms=DRBG:SUN If the securerandom.strongAlgorithms setting does not exist or does not specify a FIPS 140-2/140-3 or higher approved algorithm, this is a finding.

Fix: F-83521r1172824_fix

Configure the random number generator for generating session identifiers. 1. Open the java.security file located at: <ColdFusion_Installation_Directory>\jre\conf\security\java.security 2. Locate or add the securerandom.strongAlgorithms property and configure it to use a FIPS-approved RNG. For example: securerandom.strongAlgorithms=DRBG:SUN 3. Save the file and restart ColdFusion to apply changes.

b

ColdFusion systems must provide clustering.

SC-24 - Medium - CCI-001190 - V-279069 - SV-279069r1171551_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001190

Version

APAS-CF-000475

Vuln IDs

V-279069

Rule IDs

SV-279069r1171551_rule

Clustering enables ColdFusion to distribute workloads across multiple application server instances, providing load balancing, session replication, and failover capabilities. Without clustering, ColdFusion operates as a single point of failure. Clustering ensures service continuity by allowing traffic to be rerouted to healthy nodes in the event of a failure. It also enhances performance by distributing resource-intensive operations across multiple servers, reducing response times and increasing application scalability. This capability supports the organization's high availability and disaster recovery objectives by reducing the risk of downtime or service degradation. Clustering supports secure session management by enabling session failover and persistence. This helps maintain user experience and security during node transitions, ensuring continuity of authenticated sessions without requiring users to reauthenticate. ColdFusion must be capable of supporting clustering to meet enterprise availability requirements, enable horizontal scaling, and ensure that critical applications remain resilient under varying load and failure conditions. Satisfies: SRG-APP-000225-AS-000154, SRG-APP-000435-AS-000069

Checks: C-83617r1171550_chk

Verify that systems are configured to support redundancy through clustering or load balancing. 1. Confirm whether the system is designated as mission critical and requires high availability. 2. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Cluster Manager. 3. Verify clusters are defined and each cluster includes more than one server. 4. If no clusters are defined or a cluster contains only one server, interview the system administrator to determine whether the server is part of an external load balancer configuration. 5. Verify that the load balancer includes multiple backend servers for redundancy. If the system is mission critical and no clusters are configured, and the server is not part of an external load balancer with more than one backend server, this is a finding.

Fix: F-83522r1171389_fix

If using an external load balancer, configure and associate multiple servers behind the load balancer to ensure redundancy and high availability. 1. Confirm that the load balancer distributes traffic across all configured servers. If using ColdFusion clustering capabilities, from the Admin Console Landing Screen, navigate to Enterprise Manager >> Cluster Manager. 2. Enter a Cluster Name and click "Add". 3. Under "Actions", click the Edit icon for the new cluster. 4. Add the required servers to the cluster configuration. 5. Click "Submit" to save the cluster. 6. Edit an Existing Cluster (if applicable). Under "Actions", click the Edit icon next to the existing cluster. 7. Add additional servers to ensure the cluster contains more than one server. 8. Click "Submit" to update the configuration.

b

ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.

SC-28 - Medium - CCI-001199 - V-279070 - SV-279070r1172833_rule

RMF Control

SC-28

Severity

M

CCI

CCI-001199

Version

APAS-CF-000490

Vuln IDs

V-279070

Rule IDs

SV-279070r1172833_rule

ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations. Timely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred. SIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity. Satisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130

Checks: C-83618r1172831_chk

Verify SIEM. 1. On the host server, for each of the ColdFusion instances installed, verify /etc/rsyslog.d/101-<instance name>.conf exists and contains the following contents: module(load="imfile" PollingInterval="10") input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/audit.log" Tag="audit" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/http.log" Tag="http" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/mail.log" Tag="mail" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/monitor.log" Tag="monitor" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/server.log" Tag="server" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/usagedata.log" Tag="usagedata" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/update.log" Tag="update" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/application.log" Tag="application" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/exception.log" Tag="exception" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/reporting.log" Tag="reporting" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/axis2.log" Tag="axis2" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/eventgateway.log" Tag="eventgateway" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/license.log" Tag="license" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/security.log" Tag="security" Facility="<instance name>") input(type="imfile" File="<CF install path>/<instance name>/logs/webservice.log" Tag="webservice" Facility="<instance name>") If the file contents do not monitor all logs in <CF install path>/<instance name>/logs, this is a finding. 2. Inspect /etc/rsyslog.conf or the files in /etc/rsyslog.d/. If there is no forwarding action with type="omfwd", the rsyslog destination is not configured to send logs to a valid syslog server and this is a finding. For additional information, refer to https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/.

Fix: F-83523r1172832_fix

Configure SIEM. 1. Create /etc/rsyslog.d/101-<instance name>.conf for each of the configured ColdFusion instances with these contents, ensuring the final line points to a valid syslog server. Example: module(load="imfile" PollingInterval="10") cat > /etc/rsyslog.d/101-cfusion.conf << EOF module(load="imfile" PollingInterval="10") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/audit.log" Tag="audit" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/http.log" Tag="http" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/mail.log" Tag="mail" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/monitor.log" Tag="monitor" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/server.log" Tag="server" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/usagedata.log" Tag="usagedata" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/update.log" Tag="update" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/application.log" Tag="application" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/exception.log" Tag="exception" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/reporting.log" Tag="reporting" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/axis2.log" Tag="axis2" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/eventgateway.log" Tag="eventgateway" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/license.log" Tag="license" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/security.log" Tag="security" Facility="cfusion") input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/webservice.log" Tag="webservice" Facility="cfusion") 2. Add the following to /etc/rsyslog.conf: *.* action(type="omfwd" target="<remote rsyslog IP address>" port="10514" protocol="tcp") 3. Restart rsyslog to apply changes: sudo systemctl restart rsyslog.

b

ColdFusion must have the Tomcat DefaultServlet debug parameter disabled.

SI-11 - Medium - CCI-001312 - V-279071 - SV-279071r1171608_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

APAS-CF-000510

Vuln IDs

V-279071

Rule IDs

SV-279071r1171608_rule

Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team. The release of Tomcat that comes with ColdFusion can be configured to output Tomcat-specific debug messages. If left enabled, these settings can expose sensitive data within error and log messages.

Checks: C-83619r1171556_chk

Review the debug parameter for the DefaultServlet and verify it is disabled. 1. Locate the web.xml file for each ColdFusion instance located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml 2. Open the web.xml file in a text editor. 3. Search for the following servlet definition: <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> 4. Within this block, locate the <init-param> with the <param-name>debug</param-name> element. 5. Verify the corresponding <param-value> is set to 0. For example: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> If the debug parameter is set to any value other than 0, or is not explicitly defined, this is a finding.

Fix: F-83524r1171557_fix

Configure DefaultServlet to disable debug output. 1. Open the web.xml file located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml 2. Locate the DefaultServlet definition and ensure the debug parameter is set as follows: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> 3. Save the changes and restart ColdFusion to apply the configuration.

b

The ColdFusion error messages must be restricted to only authorized users.

SI-11 - Medium - CCI-001314 - V-279072 - SV-279072r1170990_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

APAS-CF-000535

Vuln IDs

V-279072

Rule IDs

SV-279072r1170990_rule

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by ColdFusion. All application server users' accounts are used for the management of the server and the applications residing on ColdFusion. All accounts are assigned to a certain role with corresponding access rights. ColdFusion must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. ColdFusion will usually create new log files as needed and must take steps to ensure that the proper file permissions are used when the log files are created. Satisfies: SRG-APP-000267-AS-000170, SRG-APP-000033-AS-000024, SRG-APP-000090-AS-000051, SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237

Checks: C-83620r1170988_chk

Verify User Roles and Services. 1. From the Admin Console Landing Screen, navigate to Security >> User Manager. 2. Review the roles assigned to each user against the information system security manager (ISSM)-approved list of user accounts and roles to determine if any user has excessive authorization. If users exist that are not approved by the ISSM, this is a finding. If any user has roles assigned that are not approved by the ISSM, this is a finding. 3. Review each defined user and ask the system administrator (SA) if the user must have access the following roles: - Debugging and Logging >>Logging. - Data & Services >> Data Sources. - Server Settings. If any users have any of these roles that should not, this is a finding. 4. Review each defined user by using the Edit function. For each user that has values for "Allowed Services", validate with the SA that the user must have remote access to each service. If there are any users with services that are not required to perform the users' duties, this is a finding.

Fix: F-83525r1170989_fix

Configure User Roles and Services. 1. From the Admin Console Landing Screen, navigate to Security >> User Manager. 2. Remove any user not approved by the information system security officer (ISSO)/ISSM. 3. Enable only those roles for each user approved by the ISSO/ISSM. 4. Remove the following roles from each user that should not have access to them: - Debugging and Logging >>Logging. - Data & Services >> Data Sources. - Server Settings. 5. Only assign services to those users who require access and only assign those services that are required to perform the user's duties.

b

ColdFusion must set a maximum session timeout value.

SC-5 - Medium - CCI-002385 - V-279073 - SV-279073r1171560_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000555

Vuln IDs

V-279073

Rule IDs

SV-279073r1171560_rule

An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, ColdFusion must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting systemwide for session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. A maximum setting is provided to control how large a developer can set the timeout.

Checks: C-83621r1170991_chk

Validate the Session Variable Timeout configuration. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Under the "Maximum Timeout" section, locate the setting for "Session Variables". If the timeout value for Session Variables is set to greater than 1 hour, this is a finding.

Fix: F-83526r1171559_fix

Configure the Session Variable Timeout configuration. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Under the "Maximum Timeout" section, locate the setting for "Session Variables". 3. Set the "Session Variables" to "1" hour or fewer. 4. Select "Submit Changes".

b

ColdFusion must control remote access to the Administrator Console.

AC-17 - Medium - CCI-002314 - V-279074 - SV-279074r1171609_rule

RMF Control

AC-17

Severity

M

CCI

CCI-002314

Version

APAS-CF-000580

Vuln IDs

V-279074

Rule IDs

SV-279074r1171609_rule

Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by logging connection activities of remote users. By default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e., single password, separate username and password per user, or no authentication needed), any user from any network can access the console and make changes to the server configuration relying only on the authentication method configured for the installation. By limiting the IP addresses that can connect, the administration console can be hosted to a management network and only accessed via that network, further reducing the exposure of the Administrator Console.

Checks: C-83622r1171561_chk

Verify Allowed IP Addresses for Console. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. If the list of allowed IP addresses is blank (NULL), is set to a wildcard value, or contains IP addresses/subnets that should not have access, this is a finding.

Fix: F-83527r1171562_fix

Configure Allowed IP Addresses for Console. 1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. 2. Add allowed IP addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories (only IP addresses or subnets that should be capable of reaching the Administrator Console). 3. Remove any IP addresses that are blank (NULL) or set to a wildcard value.

c

ColdFusion must control remote access to Exposed Services.

AC-17 - High - CCI-002314 - V-279075 - SV-279075r1171564_rule

RMF Control

AC-17

Severity

H

CCI

CCI-002314

Version

APAS-CF-000585

Vuln IDs

V-279075

Rule IDs

SV-279075r1171564_rule

ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access. Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237

Checks: C-83623r1170997_chk

Verify Allowed IP Addresses for Exposed Services. 1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. 2. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the system administrator (SA) that the IP addresses and subnets specified require access. If an unauthorized Subnets/IP address or wildcard value is present, this is a finding.

Fix: F-83528r1171393_fix

Configure Allowed IP Addresses for Exposed Services. 1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. Only those IP addresses or subnets that have access to Exposed Services must be listed. 2. Remove any IP addresses that are blank (NULL) or set to a wildcard value.

a

ColdFusion must allocate log record storage capacity.

AU-4 - Low - CCI-001849 - V-279076 - SV-279076r1172835_rule

RMF Control

AU-4

Severity

L

CCI

CCI-001849

Version

APAS-CF-000610

Vuln IDs

V-279076

Rule IDs

SV-279076r1172835_rule

Proper management of log records not only dictates proper archiving processes and procedures be established, but it also requires allocating enough storage space to maintain the logs online for a defined period of time. If adequate online log storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected. It is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on ColdFusion until they can be archived to a log system or, in some instances, a Storage Area Network (SAN). Regardless of the method used, log record storage capacity must be sufficient to store log data when the data cannot be off-loaded to a log system or a SAN. ColdFusion handles logs by allowing the administrator to specify a log file size and how many archives to keep online. This allows the administrator to correctly size the storage needed to meet the requirements of the organization for how log audit files should be available online and configure the storage needed to meet the requirement before off-loading archives to offline storage.

Checks: C-83624r1171565_chk

Review the ColdFusion log configuration to verify sufficient storage is allocated for log records and that log data will not exceed available space. 1. From the ColdFusion Admin Console landing screen, navigate to Debugging & Logging >> Logging Settings. 2. Locate the following settings: - Log directory: Note the location where logs are written. - Maximum number of archives: Note the value configured. - Maximum file size (in kilobytes): Note the value configured. 3. Next, navigate to Debugging & Logging >> Log Files. 4. Count the number of log files currently present. 5. Calculate the total potential storage consumption using the following formula: (Maximum number of archives) × (Maximum file size in KB) × (Number of log files) 6. Compare this value to the total available space on the storage volume where the log directory resides. If the calculated potential log storage exceeds the available storage for the log directory, this is a finding.

Fix: F-83529r1172834_fix

Configure ColdFusion to allocate log record storage capacity that does not exceed the available space on the log directory's storage volume. 1. From the ColdFusion Admin Console landing screen, navigate to Debugging & Logging >> Logging Settings. 2. Review and adjust the following settings: - Maximum number of archives. - Maximum file size (in kilobytes). 3. Ensure the calculated total log storage remains within the available storage space of the log directory. 4. Optionally, relocate the log directory to a volume with greater capacity if needed. 5. Save changes and monitor log growth over time to verify compliance.

b

ColdFusion must record time stamps for log records that can be mapped system time.

AU-8 - Medium - CCI-001890 - V-279077 - SV-279077r1171570_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

APAS-CF-000640

Vuln IDs

V-279077

Rule IDs

SV-279077r1171570_rule

Using a consistent time standard such as UTC or GMT for the internal clock of ColdFusion is crucial for maintaining accurate and reliable system logs. This consistency is essential for correlating events across different systems and networks, especially in environments where systems are geographically dispersed. If the internal clock is not set to a standard time, it can lead to discrepancies in log files, making it difficult to trace and investigate security incidents. Additionally, using a nonstandard time setting can complicate the synchronization of time-sensitive operations and affect the overall security posture of ColdFusion. Therefore, setting the internal clock to UTC or GMT helps ensure the integrity and reliability of system logs and enhances the ability to detect and respond to security events effectively.

Checks: C-83625r1171568_chk

Verify JVM Arguments for Time zone. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If the JVM argument -"Duser.timezone=<TIMEZONE>" cannot be found , this is a finding.

Fix: F-83530r1171569_fix

Configure JVM Arguments for Time zone. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. Add the argument as: "Duser.timezone=<TIMEZONE>" (If the parameter is already defined, change the setting to "<TIMEZONE>".) 3. Select "Submit Changes".

b

For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

IA-5 - Medium - CCI-001991 - V-279078 - SV-279078r1172827_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001991

Version

APAS-CF-000680

Vuln IDs

V-279078

Rule IDs

SV-279078r1172827_rule

Ensuring that for PKI-based authentication, ColdFusion implements a local cache of revocation data is essential for maintaining the security and integrity of the authentication process. PKI relies on the ability to verify the validity of certificates, which includes checking for certificate revocation. If the system cannot access revocation information via the network, it may be unable to determine whether a certificate is still valid, potentially allowing the use of compromised or revoked certificates. By implementing a local cache of revocation data, ColdFusion can support path discovery and validation even when network access to revocation information is unavailable. This practice helps ensure that the system can continue to verify the validity of certificates and maintain the security of the authentication process. It aligns with best security practices and helps prevent unauthorized access to sensitive information.

Checks: C-83626r1171572_chk

Verify ColdFusion is configured to support certificate revocation checking using locally cached Certificate Revocation Lists (CRLs). 1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml. 2. Open the server.xml file in a text editor. 3. Identify all <Connector> elements that are configured for SSL. Within each <Connector>, check for an embedded <SSLHostConfig> element. 4. Review the <SSLHostConfig> element for the presence of one of the following attributes: certificateRevocationListFile certificateRevocationListPath (These attributes specify the location of locally cached CRL files that will be used for certificate revocation checking.) If no <SSLHostConfig> is present, or if neither certificateRevocationListFile nor certificateRevocationListPath is configured, this is a finding.

Fix: F-83531r1172826_fix

Configure ColdFusion to use a locally cached CRL for certificate revocation checking. 1. Open the server.xml file located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 2. Locate each <Connector> element configured for SSL. 3. Ensure an <SSLHostConfig> element is present and includes one of the following attributes: certificateRevocationListFile="<path_to_crl_file>" certificateRevocationListPath="<path_to_crl_directory>" Example: <SSLHostConfig> <Certificate certificateKeystoreFile="..." type="RSA" /> <CertificateRevocation certificateRevocationListFile="/opt/cf/crl/mycrl.pem" /> </SSLHostConfig> 4. Save the file and restart ColdFusion to apply the changes.

b

ColdFusion must set Request Tuning configurations.

SC-5 - Medium - CCI-002385 - V-279079 - SV-279079r1171576_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000735

Vuln IDs

V-279079

Rule IDs

SV-279079r1171576_rule

To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within ColdFusion framework. Report threads are used to process reports concurrently. Since reporting in most applications is a process that is not time sensitive or heavily used, this setting should be minimized to minimize resource use on ColdFusion and to minimize a method that could be used to exhaust resources by an attacker. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.

Checks: C-83627r1171575_chk

Verify Request Tuning Configurations. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. If "Maximum number of simultaneous Report threads" is not set to "1", this is a finding. If the "Maximum number of simultaneous Template requests" is not set to the maximum number of requests (or 24, whichever is higher), this is a finding. If "Timeout requests waiting in queue after" setting is higher than "5", this is a finding. 2. Validate that "Request Queue Timeout Page" is set to a valid and custom page. If "Request Queue Timeout Page" is blank or is set to "/CFIDE/administrator/templates/request_timeout_error.cfm", this is a finding. 3. Validate the file exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory. For example, if the web servers' document root is /opt/webserver/wwwroot and the "Request Queue Timeout Page" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm. If the "Request Queue Timeout Page" setting is not set to a valid page, this is a finding.

Fix: F-83532r1171305_fix

Set Request Tuning Configurations. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Set "Maximum number of simultaneous Report threads" to "1". 3. Set "Maximum number of simultaneous Template requests" to the appropriate amount or 24, whichever is higher. 4. Set "Timeout requests waiting in queue after" to "5" or fewer. 5. Set "Request Queue Timeout Page" to a custom and valid page. 6. Select "Submit Changes".

b

ColdFusion must limit the maximum number of threads available for CFTHREAD.

SC-5 - Medium - CCI-002385 - V-279080 - SV-279080r1171402_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000740

Vuln IDs

V-279080

Rule IDs

SV-279080r1171402_rule

Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within ColdFusion framework. The CFTHREAD service allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned. If set too high, this may lead to a context-switching situation. When this feature is not in use, the maximum number of threads must be 1.

Checks: C-83628r1171012_chk

Verify that CFTHREAD settings are appropriately configured when threading is not used by hosted applications. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Confirm with the administrator whether any hosted applications are using CFTHREAD for multithreading. If CFTHREAD is in use, this is not a finding. 3. If CFTHREAD is not used, verify that "Maximum number of threads available for CFTHREAD" is set to "1" to effectively disable threading. If CFTHREAD is not used, and the "Maximum number of threads available for CFTHREAD" is set to a value other than "1", this is a finding.

Fix: F-83533r1171401_fix

Configure CFTHREAD settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Set Maximum number of threads available for CFTHREAD to "1" to disable unnecessary threading. 3. Click "Submit Changes".

b

ColdFusion must limit the maximum number of Web Service requests.

SC-5 - Medium - CCI-002385 - V-279081 - SV-279081r1171481_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000745

Vuln IDs

V-279081

Rule IDs

SV-279081r1171481_rule

Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. Web services are common targets for automated attacks, excessive load, or abuse through scripted queries and recursive payloads. If there is no limit on the number of web service requests a ColdFusion server will process, an attacker may overwhelm system resources such as memory, CPU, or network bandwidth, leading to service disruption. Limiting the maximum number of allowable web service requests per session, per client, or per time interval helps enforce resource control, prevent abuse, and maintain application availability. It also ensures that ColdFusion can prioritize legitimate traffic and maintain performance under heavy load. Applying limits on web service request volume reduces the attack surface and aligns with secure coding practices by ensuring application functionality is intentionally constrained to support operational requirements without exposing the system to unnecessary risk.

Checks: C-83629r1171015_chk

Determine Web Services usage. 1. Interview the system administrator (SA), and/or review any of the following documentation: - Hosted application source code. - Hosted application design documentation. - Published web services design documentation. - ColdFusion baseline documentation. 2. Confirm whether Web Services are published by any hosted applications. If Web Services are being published, this requirement is not a finding. 3. If Web Services are not being published, from the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 4. Locate the "Maximum number of simultaneous Web Service requests" setting and verify the value is set to "1". If Web Services are not in use and the value is not set to "1", this is a finding.

Fix: F-83534r1171016_fix

Configure Web Services usage. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Locate the "Maximum number of simultaneous Web Service requests" setting. 3. Set the value to "1" to prevent unnecessary web service threads. 4. Click "Submit Changes" to save the configuration.

b

ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests.

SC-5 - Medium - CCI-002385 - V-279082 - SV-279082r1171310_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000750

Vuln IDs

V-279082

Rule IDs

SV-279082r1171310_rule

CFCs enable modular development by exposing functions that can be called locally or remotely. If the number of allowable CFC function requests is not limited, the application becomes vulnerable to abuse through excessive or malicious input. Attackers can exploit this by sending high volumes of CFC requests to exhaust server resources resulting in degraded performance or denial-of-service (DoS) conditions. Unrestricted access to CFC methods may also provide a path for attackers to probe the application for vulnerabilities, perform automated enumeration, or repeatedly invoke resource-intensive functions. This not only disrupts service availability but also increases the risk of lateral movement and further compromise within the application. Enforcing a limit on the number of allowable CFC function requests per session, per user, or per time period helps prevent resource exhaustion and supports predictable application behavior under load. If this feature is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When the feature is not in use, the maximum number must be set to 1.

Checks: C-83630r1171309_chk

Determine whether CFC functions are being called directly over HTTP or HTTPS by any hosted application. This can be verified by interviewing the system administrator (SA); or reviewing application source code, design documentation, or ColdFusion baseline documentation. If CFC requests are used by hosted applications, this is not a finding. 1. If CFC requests are not used by hosted applications, from the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Verify " Maximum number of simultaneous CFC function requests" is set to "1". If CFC requests are not used by hosted applications and the "Maximum number of simultaneous CFC function requests" is not set to "1", this is a finding.

Fix: F-83535r1171019_fix

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Set "Maximum number of simultaneous CFC function requests" to "1". 3. Click "Submit Changes".

b

ColdFusion must configure Data Sources to limit SQL command and configure timeout.

SC-5 - Medium - CCI-002385 - V-279083 - SV-279083r1171449_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000755

Vuln IDs

V-279083

Rule IDs

SV-279083r1171449_rule

Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data. Failing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users. Limiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions. Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120

Checks: C-83631r1171021_chk

Verify that all defined data sources are configured. 1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources. 2. Determine if any data sources are defined. If no data sources are defined, this is not a finding. 3. For each Connected Data Source, edit the data source by clicking "Show Advanced Settings" to display all configuration options. 4. Check whether the data source provides an option to specify a query timeout. If the query timeout setting is not available, this is not a finding. 5. If the query timeout setting is available, verify that the value is not set to "0", which indicates no timeout. If any data source has a query timeout configured with a value of "0", this is a finding. 6. Review "Login Timeout (sec)". If there are any data sources with a "Login Timeout (sec)" set higher than 5, this is a finding. If any of the data sources have CREATE, GRANT, DROP, REVOKE or ALTER checked, this is a finding.

Fix: F-83536r1171448_fix

Configure data sources. 1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources. 2. For each data source, edit the data source configuration: a. Click "Show Advanced Settings" to display all options. b. If the query timeout parameter is available, set the timeout value to a number greater than 0 to ensure queries do not run indefinitely. c. Set "Login Timeout (sec)" to less than 5. d. Uncheck the options allowing SQL commands: CREATE GRANT DROP REVOKE ALTER d. Click "Submit" to save changes.

b

ColdFusion must not store user information in the server registry.

SC-5 - Medium - CCI-002385 - V-279084 - SV-279084r1171578_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000760

Vuln IDs

V-279084

Rule IDs

SV-279084r1171578_rule

Client variables in ColdFusion are used to persist user-specific information between requests and sessions. If the default storage mechanism for these client variables is set to the Windows registry, it introduces a number of security and performance risks. The Windows registry is not designed for high-frequency, dynamic data storage and lacks adequate security controls for storing sensitive session data. Storing client variables in the registry increases the risk of unauthorized access or data corruption, especially in environments where multiple services or users share access to the system. Improper configuration of the client variable purge interval can lead to excessive accumulation of stale data. If outdated session data is not purged in a timely manner it may result in degraded system performance, resource exhaustion, or inadvertent exposure of residual user data. Ensuring that client variables are stored in a more secure and scalable location (e.g., database or in-memory store) and that the purge interval is properly configured helps protect user data, improve system performance, and reduce the attack surface of the ColdFusion application environment.

Checks: C-83632r1171577_chk

Verify Client Variable Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Client Variables. If the default storage mechanism for client sessions is set to "Registry", this is a finding. If the "Purge Interval" is not set to 1 hour and 7 minutes, this is a finding.

Fix: F-83537r1171403_fix

Configure Client Variable settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Client Variables. 2. Set the default storage mechanism for client sessions to any available mechanism other than the registry. 3. Set "Purge Interval" to 1 hour and 7 minutes. 4. Select "Apply".

b

ColdFusion must limit the in-memory size of the virtual file system.

SC-5 - Medium - CCI-002385 - V-279085 - SV-279085r1171029_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000795

Vuln IDs

V-279085

Rule IDs

SV-279085r1171029_rule

Limiting the in-memory size of the virtual file system is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, the virtual file system can consume excessive memory, leading to performance degradation or server crashes. By setting a maximum in-memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.

Checks: C-83633r1171027_chk

Verify Memory Limit settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Interview the administrator to determine how much space if needed for the in-memory virtual file system. If the "Memory Limit for In-Memory Virtual File System" is set to a number larger than required, this is a finding.

Fix: F-83538r1171028_fix

Configure Memory Limit settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Set "Memory Limit for In-Memory Virtual File System" to the required amount. 3. Select "Submit Changes".

b

ColdFusion must limit the default maximum thread count for parallel functions.

SC-5 - Medium - CCI-002385 - V-279086 - SV-279086r1171032_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000800

Vuln IDs

V-279086

Rule IDs

SV-279086r1171032_rule

Setting a default maximum thread count for parallel functions is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, parallel functions can spawn an excessive number of threads, consuming server resources and potentially leading to performance degradation or crashes. By configuring a maximum thread count, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.

Checks: C-83634r1171030_chk

Verify Default Maximum Thread Count For Parallel Functions settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Interview the administrator to determine what the default maximum threads are required parallel functions. If the "Default Maximum Thread Count For Parallel Functions" is set to a number larger than required, this is a finding.

Fix: F-83539r1171031_fix

Configure Default Maximum Thread Count For Parallel Functions. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Set "Default Maximum Thread Count For Parallel Functions" to the required amount. 3. Select "Submit Changes".

b

ColdFusion must limit the maximum post data size.

SC-5 - Medium - CCI-002385 - V-279087 - SV-279087r1171035_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000810

Vuln IDs

V-279087

Rule IDs

SV-279087r1171035_rule

Limiting the maximum post data size is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, excessively large post data can consume server resources, leading to performance degradation or crashes. By setting a maximum post data size, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.

Checks: C-83635r1171033_chk

Verify Default Maximum size of post data settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Interview the administrator to determine what the maximum post data size is required for the hosted applications. If the "Maximum size of post data" is set to a number larger than required, this is a finding.

Fix: F-83540r1171034_fix

Configure Maximum size of post data settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Set "Maximum size of post data settings" to the required amount. 3. Select "Submit Changes".

b

ColdFusion must limit the request throttle memory.

SC-5 - Medium - CCI-002385 - V-279088 - SV-279088r1171038_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000820

Vuln IDs

V-279088

Rule IDs

SV-279088r1171038_rule

Limiting the request throttle memory is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, an excessive number of large requests can overwhelm the server, consuming memory and other resources, leading to performance degradation or crashes. Any requests made above the throttle threshold are considered throttled and cumulatively their total request size cannot be above the throttle memory setting. Any throttled requests made while insufficient throttle memory remaining will be queued. Any requests larger than the throttle memory will be rejected. By setting a request throttle memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.

Checks: C-83636r1171036_chk

Verify Request Throttle Memory settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Interview the administrator to determine what the maximum post data size is required for the hosted applications. If the "Request Throttle Memory" is not set to a 10 to 25 times multiple of the larger of "Request Throttle Threshold" or the maximum request size, this is a finding.

Fix: F-83541r1171037_fix

Configure Maximum Request Throttle Memory settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Set "Request Throttle Memory" to the required amount. 3. Select "Submit Changes".

b

ColdFusion must set an organization defined maximum number of cached templates.

SC-5 - Medium - CCI-002385 - V-279089 - SV-279089r1171580_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000830

Vuln IDs

V-279089

Rule IDs

SV-279089r1171580_rule

Setting an appropriate maximum number of cached templates is crucial to balance server performance and resource usage. If the limit is set too low, it can lead to frequent cache misses, causing the server to regenerate templates more often, which can degrade performance. Conversely, if the limit is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced limit, the server can efficiently manage cached templates, ensuring optimal performance and availability. Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237

Checks: C-83637r1171579_chk

Verify Caching settings. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. If the "Maximum number of cached templates" is not set to a number between 256 and 4096, this is a finding. If the trusted cache is not enabled, this is a finding.

Fix: F-83542r1171040_fix

Configure Caching settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. 2. Set "Maximum number of cached templates" to a number between 256 and 4096. 3. Check the checkbox for "Trusted Cache". 4. Select "Submit Changes".

b

ColdFusion must set an organization defined maximum JVM heap size.

SC-5 - Medium - CCI-002385 - V-279090 - SV-279090r1171582_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000835

Vuln IDs

V-279090

Rule IDs

SV-279090r1171582_rule

Setting an appropriate maximum JVM heap size is crucial to balance server performance and resource usage. If the heap size is set too low, it can lead to frequent garbage collection, which can degrade performance. Conversely, if the heap size is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced maximum JVM heap size, the server can efficiently manage memory, ensuring optimal performance and availability.

Checks: C-83638r1171581_chk

Verify JVM Arguments heap size. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If the "Maximum JVM Heap Size (in MB)" is not set to the required amount, this is a finding.

Fix: F-83543r1171043_fix

Configure JVM Arguments heap size. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. Set "Maximum JVM Heap Size (in MB)" to the appropriate amount. 3. Select "Submit Changes".

b

ColdFusion must set a nonzero timeout for web services.

SC-5 - Medium - CCI-002385 - V-279091 - SV-279091r1171452_rule

RMF Control

SC-5

Severity

M

CCI

Version

APAS-CF-000845

Vuln IDs

V-279091

Rule IDs

SV-279091r1171452_rule

Setting a nonzero timeout for web services is crucial to prevent indefinite waiting periods that can lead to resource exhaustion and potential denial-of-service (DoS) attacks. Without a timeout, web services may hang indefinitely, consuming server resources and potentially causing ColdFusion to become unresponsive. By configuring a nonzero timeout, the server can terminate stalled web service requests, ensuring that resources are freed up and the server remains available to handle new requests efficiently.

Checks: C-83639r1171450_chk

Verify web services timeout. 1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services. 2. For each Active ColdFusion Web Services: a. Click "Edit". b. Review the "Timeout" for each of the "Active ColdFusion Web Services" entries. If any of the timeout values are set to 0, this is a finding.

Fix: F-83544r1171451_fix

Configure web services timeout. 1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services. 2. For each Active ColdFusion Web Services: a. Click "Edit". b. Set the "Timeout" setting to a duration appropriate for the service. c. Select "Update Web Service".

c

JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher.

SC-8 - High - CCI-002418 - V-279092 - SV-279092r1171584_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

APAS-CF-000860

Vuln IDs

V-279092

Rule IDs

SV-279092r1171584_rule

Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved TLS. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. ColdFusion uses JVM to control the encryption of transmitted data. Settings for JVM can be controlled within the Administrator Console to configure the JVM to only use FIPS 140-2/140-3 or higher approved TLS and disable non-FIPS SSL versions.

Checks: C-83640r1171583_chk

Verify JVM Arguments for TLS. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. The parameter -Dhttps.protocols is used to set the TLS versions. Valid values for this setting must be TLS versions 1.2 or higher. Example: Dhttps.protocols=TLSv1.2,TLSv1.3 If the "JVM arguments" setting does not contain the parameter "Dhttps.protocols" or if the parameter "Dhttps.protocols" contains any unapproved protocols or versions, this is a finding.

Fix: F-83545r1171405_fix

Configure JVM Arguments for TLS. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. In Section JVM Arguments, add the parameter "-Dhttps.protocols" and set the parameter to the TLS versions to be used. Example: Dhttps.protocols=TLSv1.2,TLSv1.3 3. Select "Submit Changes". 4. Restart ColdFusion for the changes take effect.

c

ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS).

SC-8 - High - CCI-002418 - V-279093 - SV-279093r1171053_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

APAS-CF-000875

Vuln IDs

V-279093

Rule IDs

SV-279093r1171053_rule

LDAP is commonly used for accessing and maintaining distributed directory information services. When LDAP authentication is performed without encryption, sensitive information such as usernames and passwords can be transmitted in clear text, making it vulnerable to interception and unauthorized access. By using TLS to secure LDAP authentication, the data transmitted between the client and the LDAP server is encrypted, ensuring the confidentiality and integrity of the authentication process. This practice helps protect against eavesdropping, man-in-the-middle attacks, and other security threats, thereby enhancing the overall security of the ColdFusion server and the applications it hosts. Regularly verifying and enforcing using TLS for LDAP authentication is essential for maintaining a secure server environment.

Checks: C-83641r1171051_chk

Verify LDAP is configured for TLS. 1. From the Admin Console Landing Screen, navigate to Security >> Administrator. 2. Click "Edit LDAP Configuration". If "SSL/TLS" is not enabled, this is a finding.

Fix: F-83546r1171052_fix

Configure LDAP for TLS. 1. From the Admin Console Landing Screen, navigate to Security >> Administrator. 2. Click "Edit LDAP Configuration". 3. Enable the "SSL/TLS" setting. 4. Select "Save". 5. Select "Submit Changes".

c

ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-279094 - SV-279094r1171587_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

APAS-CF-000880

Vuln IDs

V-279094

Rule IDs

SV-279094r1171587_rule

Export ciphers have weak encryption algorithms that were originally designed to comply with outdated export regulations. These ciphers provide minimal security and can be easily broken by attackers, leading to potential data breaches and unauthorized access. By removing all export ciphers from the supported cipher suites, the ColdFusion server ensures that only strong, secure encryption algorithms are used for data transmission. This practice helps protect sensitive information from being intercepted and compromised, thereby enhancing the overall security of the server and the applications it hosts. Regularly reviewing and updating the cipher suites to exclude weak ciphers is essential for maintaining a secure server environment. Satisfies: SRG-APP-000439-AS-000274, SRG-APP-000014-AS-000009, SRG-APP-000179-AS-000129, SRG-APP-000439-AS-000155

Checks: C-83642r1171585_chk

Cipher Validation in server.xml: 1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml. 2. Open the server.xml file in a text editor. 3. Identify all <Connector> elements that are actively handling traffic (i.e., not solely configured to redirect to a secure port). 4. Verify each <Connector> element includes either a ciphers attribute or an embedded <SSLHostConfig> element with a ciphers setting. If the ciphers setting is not present, this is a finding. 5. If the ciphers are present, compare them to the list of approved ciphers found in: NIST SP 800-52 Revision 2, Section 3.3.1.1. If any unapproved or insecure ciphers are configured, this is a finding. 6. Verify the protocols attribute is configured and using only approved secure protocols (e.g., TLS 1.2 or 1.3). If the protocols attribute is not configured to use approved secure protocols (e.g., TLS 1.2 or 1.3), this is a finding.

Fix: F-83547r1171586_fix

Secure Cipher and Protocol Configuration in server.xml: 1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml. 2. Before making changes, back up the file to prevent accidental misconfiguration. 3. Open server.xml in a text editor with administrative privileges. 4. Locate each <Connector> element that handles secure traffic (i.e., has SSLEnabled="true" and is not just a redirect). 5. If the <Connector> does not contain a ciphers attribute or an <SSLHostConfig> block with ciphers, add one. 6. Specify only ciphers approved by NIST SP 800-52 Revision 2, Section 3.3.1.1. Example Configuration: <Connector port="8443" maxThreads="150" SSLEnabled="true" scheme="https" SSLEnabled="true"> <SSLHostConfig protocols="TLSv1.2,TLSv1.3" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"> <Certificate certificateKeystoreFile="conf/keystore.jks" certificateKeystorePassword="<password>" type="RSA"/> </SSLHostConfig> </Connector> Note: Replace the example cipher list with the exact approved list relevant to the system and policy. 7. Ensure only secure protocols are used (TLS 1.2 or 1.3). 8. Remove or disable any deprecated protocols such as SSLv3, TLS 1.0, or TLS 1.1. 9. Save and close the file. 10. Restart ColdFusion to apply changes.

c

JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit.

SC-8 - High - CCI-002421 - V-279095 - SV-279095r1171617_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002421

Version

APAS-CF-000885

Vuln IDs

V-279095

Rule IDs

SV-279095r1171617_rule

ColdFusion uses the underlying JVM to handle transmission and receiving data, but ColdFusion does offer the programmer an encrypt API call to protect the data. This call can use multiple crypto methods but using FIPS 140-2/140-3 or higher is superior to those non-FIPS crypto methods to protect and detect changes to the data. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS crypto methods.

Checks: C-83643r1171313_chk

Verify JVM Arguments for Crypto. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If the JVM argument contains "-Dcoldfusion.enablefipscrypto=false" or "-Dcoldfusion.enablefipscrypto" is missing, this is a finding. 2. Observe the ColdFusion edition at the top of the Administrator Console. If the edition is "Standard", this is a finding.

Fix: F-83548r1171058_fix

Configure JVM Arguments for Crypto. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. Amend JVM arguments with "-Dcoldfusion.enablefipscrypto=true". 3. Click "Submit Changes". 4. If not using Enterprise Edition or cryptographic mechanisms are not available, reinstall with Enterprise Edition.

b

ColdFusion must encrypt patch retrieval.

SC-8 - Medium - CCI-002421 - V-279096 - SV-279096r1171589_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002421

Version

APAS-CF-000890

Vuln IDs

V-279096

Rule IDs

SV-279096r1171589_rule

Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.

Checks: C-83644r1171409_chk

Verify that patch retrieval is performed securely, whether automated or manual. If the Administrator Console is not used to retrieve patches, proceed to Step 2. 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Review the Site URL fields for Update Site and Packages Site. Verify that all URLs are prefixed with "https://". If any URL is not prefixed with "https://", this is a finding. 3. If patches are retrieved manually, verify there is documented guidance describing the process. 4. Confirm the documented process requires using an encrypted method to download patches, such as VPN tunneling, Secure Copy (SCP), or equivalent secure protocols. If no documented process exists, or if the process does not require an encrypted method, this is a finding.

Fix: F-83549r1171588_fix

If the Administrator Console is used for patch retrieval: 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Locate the Site URL fields for "Update Site" and "Packages Site". 3. Update each URL to ensure it is prefixed with "https://" so communication is encrypted. 4. Select "Submit Changes". If a manual process is used to retrieve patches: 1. Develop and maintain documented procedures describing the manual patch retrieval process. 2. Ensure the process specifies using an encrypted method for downloading patches (e.g., VPN tunneling, SCP, or equivalent secure protocols).

b

ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols.

SC-8 - Medium - CCI-002421 - V-279097 - SV-279097r1171591_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002421

Version

APAS-CF-000895

Vuln IDs

V-279097

Rule IDs

SV-279097r1171591_rule

The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or transmitted over unencrypted channels, they are susceptible to interception and tampering by malicious actors. This can lead to the introduction of malicious code, unauthorized access, and other security breaches. By ensuring that cfpm packages are transmitted using encrypted protocols, such as HTTPS, the integrity and confidentiality of the packages are maintained. This practice helps protect the server from potential threats and ensures that only trusted and verified packages are installed.

Checks: C-83645r1171590_chk

Verify Package Manager Settings. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. If any Site URL is configured with an "HTTP" , this is a finding.

Fix: F-83550r1171064_fix

Configure Package Manager Settings. 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Enter an "HTTPS" entry into each of the Site URL fields. 3. Select "Submit Changes".

b

The ColdFusion administrator must be using HTTPS to maintain the confidentiality and integrity of information during reception.

SC-8 - Medium - CCI-002422 - V-279098 - SV-279098r1172830_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002422

Version

APAS-CF-000910

Vuln IDs

V-279098

Rule IDs

SV-279098r1172830_rule

Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. ColdFusion must use approved encryption when receiving transmitted data by configuring the Tomcat Connector to use HTTPS.

Checks: C-83646r1172828_chk

Verify HTTPS. 1. Locate the server.xml file for each ColdFusion instance located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\ 2. Open the server.xml file in a text editor. 3. Locate all <Connector> elements configured with an HTTP protocol (e.g., protocol="org.apache.coyote.http11.Http11Protocol" or Http11NioProtocol). If any HTTP connector exists without SSLEnabled="true" and is not commented out (), this is a finding. If there is no active (uncommented) <Connector> configured with SSLEnabled="true", scheme="https", and secure="true", this is a finding.

Fix: F-83551r1172829_fix

Configure ColdFusion to use HTTPS and disable unsecured HTTP access. 1. Locate the server.xml file for each ColdFusion instance located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\ 2. Open the server.xml file in a text editor. 3. Locate all <Connector> elements using the HTTP protocol (e.g., protocol="org.apache.coyote.http11.Http11Protocol" or Http11NioProtocol) without the attribute SSLEnabled="true" 4. Either delete these unsecured <Connector> tags or comment them out using XML syntax:  5. Locate a <Connector> tag that includes SSLEnabled="true" and is configured to support HTTPS communication. 6. If this tag is present but commented out, uncomment it by removing the  markers. 7. If a secure HTTPS connector does not exist, create a new <Connector> tag within the <Service> element of the server.xml file. It should include the following attributes: <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/path/to/keystore" keystorePass="changeit"/> 8. Replace /path/to/keystore with the actual path to the keystore file. 9. Replace "changeit" with the actual password for the keystore. 10. Save the file and restart ColdFusion for the changes to take effect.

b

ColdFusion Backup Directory must be deleted.

SI-2 - Medium - CCI-002617 - V-279099 - SV-279099r1172837_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

APAS-CF-000930

Vuln IDs

V-279099

Rule IDs

SV-279099r1172837_rule

Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.

Checks: C-83647r1171592_chk

Verify Update Backup Directory has been deleted. Navigate to C:\ColdFusion2023\cfusion\hf-updates. If any backup directories exist in the "hf-updates" folder, this is a finding. Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.

Fix: F-83552r1172836_fix

Remove Update Backups. 1. Navigate to C:\ColdFusion2023\cfusion\hf-updates. 2. Remove any backups from hf-updates.

b

ColdFusion must be set to automatically check for updates.

SI-2 - Medium - CCI-002605 - V-279100 - SV-279100r1171595_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

APAS-CF-000935

Vuln IDs

V-279100

Rule IDs

SV-279100r1171595_rule

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.

Checks: C-83648r1171594_chk

Verify the ColdFusion server is configured to check for updates, either automatically or through a documented manual process. 1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator (SA) or reviewing ColdFusion baseline documentation. 2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings. 3. Verify "Automatically Check for Updates" is enabled (checked). If the server has access to a patch repository and "Automatically Check for Updates" is not enabled, this is a finding. 4. If the server does not have access to a patch repository, confirm that a documented manual process exists for checking and retrieving updates. The documented process must specify where to obtain updates, and how often updates are to be checked. If no documented process exists, or if the process does not include both location and frequency, this is a finding.

Fix: F-83553r1171417_fix

Configure ColdFusion to check for updates. 1. If the ColdFusion server has access to a patch repository: a. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. b. Enable the "Automatically Check for Updates" option by checking the box. c. Save the configuration. 2. If the ColdFusion server does not have access to a patch repository: a. Develop and maintain documented procedures describing the manual update process. b. Ensure the documentation includes the location where patches and updates will be obtained (e.g., Adobe website, internal repository) and the frequency with which updates will be checked (e.g., weekly, monthly).

b

ColdFusion must have notifications enabled when a server update is available.

SI-2 - Medium - CCI-002605 - V-279101 - SV-279101r1171077_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

APAS-CF-000940

Vuln IDs

V-279101

Rule IDs

SV-279101r1171077_rule

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently. Having "Check for updates every" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify guarantees a notification is sent to the administrator.

Checks: C-83649r1171075_chk

Verify that the ColdFusion server is configured to notify administrators when updates are available, either automatically or through a documented manual process. 1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator or reviewing ColdFusion baseline documentation. 2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings. 3. Verify the following settings: - "Check for updates every" is enabled (checked). - A positive integer value (1 or greater) is entered for days. - At least one valid email address is entered in "If updates are available, send email notification to" field. If any of these conditions are not met, this is a finding. 4. If the server does NOT have access to a patch repository, verify that a documented notification process exists describing how administrators are informed of available patches. Administrators are enrolled in the Adobe automated patch notification service. 5. To confirm enrollment, request a verification email or a recent patch notification email from Adobe. If no documented notification process exists, or administrators are not enrolled in Adobe's notification service, this is a finding.

Fix: F-83554r1171076_fix

If the ColdFusion server has access to a patch repository: 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Enable "Check for updates every" by checking the box. 3. Enter a value greater than 0 in the "Days" field to define the update check interval. 4. Enter at least one valid email address in the "If updates are available, send email notification to" field. 5. Click "Submit Changes" to save the configuration. If the ColdFusion server does NOT have access to a patch repository: 1. Develop and maintain documented procedures describing how update notifications will be received. 2. Enroll all administrators in the Adobe automated patch notification service. 3. Retain a copy of the verification or confirmation email demonstrating enrollment.

b

Installed versions of ColdFusion must be supported by the vendor.

CM-6 - Medium - CCI-000366 - V-279102 - SV-279102r1171420_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-000995

Vuln IDs

V-279102

Rule IDs

SV-279102r1171420_rule

Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported software no longer receives security patches, bug fixes, or vendor support, leaving known vulnerabilities unaddressed and exploitable by threat actors. These versions may contain flaws that have been publicly disclosed and weaponized, making them an easy target for attackers. Continuing to use obsolete ColdFusion versions increases the risk of system compromise, data exposure, and unauthorized access to application resources. Ensuring that only supported and maintained versions of ColdFusion are deployed allows the organization to receive timely updates, apply critical patches, and maintain compliance with DOD security requirements. Removing or upgrading unsupported instances helps reduce the attack surface, mitigate vulnerabilities, and ensure ColdFusion processes operate securely and reliably.

Checks: C-83650r1171078_chk

Verify the ColdFusion version. 1. Open the ColdFusion Administrator Console. 2. Identify the version of ColdFusion currently installed (displayed in the upper-right system information icon). 3. Navigate to Adobe's official "Product and technical support periods" page: https://helpx.adobe.com/support/programs/eol-matrix.html 4. Locate the ColdFusion product version in the matrix and review the listed "End of Core Support" and/or "End of Extended Support" dates. If the version of ColdFusion in use has passed its support period (core or extended), this is a finding.

Fix: F-83555r1171419_fix

Upgrade ColdFusion to a supported version or uninstall the application. All upgrade or uninstall actions must be executed in accordance with an approved application management plan.

b

ColdFusion must execute as a nonprivileged user.

CM-6 - Medium - CCI-000366 - V-279103 - SV-279103r1171485_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001010

Vuln IDs

V-279103

Rule IDs

SV-279103r1171485_rule

Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. Because ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be set up to execute as unprivileged users. This protects server resources, OS hosted applications, and organization resources should the ColdFusion application server become compromised.

Checks: C-83651r1171457_chk

1. For ColdFusion running on Windows, run the snap-in services.msc. a. Locate the ColdFusion section of services. b. Right-click on each ColdFusion service and select "Properties". c. Select the "Log On" tab. If any service has "Local System account" selected, this is a finding. 2. For each user account of the services that is a local account run the snap-in compmgmt.msc. a. Expand the "Local Users and Groups" in the left pane under "System Tools" to view the "Users" and "Groups" folders. b. Select the "Users" folder and the users will be listed in the right pane. c. Right-click a user that runs a ColdFusion service. d. Select "Properties" on the menu. e. Select the "Member Of" tab. If any groups are listed, this is a finding. 3. Click on the "Remote Desktop Services Profile" tab. If the "Deny this user permissions to log on to Remote Desktop Session Host server" is not checked, this is a finding. 4. For each user account of the services that is a domain account, review the groups for each user account on the domain controller. If any groups are listed, this is a finding. 5. For ColdFusion running on Linux: a. Change to the bin directory in the ColdFusion instance directory. b. Execute the command: grep -i -m 1 runtime_user sysinit c. The user being used to execute ColdFusion will be listed. d. View the user within the /etc/passwd file. e. Make note of the user id and group id. For example, if the line in the passwd file is cfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin, the user id is 500 and the group id is 501. If the user id or the group id is set to 0, this is a finding.

Fix: F-83556r1171484_fix

For ColdFusion running on Windows: 1. Create a user for the ColdFusion services locally by running the snap-in compmgmt.msc or on the domain controller. 2. Follow any organization specific policies in place and Windows STIGs for password complexity, usernames, etc. Remove all groups and ensure the user account does not have permission to connect via Remote Desktop. 3. Run the snap-in services.msc. 4. Locate the ColdFusion services. 5. Right-click on a ColdFusion service and select "Properties". 6. Select the "Log On" tab. 7. Click on the "This account:" radio button. 8. Enter the username and password for the user account that was just created. 9. Select "Ok" to save the changes. 10. Repeat steps 3 through 9 for each ColdFusion service. ColdFusion running on Linux: 1. Create a group for the user account that will run the ColdFusion service by executing the command groupadd. For example, if the group being created is webusers, the command would be "groupadd webusers". 2. Create the user account for the service by executing the command useradd. For example, if the user being created is cfuser without creating a home directory, the command would be "useradd -M cfuser". 3. Lock the user account so that it cannot be used to log in by executing the command usermod. For example, to lock user cfuser, the command would be "usermod -L cfuser". 4. Add the user account to the group by executing the command usermod. For example, to add cfuser to the group webusers, the command would be "usermod -G webusers cfuser". 5. Change to the bin directory in the ColdFusion instance directory. 6. Edit the sysinit file. 7. Locate the text "RUNTIME_USER= within sysinit". 8. Update the user account being used to run the ColdFusion service.

b

The ColdFusion Root Administrator account must have a unique username.

CM-6 - Medium - CCI-000366 - V-279104 - SV-279104r1171486_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001015

Vuln IDs

V-279104

Rule IDs

SV-279104r1171486_rule

The ColdFusion Root Administrator account is an administrative account setup during the installation process. This account has privileges to view, update and delete data within the entire ColdFusion Administrator Console. The account is meant to be used to set up ColdFusion after installation but should only be used in emergency situations once user accounts are created. The account is similar to the Administrator account in Windows or the root account in Linux. To help protect the account, the account username should not be admin or administrator. If set up with these usernames, an attacker already knows 50 percent of the information needed to gain access. A unique and not easily guessable username must be used to hinder the discovery of the account credentials.

Checks: C-83652r1171423_chk

Verify that the ColdFusion Root Administrator username is not set to a default or easily guessable value such as "admin" or "administrator" (in any case variation). 1. Locate the neo-security.xml file. The file is typically located in the "lib" folder under the ColdFusion instance directory. 2. For ColdFusion on Windows: a. Open neo-security.xml in Notepad. Right-click the file and choose "Open With Notepad". Tip: Enable Word Wrap under the "Format" menu for easier reading. b. Navigate to Edit >> Find and search for: 'admin.userid.root'> c. Locate the <string> element immediately following this tag. <var name='admin.userid.root'><string>Administrator</string></var> 3. For ColdFusion on Linux: a. Navigate to the directory containing neo-security.xml. b. Run the following command to extract the relevant tag: grep -ohE "'admin.userid.root'><string>[^<]*</string>" neo-security.xml c. Note the username displayed between <string> and </string>. If the Root Administrator username is any uppercase or lowercase variation of "admin" or "administrator" (Examples: admin, Admin, ADmIN, admInistrAtor, Administrator, ADMINISTRATOR), this is a finding.

Fix: F-83557r1171424_fix

Change the Root Administrator username to a unique value that is not a variation of "admin" or "administrator". 1. Locate the neo-security.xml file. The file is typically located in the "lib" folder under the ColdFusion instance directory. 2. Make a backup copy of the file before making any modifications. 3. For ColdFusion running on Windows: a. Open neo-security.xml in Notepad. Right-click the file and choose "Open With Notepad". Tip: Enable Word Wrap under the "Format" menu for easier reading. b. Navigate to Edit >> Find and search for: 'admin.userid.root'> c. Locate the <string> element that contains the Root Administrator username: <var name='admin.userid.root'><string>Administrator</string></var> d. Replace the existing username with a unique name that is not any case variation of "admin" or "administrator". e. Save the file. f. Restart ColdFusion for the changes to take effect. 4. For ColdFusion running on Linux: a. Navigate to the directory containing neo-security.xml. b. Open the file neo-security.xml in a preferred text editor (e.g., nano, vim). c. Locate the <var name='admin.userid.root'> tag: The username appears between the <string> and </string> tags Example: <var name='admin.userid.root'><string>Administrator</string></var> d. Replace the existing username with a unique name that is not any case variation of "admin" or "administrator". e. Save the file. f. Restart ColdFusion to apply the changes. 5. Validate that the new username is being used and that the system is operating properly. 6. Once validated, securely delete the backup neo-security.xml file created earlier.

b

ColdFusion must protect newly created objects.

CM-6 - Medium - CCI-000366 - V-279105 - SV-279105r1171428_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001020

Vuln IDs

V-279105

Rule IDs

SV-279105r1171428_rule

During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive.

Checks: C-83653r1171426_chk

For ColdFusion running on Windows, this finding is not applicable. ColdFusion running on Linux: 1. Locate the file "sysinit" in the bin directory under the ColdFusion instance directory. For example, the file could be found at \opt\coldfusion2023\cfusion\bin\sysinit, if the ColdFusion instance directory was \opt\coldfusion2023\cfusion. 2. Edit the "sysinit" file. 3. Locate the umask setting. It must be located near the top of the file, but below the #description comment. If the umask is not set to 007 or more restrictive, this is a finding.

Fix: F-83558r1171427_fix

For ColdFusion running on Windows, this finding is not applicable. ColdFusion running on Linux: 1. Locate the file "sysinit" in the bin directory under the ColdFusion instance directory. For example, the file could be found at \opt\coldfusion2023\cfusion\bin\sysinit, if the ColdFusion instance directory was \opt\coldfusion2023\cfusion. 2. Edit the "sysinit" file. 3. Locate the umask setting. It must be located near the top of the file, but below the #description comment. 4. Set umask setting to 007 or more restrictive. 5. Save and close the file.

b

ColdFusion must be configured to set the cookie settings.

CM-6 - Medium - CCI-000366 - V-279106 - SV-279106r1171597_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001030

Vuln IDs

V-279106

Rule IDs

SV-279106r1171597_rule

Cookies are often used to maintain user sessions in web applications. However, if cookies are not properly managed, they can pose a security risk. Persistent cookies that do not expire when the browser is closed can be exploited by attackers to gain unauthorized access to user sessions. By setting the cookie timeout to -1, ColdFusion ensures that cookies are only valid for the duration of the browser session. This means that when the user closes their browser, the session cookies are automatically deleted, reducing the risk of session hijacking and unauthorized access. In ColdFusion, administrators can configure the cookie timeout to -1 to enforce browser-session-based cookies. This setting enhances the security of the application by ensuring that user sessions are terminated when the browser is closed, thereby preventing potential security breaches. Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258

Checks: C-83654r1171596_chk

Verify Session Cookie Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings. If the Cookie Timeout is not set to "-1", this is a finding. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions" is not checked, this is a finding. If the "Cookie Samesite default value" is not set to "Lax" or "Strict" for a default value, this is a finding.

Fix: F-83559r1171318_fix

Configure Session Cookie Settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings. 2. If the Cookie Timeout is not set to -1, update the setting to -1 to ensure session cookies do not expire prematurely. 3. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." is not checked, enable this setting to prevent unauthorized modification of internal cookies. 4. If the "Cookie Samesite default value" is not set to "Lax" or "Strict", configure it to one of these values to enhance security against cross-site request forgery (CSRF) attacks. 5. Select "Submit Changes".

b

ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely.

CM-6 - Medium - CCI-000366 - V-279107 - SV-279107r1171430_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001055

Vuln IDs

V-279107

Rule IDs

SV-279107r1171430_rule

CORS is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. However, mobile applications often need to access resources from different origins. Enabling CORS allows the server to specify which origins are permitted to access its resources, thereby ensuring secure communication between the mobile application and the server. In ColdFusion, administrators can configure ColdFusion to enable CORS by specifying the allowed origins, methods, and headers. This setting enhances the security of the application by ensuring that only trusted origins can access the server's resources, thereby preventing unauthorized access and data breaches. Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095

Checks: C-83655r1171429_chk

Validate Mobile Services settings. 1. Ask the administrator if ColdFusion Mobile services are being used by any hosted applications. If hosted applications are using the service, this is not a finding. 2. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If "Enable mobile's server workflow" is checked, this is a finding. 3. Review the "Enable CORS" setting. If CORS is not enabled, this is a finding. 4. Review the "Mobile server context" setting. If the mobile server context is set to "cfmobile", this is a finding.

Fix: F-83560r1171094_fix

Configure Mobile Services settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Uncheck "Enable mobile's server workflow" if it is checked. 3. Enable CORS to address this finding if it is not already enabled. 4. Update the mobile server context to a value other than "cfmobile" if it is currently set to "cfmobile". 5. Select "Submit Changes".

b

ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.

CM-6 - Medium - CCI-000366 - V-279108 - SV-279108r1171098_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001070

Vuln IDs

V-279108

Rule IDs

SV-279108r1171098_rule

Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.

Checks: C-83656r1171096_chk

Verify Session Cookie setting "HTTPOnly". 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". If "HTTPOnly" setting is not enabled (checked) for session cookies, this is a finding.

Fix: F-83561r1171097_fix

Configure Session Cookie setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". 3. Enable (check) the"HTTPOnly" option. 4. Select "Submit Changes".

b

ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections.

CM-6 - Medium - CCI-000366 - V-279109 - SV-279109r1171101_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001075

Vuln IDs

V-279109

Rule IDs

SV-279109r1171101_rule

Session cookies are often transmitted over the network, and if they are not protected, they can be intercepted by attackers. By enabling the Secure attribute on session cookies, ColdFusion ensures that these cookies are only transmitted over secure HTTPS connections. This configuration helps protect the confidentiality and integrity of session cookies during transmission, reducing the risk of session hijacking and unauthorized access. Enabling the Secure attribute is a critical security measure to ensure that session cookies are not exposed to potential attackers.

Checks: C-83657r1171099_chk

Verify Session Cookie " Secure Cookie" setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". If "Secure Cookie" setting is not enabled (checked) for session cookies, this is a finding.

Fix: F-83562r1171100_fix

Configure Session Cookie setting. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Locate the options labeled "Session Cookie Settings". 3. Enable (check) the Secure Cookie option. 4. Select "Submit Changes".

b

ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version.

CM-6 - Medium - CCI-000366 - V-279110 - SV-279110r1171432_rule

RMF Control

CM-6

Severity

M

CCI

Version

APAS-CF-001100

Vuln IDs

V-279110

Rule IDs

SV-279110r1171432_rule

The JRE is a critical component of the ColdFusion server, providing the necessary runtime environment for executing Java applications. Keeping the JRE updated to the latest version is essential for maintaining the security and stability of the server. Outdated versions of the JRE may contain vulnerabilities that can be exploited by attackers to gain unauthorized access, execute arbitrary code, or cause denial of service. Regularly updating the JRE ensures that the server is protected against known vulnerabilities and benefits from the latest security enhancements and performance improvements.

Checks: C-83658r1171102_chk

Verify JRE. 1. From the Admin Console Landing Screen, navigate to the System Information page by clicking the "i" button on the right side of the top navbar. 2. Review the Java Version and verify it matches the latest version available. If the version is not the latest, this is a finding.

Fix: F-83563r1171431_fix

Install the latest version of the supported JRE. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. Change the "Java Virtual Machine Path" value to the folder with the latest JRE. 3. Select "Submit Changes". 4. Restart ColdFusion.

b

ColdFusion must have CFIDE blocked in the uriworkermap.properties file.

CM-6 - Medium - CCI-000366 - V-279111 - SV-279111r1171107_rule

RMF Control

CM-6

Severity

M

CCI