Adobe ColdFusion 11 Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2015-11-02

Updated At: 2018-09-23 01:26:06

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-76565r1_rule CF11-01-000001 CCI-000054 LOW ColdFusion must limit concurrent sessions to the Administrator Console. The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. By disallowing concurren
    SV-76839r1_rule CF11-01-000004 CCI-001453 MEDIUM ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service. Protecting data being sent to the PDF Service for PDF document creation protects the data from being read or modified before the document is created and returned to the requesting application. This protection can be implemented by using https over the pl
    SV-76841r1_rule CF11-01-000005 CCI-001453 HIGH ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session. Protecting the data by not allowing unsecure non-FIPS 140-2 modules to be used and forcing FIPS 140-2 approved encryption modules limits the attack vector for an attacker. Several attacks, such as the POODLE attack and variants of the POODLE attack, take
    SV-76843r1_rule CF11-01-000007 CCI-000213 MEDIUM ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Controlling what a user can see or change is important within the ColdFusion application server. Allowing non-privileged users to change administrative type data can cause errors within the system or DoS situations. By forcing users to identify themselv
    SV-76845r1_rule CF11-01-000010 CCI-002361 MEDIUM ColdFusion must automatically terminate a user session after user inactivity. An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a confi
    SV-76847r1_rule CF11-01-000011 CCI-002361 MEDIUM ColdFusion must set a maximum session time-out value. An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a confi
    SV-76849r1_rule CF11-01-000016 CCI-002314 MEDIUM ColdFusion must control remote access to the Administrator Console. Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access ses
    SV-76851r1_rule CF11-01-000017 CCI-002314 MEDIUM ColdFusion must control remote access to Exposed Services. ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client m
    SV-76853r1_rule CF11-01-000018 CCI-002314 MEDIUM ColdFusion must control user access to Exposed Services. ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client mu
    SV-76855r1_rule CF11-02-000030 CCI-000166 HIGH ColdFusion must require a username and password for access by each authorized user access. Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a
    SV-76857r1_rule CF11-02-000031 CCI-000166 MEDIUM ColdFusion must require each user to authenticate with a unique account. Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a
    SV-76859r1_rule CF11-02-000032 CCI-000174 MEDIUM When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated. Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events fo
    SV-76861r1_rule CF11-02-000034 CCI-000171 MEDIUM ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged. ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure logable events. Allowing users other than the ISSM and appointed individuals access to turn logged events on or off allows a user to mask thei
    SV-76863r1_rule CF11-02-000040 CCI-000132 LOW ColdFusion must log scheduled tasks. Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the application serv
    SV-76865r1_rule CF11-02-000049 CCI-000162 MEDIUM The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console. Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption u
    SV-76867r1_rule CF11-02-000050 CCI-000162 MEDIUM The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly. Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption u
    SV-76869r1_rule CF11-02-000051 CCI-000163 MEDIUM The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly. Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either del
    SV-76871r1_rule CF11-02-000052 CCI-000164 MEDIUM The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console. When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect th
    SV-76873r1_rule CF11-02-000053 CCI-000164 MEDIUM The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly. When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect th
    SV-76875r1_rule CF11-02-000057 CCI-001348 MEDIUM ColdFusion must send log records to the operating system logging facility. Protection of log data includes assuring log data is not accidentally lost or deleted. By sending some of the log messages to the operating system logging facilities, these log messages become part of the OS log history, become part of the log review perf
    SV-76877r1_rule CF11-02-000064 CCI-001849 MEDIUM ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements. The proper management of log records not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain the logs online for a defined period of time. If adequate online log storage cap
    SV-76879r1_rule CF11-02-000065 CCI-001851 MEDIUM ColdFusion log records must be off-loaded onto a different system or media from the system being logged. Information system logging capability is critical for accurate forensic analysis. Off-loading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and
    SV-76881r1_rule CF11-02-000079 CCI-001851 MEDIUM ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. ColdFusion doe
    SV-76883r1_rule CF11-02-000080 CCI-000162 MEDIUM The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly. Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption u
    SV-76885r1_rule CF11-02-000081 CCI-000163 MEDIUM The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly. Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either del
    SV-76887r1_rule CF11-02-000082 CCI-000164 MEDIUM The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly. When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect th
    SV-76889r1_rule CF11-03-000091 CCI-001499 MEDIUM ColdFusion must limit applications from changing shared Java components. Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML cod
    SV-76891r1_rule CF11-03-000092 CCI-001499 MEDIUM ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries. Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature
    SV-76893r1_rule CF11-03-000093 CCI-001499 MEDIUM ColdFusion must protect software libraries from being changed by OS users. Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature
    SV-76895r1_rule CF11-03-000096 CCI-000381 MEDIUM ColdFusion must only allow approved file extensions. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. One area of concern is the file types that can be includ
    SV-76897r1_rule CF11-03-000097 CCI-000381 HIGH ColdFusion must disable Flash Remoting support. Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Flash Remoting allows a Flash client to connect to the C
    SV-76899r1_rule CF11-03-000098 CCI-000381 MEDIUM ColdFusion must disable the In-Memory File System. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. ColdFusion offers an in-memory file system. This featu
    SV-76901r1_rule CF11-03-000099 CCI-000381 MEDIUM ColdFusion must have Event Gateway Services disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Event Gateway Services are used to pass events from ext
    SV-76903r1_rule CF11-03-000100 CCI-000381 HIGH ColdFusion must have Remote Development Services (RDS) disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Development Services (RDS) is used in a developm
    SV-76905r1_rule CF11-03-000101 CCI-000381 MEDIUM ColdFusion must have Remote Adobe LiveCycle Data Management access disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows Li
    SV-76907r1_rule CF11-03-000102 CCI-000381 MEDIUM ColdFusion must have the WebSocket Service disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The WebSocket Service is used to develop real-time appl
    SV-76909r1_rule CF11-03-000103 CCI-000381 MEDIUM ColdFusion must have example data sources removed. ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issu
    SV-76911r1_rule CF11-03-000104 CCI-000381 MEDIUM The ColdFusion built-in TomCat Web Server must be disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Admi
    SV-76913r1_rule CF11-03-000105 CCI-000381 HIGH ColdFusion must have Remote Inspection disabled. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Inspection is used to debug mobile applications
    SV-76915r1_rule CF11-03-000106 CCI-000381 MEDIUM ColdFusion must protect internal cookies from being updated by hosted applications. Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie s
    SV-76917r1_rule CF11-03-000107 CCI-000382 MEDIUM ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. Some networking protocols may not meet organizational security requirements to protect data and components. ColdFusion may host a number of various features, such as the Administrator Console, data sources and various services. These features all run on
    SV-76919r1_rule CF11-03-000108 CCI-001813 MEDIUM ColdFusion must disable auto reloading of configuration files on file changes. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Allowing ColdF
    SV-76921r1_rule CF11-03-000110 CCI-000366 MEDIUM The ColdFusion Root Administrator account must have a unique username. The ColdFusion Root Administrator account is an administrative account setup during the installation process. This account has privileges to view, update and delete data within the entire ColdFusion Administrator Console. The account is meant to be used
    SV-76923r1_rule CF11-03-000111 CCI-000366 MEDIUM ColdFusion must execute as a non-privileged user. Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. Because ColdFusion does not need to run with access
    SV-76925r1_rule CF11-03-000112 CCI-000366 MEDIUM ColdFusion accounts with access to the Administrator Console must be approved. ColdFusion offers an Administrator Console that is used to setup ColdFusion. The console allows the administrator to setup user accounts, user privileges, logging, data sources, etc. These accounts, once setup, do not automatically lock after a set dura
    SV-76927r1_rule CF11-03-000113 CCI-000366 MEDIUM ColdFusion must protect newly created objects. During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be p
    SV-76929r1_rule CF11-03-000114 CCI-000366 MEDIUM ColdFusion must have Sandbox Security enabled. Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate different application user bases, data security levels, protect app
    SV-76931r1_rule CF11-03-000115 CCI-000366 MEDIUM ColdFusion must have Sandboxes defined for application execution. Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate different application user bases, data security levels, protect app
    SV-76933r1_rule CF11-03-000116 CCI-000366 MEDIUM ColdFusion must have the Default ScriptSrc Directory set to a non-default value. The scripts directory contains common javascript code that may be used by the hosted applications. This code is offered to help the developer with common data controls and functions aiding in the quick development of applications. Unfortunately, this co
    SV-76935r1_rule CF11-03-000117 CCI-000366 HIGH ColdFusion must contain the most recent update. ColdFusion releases updates to ColdFusion 11 to add support, fix bugs and close security issues. Without the current update installed, the product may be unstable or become a target for an attacker who can take advantage of a known exploit. The updates,
    SV-76937r1_rule CF11-03-000118 CCI-000381 MEDIUM ColdFusion must have example collections removed. ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issu
    SV-76939r1_rule CF11-03-000119 CCI-000381 MEDIUM ColdFusion must have example gateway instances removed. ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issu
    SV-76941r1_rule CF11-04-000128 CCI-000770 MEDIUM ColdFusion must authenticate users individually. To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone
    SV-76943r1_rule CF11-04-000129 CCI-001941 MEDIUM ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide s
    SV-76945r1_rule CF11-04-000133 CCI-000197 MEDIUM ColdFusion must transmit only encrypted representations of passwords for Flex Integration. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion offers RMI co
    SV-76947r1_rule CF11-04-000134 CCI-000197 MEDIUM The ColdFusion Administrator Console must transmit only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion uses username
    SV-76949r1_rule CF11-04-000135 CCI-000197 MEDIUM ColdFusion must transmit only encrypted representations of passwords to the mail server. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion may use usern
    SV-76951r1_rule CF11-04-000138 CCI-000186 MEDIUM Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusions private key. The cornerstone of PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private
    SV-76953r1_rule CF11-05-000161 CCI-001082 MEDIUM The ColdFusion Administrator Console must be hosted on a management network. ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with managemen
    SV-76955r1_rule CF11-05-000162 CCI-001082 MEDIUM The ColdFusion Administrator Console must be hosted in a management sandbox. ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with managemen
    SV-76957r1_rule CF11-05-000163 CCI-001082 MEDIUM ColdFusion must disable creation of unnamed applications. ColdFusion allows applications to be named or unnamed. The application name allows the developer to scope the application or define a logical application and allows for the separation of applications. When an application is unnamed, the application scop
    SV-76959r1_rule CF11-05-000164 CCI-001082 MEDIUM ColdFusion must not allow application variables to be added to Servlet Context. ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing data across applications, the applications are no longer isol
    SV-76961r1_rule CF11-05-000167 CCI-001664 MEDIUM ColdFusion must enable UUID for session identifier generation. Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, i
    SV-76963r1_rule CF11-05-000168 CCI-001664 MEDIUM ColdFusion must use J2EE session variables. Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, i
    SV-76965r1_rule CF11-05-000169 CCI-001664 MEDIUM ColdFusion must set session cookies as browser session cookies. Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privilege
    SV-76967r1_rule CF11-05-000173 CCI-001190 MEDIUM ColdFusion must provide a clustering capability. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state fac
    SV-76969r1_rule CF11-05-000178 CCI-002470 MEDIUM ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
    SV-76971r1_rule CF11-05-000181 CCI-002385 MEDIUM ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster. A mission critical system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A mission critical system must maintain the highest level of integrity and availability. By Hig
    SV-76973r1_rule CF11-05-000182 CCI-002385 MEDIUM ColdFusion must not store user information in the server registry. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76975r1_rule CF11-05-000183 CCI-002385 MEDIUM ColdFusion must limit the maximum number of Flash Remoting requests. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76977r1_rule CF11-05-000184 CCI-002385 HIGH ColdFusion must limit the SQL commands available. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76979r1_rule CF11-05-000185 CCI-002385 MEDIUM ColdFusion must set a query timeout for Data Sources. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76981r1_rule CF11-05-000186 CCI-002385 MEDIUM ColdFusion must limit the maximum number of Web Service requests. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76983r1_rule CF11-05-000187 CCI-002385 MEDIUM ColdFusion must limit the maximum number of CFC function requests. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76985r1_rule CF11-05-000188 CCI-002385 MEDIUM ColdFusion must limit the maximum number of simultaneous Report threads. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76987r1_rule CF11-05-000189 CCI-002385 MEDIUM ColdFusion must limit the maximum number of threads available for CFTHREAD. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76989r1_rule CF11-05-000190 CCI-002385 MEDIUM ColdFusion must set a timeout for requests. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76991r1_rule CF11-05-000191 CCI-002385 MEDIUM ColdFusion must set a timeout for logins. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76993r1_rule CF11-05-000192 CCI-002385 MEDIUM ColdFusion must limit the time-out for requests waiting in the queue. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76995r1_rule CF11-05-000193 CCI-002385 LOW ColdFusion must have a custom request queue time-out page. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76997r1_rule CF11-05-000194 CCI-002385 MEDIUM ColdFusion must limit the maximum number of POST request parameters. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server
    SV-76999r1_rule CF11-05-000195 CCI-002418 MEDIUM ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tr
    SV-77001r1_rule CF11-05-000196 CCI-002418 MEDIUM ColdFusion must encrypt cookies. Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tr
    SV-77003r1_rule CF11-05-000197 CCI-002421 MEDIUM ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through
    SV-77005r1_rule CF11-05-000198 CCI-002421 MEDIUM ColdFusion must encrypt patch retrieval. Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.
    SV-77007r1_rule CF11-05-000199 CCI-002420 MEDIUM ColdFusion must protect Session Cookies from being read by scripts. A cookie can be read by client-side scripts easily if cookie properties are not set properly during preparation for transmission. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and
    SV-77009r1_rule CF11-05-000200 CCI-002420 HIGH ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data. Information can be either unintentionally or maliciously disclosed if not protected during preparation for transmission. An easy way to protect data during preparation for transmission is to use non-default identifiers for data. An example is for JavaSc
    SV-77011r1_rule CF11-05-000203 CCI-002450 MEDIUM ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNSS creates
    SV-77013r1_rule CF11-06-000216 CCI-001312 MEDIUM The ColdFusion missing template handler must be valid. The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data an
    SV-77015r1_rule CF11-06-000217 CCI-001312 MEDIUM The ColdFusion site-wide error handler must be valid. The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data an
    SV-77017r1_rule CF11-06-000218 CCI-001312 HIGH ColdFusion must have Robust Exception Information disabled. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered
    SV-77019r1_rule CF11-06-000219 CCI-001312 HIGH ColdFusion must have AJAX Debug Log Window disabled. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered
    SV-77021r1_rule CF11-06-000220 CCI-001312 HIGH ColdFusion must have Request Debugging Output disabled. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered
    SV-77023r1_rule CF11-06-000221 CCI-001312 HIGH ColdFusion must have Allow Line Debugging disabled. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered
    SV-77025r1_rule CF11-06-000222 CCI-001314 MEDIUM The ColdFusion error messages must be restricted to only authorized users. If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team.
    SV-77027r1_rule CF11-06-000223 CCI-002754 MEDIUM ColdFusion must have ColdFusion component (CFC) type checking enabled. Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or in
    SV-77029r1_rule CF11-06-000224 CCI-002754 MEDIUM ColdFusion must enable Global Script Protection. Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or in
    SV-77031r1_rule CF11-06-000225 CCI-002617 MEDIUM ColdFusion must remove software components after updated versions have been installed. Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been i
    SV-77033r1_rule CF11-06-000226 CCI-002605 LOW ColdFusion must be set to automatically check for updates. Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is impo
    SV-77035r1_rule CF11-06-000227 CCI-002605 LOW ColdFusion must have notifications enabled when a server update is available. Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is impo