| V-279055 | high | ColdFusion must be using an enterprise solution for authentication. | If ColdFusion is not integrated with an enterprise authentication solution, the system may rely on unmanaged local accounts that are difficult to monitor, audit, and control. This can lead to inconsistent password policies, outdated or orphaned credentials, and a lack of centralized visibility over user access.
This STIG standard requires using LDAP as the enterprise authentication mechanism. LDAP integration ensures that authentication is managed through a centralized directory, allowing for strong password enforcement, account lifecycle management, role-based access control, and consolidated audit logging. Without LDAP integration, users may circumvent enterprise identity governance policies, increasing the risk of unauthorized access and administrative oversight gaps.
Enterprise authentication also supports incident response and forensic analysis by enabling consistent tracking of user activities across systems. Relying on ColdFusion's internal authentication alone limits these capabilities and weakens the overall security posture.
Integrating ColdFusion with an LDAP-based enterprise authentication service ensures alignment with DOD security standards, improves identity management, and reduces the risk of account compromise or privilege escalation.
Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000118-AS-000078, SRG-APP-000120-AS-000080, SRG-APP-000133-AS-000092, SRG-APP-000148-AS-000101, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000506-AS-000231, SRG-APP-000163-AS-000111, SRG-APP-000705-AS-000110 |
| V-279068 | high | ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator. | ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows the application to track the communications along with credentials that may have been used to authenticate users or modules.
Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers reduce the predictability of those identifiers.
Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. |
| V-279075 | high | ColdFusion must control remote access to Exposed Services. | ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access.
Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237 |
| V-279092 | high | JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher. | Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved with TLS.
TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
ColdFusion uses the JVM to control the encryption of transmitted data. JVM settings can be controlled within the Administrator Console to configure the JVM to use only FIPS 140-2/140-3 or higher approved TLS versions and to disable non-FIPS SSL versions. |
| V-279093 | high | ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS). | LDAP is commonly used for accessing and maintaining distributed directory information services. When LDAP authentication is performed without encryption, sensitive information such as usernames and passwords can be transmitted in clear text, making it vulnerable to interception and unauthorized access. By using TLS to secure LDAP authentication, the data transmitted between the client and the LDAP server is encrypted, ensuring the confidentiality and integrity of the authentication process. This practice helps protect against eavesdropping, man-in-the-middle attacks, and other security threats, thereby enhancing the overall security of the ColdFusion server and the applications it hosts. Regularly verifying and enforcing the use of TLS for LDAP authentication is essential for maintaining a secure server environment. |
| V-279094 | high | ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Export ciphers have weak encryption algorithms that were originally designed to comply with outdated export regulations. These ciphers provide minimal security and can be easily broken by attackers, leading to potential data breaches and unauthorized access. By removing all export ciphers from the supported cipher suites, the ColdFusion server ensures that only strong, secure encryption algorithms are used for data transmission. This practice helps protect sensitive information from being intercepted and compromised, thereby enhancing the overall security of the server and the applications it hosts. Regularly reviewing and updating the cipher suites to exclude weak ciphers is essential for maintaining a secure server environment.
Satisfies: SRG-APP-000439-AS-000274, SRG-APP-000014-AS-000009, SRG-APP-000179-AS-000129, SRG-APP-000439-AS-000155 |
| V-279095 | high | JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit. | ColdFusion uses the underlying JVM to transmit and receive data, but ColdFusion also offers the programmer an encrypt API call to protect the data. This call can use multiple cryptographic methods; FIPS 140-2/140-3 or higher approved methods are superior to non-FIPS methods for protecting the data and detecting changes to it. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS cryptographic methods. |
| V-279031 | medium | The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors. | Using only FIPS 140-2/140-3 or higher approved cryptographic modules for encryption helps ensure the confidentiality and integrity of transmitted data. Allowing the use of non-FIPS-approved or outdated encryption modules increases the attack surface and exposes the system to known vulnerabilities. Attacks such as POODLE and its variants exploit weaknesses in noncompliant cryptographic protocols by forcing HTTPS communications to downgrade to insecure cipher suites. This allows an attacker to decrypt sensitive data through man-in-the-middle techniques.
Enforcing FIPS 140-2/140-3 and higher validated modules mitigates this risk by preventing fallback to weak encryption algorithms. |
| V-279032 | medium | ColdFusion must require enforced authentication. | ColdFusion must require each authorized user to authenticate individually and must not allow multiple users to share one authentication. Without enforced authentication, there is no reliable method to verify the identity of users accessing the ColdFusion Administrator Console or other secured components of the application server. This lack of accountability can allow unauthorized users to gain elevated privileges, make unauthorized changes, or conceal malicious activity. Requiring a username and password for each user aligns with the principles of least privilege and ensures that access to sensitive configuration and management functions is appropriately controlled. |
| V-279036 | medium | The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly. | ColdFusion log files may contain sensitive information, including system events, error messages, user activity, and potentially authentication or configuration data. If these log files are not properly protected through restrictive file ownership and permissions, unauthorized users could read, alter, or delete the log data, resulting in a loss of audit integrity, undetected malicious activity, or exposure of sensitive operational details.
Setting appropriate file ownership ensures that only authorized ColdFusion administrators or designated service accounts have access to the logs, reducing the risk of compromise. This control supports the confidentiality, integrity, and availability of log data.
Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000267-AS-000170 |
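An added audit check for the log ownership and permission requirement above (example code, not part of ColdFusion or the STIG). The log directory, service account and group names are assumptions to be replaced with the installation's actual values; the pure `evaluate_log_file` function carries the policy so it can be exercised with constructed stat values.

```python
"""Audit ColdFusion log files for ownership or permissions that would allow unauthorized read or write access."""
import grp
import os
import pwd
import stat

# Assumed values for illustration: adjust to the service account and log path of the actual installation.
LOG_DIR = "/opt/coldfusion/cfusion/logs"
ALLOWED_OWNERS = ("cfusion",)            # service account that writes the logs
ALLOWED_GROUPS = ("cfusion", "cfadmin")  # groups permitted to read them


def evaluate_log_file(st_uid, st_gid, st_mode, allowed_uids, allowed_gids):
    """Return the findings for one file given its stat() fields; an empty list means the file is compliant."""
    findings = []
    mode = stat.S_IMODE(st_mode)   # strip the file-type bits, keep only the permission bits
    if st_uid not in allowed_uids:
        findings.append("owner is not an authorized account")
    if st_gid not in allowed_gids:
        findings.append("group is not an authorized group")
    if mode & stat.S_IROTH:
        findings.append("world-readable (unauthorized read access)")
    if mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append("writable by group or others (log data could be altered or deleted)")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set on a log file")
    return findings


def resolve_ids(names, lookup):
    """Map account or group names to numeric ids, skipping names that do not exist on this host."""
    ids = set()
    for name in names:
        try:
            ids.add(lookup(name))
        except KeyError:
            pass
    return ids


def audit_log_dir(log_dir=LOG_DIR, owners=ALLOWED_OWNERS, groups=ALLOWED_GROUPS):
    """Walk the log directory and return {path: findings} for every file that fails a check."""
    allowed_uids = resolve_ids(owners, lambda n: pwd.getpwnam(n).pw_uid)
    allowed_gids = resolve_ids(groups, lambda n: grp.getgrnam(n).gr_gid)
    report = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)   # lstat: a symlink inside the log directory is itself worth reporting
            if stat.S_ISLNK(st.st_mode):
                report[path] = ["symbolic link in log directory"]
                continue
            findings = evaluate_log_file(st.st_uid, st.st_gid, st.st_mode, allowed_uids, allowed_gids)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in sorted(audit_log_dir().items()):
        print(path)
        for finding in findings:
            print("   -", finding)
```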
| V-279038 | medium | Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified. | The hash verification process must be performed using an approved hashing algorithm to ensure the package has not been altered, tampered with, or corrupted during transfer. If the computed hash does not exactly match the official vendor hash, the installation or upgrade must not proceed, and the discrepancy must be investigated and resolved prior to deployment.
Failure to verify the cryptographic hash of ColdFusion installation or upgrade packages exposes the system to potential compromise. A malicious actor could modify the package to include backdoors, vulnerabilities, or unauthorized code. If the altered package is installed, it may provide an attacker with privileged access to the system, compromise sensitive data, or disrupt operations. Manually verifying the vendor-provided hash ensures the authenticity and integrity of the package before installation, protecting against supply chain attacks and unauthorized modifications. |
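The verification procedure above, as an added example (not Adobe's tooling): the package is hashed with an approved SHA-2 digest, compared exactly against the vendor-published value, and installation is halted on any mismatch. The installer file name and the "vendor" hash in `demo()` are constructed stand-ins.

```python
"""Verify a ColdFusion installation or upgrade package against the vendor-published hash before installing."""
import hashlib
import hmac
import os
import tempfile

# Digests acceptable for package integrity checks (SHA-2 family only; MD5 and SHA-1 are rejected).
APPROVED_ALGORITHMS = ("sha256", "sha384", "sha512")


def is_approved_algorithm(name):
    """True only for an approved hashing algorithm name (case-insensitive)."""
    return name.lower() in APPROVED_ALGORITHMS


def compute_digest(path, algorithm="sha256"):
    """Hash the package in chunks so a large installer is never read into memory whole."""
    if not is_approved_algorithm(algorithm):
        raise ValueError(f"{algorithm} is not an approved hashing algorithm")
    digest = hashlib.new(algorithm.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(computed, vendor_hash):
    """Exact match required: normalise case and whitespace, then compare length and content."""
    expected = vendor_hash.strip().lower()
    return len(expected) == len(computed) and hmac.compare_digest(computed, expected)


def install_decision(path, vendor_hash, algorithm="sha256"):
    """'proceed' only when the computed digest equals the vendor hash; otherwise 'halt' for investigation."""
    return "proceed" if digest_matches(compute_digest(path, algorithm), vendor_hash) else "halt"


def demo():
    """Constructed walk-through: a stand-in package, its 'vendor' hash, then a tampered copy of the package."""
    with tempfile.TemporaryDirectory() as workdir:
        package = os.path.join(workdir, "ColdFusion_installer.bin")  # placeholder name, not a real installer
        with open(package, "wb") as fh:
            fh.write(b"constructed installer payload\n" * 1000)
        vendor_hash = compute_digest(package).upper()   # stands in for the hash published by the vendor
        untampered = install_decision(package, vendor_hash)
        with open(package, "ab") as fh:
            fh.write(b"\x00")                           # one byte altered in transit: the hash no longer matches
        tampered = install_decision(package, vendor_hash)
        return untampered, tampered


if __name__ == "__main__":
    print(demo())   # ('proceed', 'halt')
```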
| V-279039 | medium | Critical ColdFusion directories must have secure file system permissions and ownership. | Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by a system administrator (SA) to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, they can then attempt to revert the system to an unsecure version which may have known and documented attacks that can be used to compromise ColdFusion.
To protect against this type of attack and to further define roles for users, controlling access to the patch management functionality is important. Proper protection is performed by assigning the appropriate roles to the users of the Administrator Console and through least-privilege permissions assigned at the OS level. |
| V-279040 | medium | ColdFusion must configure WebSocket Service. | Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server.
When enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface.
When used, the WebSocket service must be securely configured.
Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259 |
| V-279041 | medium | ColdFusion must have Event Gateway Services disabled when not in use. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. Event Gateway Services are used to pass events from external sources to specified ColdFusion components. Since this gateway accepts events from external sources, a listener must be present. When the service is enabled, the listener, along with the memory, queues, and processes it requires, is made available for gateway processing. These resources can be used by an attacker and should be disabled if the feature is not being used for hosted applications. |
| V-279042 | medium | ColdFusion must have Remote Development Services (RDS) disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. RDS is used in a development environment to allow authenticated users access to the server using special features within code editors like Dreamweaver, HomeSite+, ColdFusion Studio, Eclipse, and VSCode to obtain information from the server. For example, developers can determine what data sources exist, query them, build code based on them, and more. RDS also enables access from within the editors to files on the server (even remotely) over HTTP, as an alternative to FTP. This feature is not meant for production environments. |
| V-279044 | medium | ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging. | Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging, are valuable tools during development but pose significant security risks if left enabled in production environments. These features can expose detailed error messages, internal server logic, application structure, variable contents, and system information that could be leveraged by attackers to gain unauthorized access, identify exploitable vulnerabilities, or conduct reconnaissance.
Allowing remote inspection or detailed debugging output in a production environment undermines the principle of least privilege and increases the risk of unauthorized disclosure of sensitive information. This violates secure coding and deployment best practices. Disabling these features mitigates the risk of information leakage.
Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000266-AS-000169 |
| V-279045 | medium | ColdFusion must have any unused mappings removed. | ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings are left configured, they can present an unmonitored and potentially exploitable entry point for attackers. These mappings may inadvertently expose internal files, application code, or sensitive resources that are not intended for public or application-level access. Attackers can leverage such mappings to bypass access controls, perform directory traversal attacks, or gain insight into the server's file structure.
Removing unused mappings reduces the attack surface and eliminates access to unnecessary or insecure directories, supporting the principle of least functionality. |
| V-279050 | medium | ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities. | ColdFusion Server Settings must be securely configured to enforce application hardening, prevent misuse of functionality, and protect against common web application vulnerabilities. These settings control critical behaviors, including request timeouts, file inclusion, POST limits, script protection, error handling, and access to internal Java components. If these settings are not properly configured according to documented security guidelines and performance parameters, ColdFusion may be exposed to a variety of threats.
Improper request throttling or POST limits can lead to denial-of-service conditions, while excessive output buffer sizes and unfiltered file uploads can result in resource exhaustion or exploitation of the file system. Enabling features such as debug output, remote inspection, or detailed exception information may disclose internal logic, configuration details, or sensitive data to unauthorized users. Allowing overly permissive file inclusion or attribute handling introduces the risk of injection attacks or unintended code execution.
Using default, insecure, or unnecessary features violates secure configuration principles and increases the application's attack surface.
Ensuring ColdFusion is configured with approved and secure server settings helps maintain proper access control, input validation, error handling, and system resilience, ultimately reducing the risk of compromise or misuse.
Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000211-AS-000146, SRG-APP-000223-AS-000150, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000435-AS-000163, SRG-APP-000441-AS-000258, SRG-APP-000447-AS-000273, SRG-APP-000516-AS-000237 |
| V-279053 | medium | ColdFusion must disable the In-Memory File System. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. ColdFusion offers an in-memory file system. This feature can be used to have dynamic code execute quickly, which in turn enables an application to run faster. This feature can also be used by an attacker to execute dynamic code that is erased and unrecoverable on system reboot, making forensic analysis impossible. |
| V-279054 | medium | ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured. | Some networking protocols may not meet organizational security requirements to protect data and components.
ColdFusion may host a number of features, such as the Administrator Console, data sources, and various services. These features all run on TCP/IP ports and protocols. This creates the potential for the vendor or ColdFusion administrator to use port numbers or protocols that have been deemed unusable by the organization. When ports or protocols are used that are not secure or authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol.
For a list of approved ports and protocols, reference the DOD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html. |
| V-279056 | medium | Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security. | Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data.
Many web services use SOAP, which in turn uses XML and HTTP as a transport. Natively, SOAP does not provide security protections. Therefore, ColdFusion must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS-Security suite is a widely used and acceptable SOAP security extension.
ColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the WS-Security suite to enhance SOAP through Java Web Services and configure the WS-Security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data. |
| V-279057 | medium | ColdFusion must store only encrypted representations of passwords. | Applications must enforce password encryption when storing passwords. Passwords must be protected at all times, and encryption is the standard method for protecting them. If passwords are not encrypted, they can be plainly read and easily compromised.
Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords. |
| V-279058 | medium | ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources. | When data is transmitted between ColdFusion and the data sources without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including personal data, authentication credentials, and other confidential information. By requiring each of the data sources to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing the use of encryption for all data source connections is essential for maintaining a secure server environment. |
| V-279059 | medium | ColdFusion must only transmit encrypted representations of passwords to the Solr Server. | Solr is an open-source search platform used for indexing and searching data. When data is transmitted between ColdFusion and the Solr Server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including search queries, indexing data, and other confidential information. By requiring the Solr Server connection to use encryption for data transmission, the ColdFusion server ensures that the data is protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing the use of encryption for all Solr Server connections is essential for maintaining a secure server environment. |
| V-279060 | medium | ColdFusion must transmit only encrypted representations of passwords to the mail server. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
ColdFusion may use username/password to connect to a mail server. When this authentication method is used, it is important that the credentials be protected when transmitted by being encrypted. While TLS encryption is the preferred method by DOD, SSL can be used when the mail server does not offer any other method of encryption.
Satisfies: SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237 |
| V-279061 | medium | ColdFusion must only transmit encrypted representations of passwords to the caching server. | Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing the use of encryption for all Redis caching server connections is essential for maintaining a secure server environment. |
| V-279062 | medium | JVM Arguments must be configured for encryption. | Ensuring that ColdFusion transmits only encrypted representations of passwords to the proxy server is critical for maintaining the security and integrity of sensitive information. When passwords are transmitted in plain text, they are vulnerable to interception by unauthorized parties, which can lead to unauthorized access and potential data breaches. Encrypting passwords during transmission helps protect against these risks by ensuring that even if the data is intercepted, it cannot be easily deciphered and misused.
By implementing encryption for password transmission to the proxy server, ColdFusion can safeguard user credentials and maintain the confidentiality and integrity of the data being transmitted. This practice aligns with best security practices and helps prevent unauthorized access to sensitive information. |
| V-279063 | medium | ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification. | Keystores and truststores are critical components in securing communication between applications and services. If ColdFusion is configured to use certificates that are not issued by a DOD-approved Certificate Authority (CA), the authenticity and trustworthiness of encrypted communications cannot be guaranteed. Accepting certificates from untrusted or self-signed sources introduces the risk of man-in-the-middle (MitM) attacks, unauthorized access, and spoofing.
Keystore and truststore files contain sensitive cryptographic material, including private keys and trusted root certificates. If these files are not adequately protected at the file system level, unauthorized users may gain access and exploit them to impersonate services, decrypt communications, or alter trust relationships. Insecure permissions may also allow modification of trusted CAs, weakening the system's ability to verify legitimate certificates.
Restricting keystore usage to DOD-approved certificates and enforcing strict file-level access controls helps ensure data confidentiality, integrity, and authenticity. It also aligns with DOD PKI requirements and mitigates the risk of compromise through unauthorized certificate usage or tampering with trust anchors.
Satisfies: SRG-APP-000176-AS-000125, SRG-APP-000175-AS-000124, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137 |
| V-279064 | medium | The ColdFusion Administrator Console must be hosted on a management network. | ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the hosted application environment enforces a strong security boundary, requiring users to authenticate with privileged credentials before gaining access to management functionality. This separation ensures that nonprivileged users—such as application users—are not presented with administrative interfaces or options, effectively reducing the attack surface and minimizing the potential for privilege escalation.
Restricting visibility into administrative functions also limits the exposure of sensitive configuration details. In the event a nonprivileged account is compromised, the attacker gains no insight into ColdFusion's management features or internal architecture, impeding reconnaissance efforts and slowing down the progression of an attack.
Hosting the Administrator Console on a dedicated management network ensures the console is accessible only from authorized administrative devices, isolates it from the application traffic and users, and reduces the risk of accidental exposure. Management networks also enforce encryption and strict access controls, providing additional protection against data leakage and unauthorized access to ColdFusion's administrative interface. |
| V-279065 | medium | ColdFusion must have sandboxes enabled and defined. | ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks.
Isolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server.
This architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities.
Satisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237 |
| V-279066 | medium | ColdFusion must separate the hosted application from the web server. | Separating hosted ColdFusion applications from the web server is critical for enforcing strong access control and minimizing the risk of unauthorized access to sensitive server components. When hosted applications and the web server operate within the same execution context or process space, vulnerabilities in one can directly compromise the other.
Separating the hosted application logic from the core web server components limits the application's access to only the resources it requires. This containment ensures that application-level vulnerabilities cannot be easily escalated to affect the broader server environment. It also allows for more granular security controls, input validation, and auditing.
This separation supports defense-in-depth by establishing clear trust boundaries between application and server functions. It enforces the principle of least privilege and protects critical infrastructure from exploitation. |
| V-279067 | medium | ColdFusion must be configured to mutually authenticate connecting proxies and load balancers. | Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication verifies the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of those certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data, and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access. |
| V-279069 | medium | ColdFusion systems must provide clustering. | Clustering enables ColdFusion to distribute workloads across multiple application server instances, providing load balancing, session replication, and failover capabilities. Without clustering, ColdFusion operates as a single point of failure.
Clustering ensures service continuity by allowing traffic to be rerouted to healthy nodes in the event of a failure. It also enhances performance by distributing resource-intensive operations across multiple servers, reducing response times and increasing application scalability. This capability supports the organization's high availability and disaster recovery objectives by reducing the risk of downtime or service degradation.
Clustering supports secure session management by enabling session failover and persistence. This helps maintain user experience and security during node transitions, ensuring continuity of authenticated sessions without requiring users to reauthenticate.
ColdFusion must be capable of supporting clustering to meet enterprise availability requirements, enable horizontal scaling, and ensure that critical applications remain resilient under varying load and failure conditions.
Satisfies: SRG-APP-000225-AS-000154, SRG-APP-000435-AS-000069 |
| V-279070 | medium | ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations.
Timely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred.
SIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity.
Satisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130 |
| V-279071 | medium | ColdFusion must have the Tomcat DefaultServlet debug parameter disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team.
The release of Tomcat that comes with ColdFusion can be configured to output Tomcat-specific debug messages. If left enabled, these settings can expose sensitive data within error and log messages. |
| V-279072 | medium | The ColdFusion error messages must be restricted to only authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Application servers must protect the error messages that are created by ColdFusion. All application server users' accounts are used for the management of the server and the applications residing on ColdFusion. All accounts are assigned to a certain role with corresponding access rights. ColdFusion must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. ColdFusion will usually create new log files as needed and must take steps to ensure that the proper file permissions are used when the log files are created.
Satisfies: SRG-APP-000267-AS-000170, SRG-APP-000033-AS-000024, SRG-APP-000090-AS-000051, SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237 |
| V-279073 | medium | ColdFusion must set a maximum session timeout value. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.
Abandoned sessions are most dangerous when they stay valid for a long time, so ColdFusion must be configured to close a session when a configured condition or trigger event is met; the usual trigger is user inactivity. ColdFusion provides a system-wide default session timeout in the Administrator, and a developer may override it for an application (for example with this.sessionTimeout in Application.cfc). The maximum session timeout caps how large a developer-supplied value can be, so the system-wide ceiling holds even when an application sets its own timeout. |
| V-279074 | medium | ColdFusion must control remote access to the Administrator Console. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by logging connection activities of remote users.
By default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e., single password, separate username and password per user, or no authentication needed), any user from any network can reach the console and change the server configuration, with only the configured authentication standing in the way. Limiting the IP addresses that can connect allows the Administrator Console to be restricted to a management network and accessed only from it, further reducing its exposure. |
| V-279077 | medium | ColdFusion must record time stamps for log records that can be mapped to system time. | Using a consistent time standard such as UTC or GMT for the internal clock of ColdFusion is crucial for maintaining accurate and reliable system logs. This consistency is essential for correlating events across different systems and networks, especially in environments where systems are geographically dispersed. If the internal clock is not set to a standard time, it can lead to discrepancies in log files, making it difficult to trace and investigate security incidents. Additionally, using a nonstandard time setting can complicate the synchronization of time-sensitive operations and affect the overall security posture of ColdFusion. Therefore, setting the internal clock to UTC or GMT helps ensure the integrity and reliability of system logs and enhances the ability to detect and respond to security events effectively. |
| V-279078 | medium | For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | For PKI-based authentication, ColdFusion must keep a local cache of revocation data (for example cached CRLs or OCSP responses) to maintain the security and integrity of the authentication process. PKI relies on verifying that a certificate is valid, which includes checking whether it has been revoked. If the system cannot reach revocation information over the network, it may be unable to determine whether a certificate is still valid, and a compromised or revoked certificate could be accepted.
By implementing a local cache of revocation data, ColdFusion can support path discovery and validation even when network access to revocation information is unavailable. This practice helps ensure that the system can continue to verify the validity of certificates and maintain the security of the authentication process. A cached CRL or OCSP response is only trustworthy within its validity period, so the cache must be refreshed before its entries expire rather than treated as a permanent substitute for a live check. It aligns with best security practices and helps prevent unauthorized access to sensitive information. |
| V-279079 | medium | ColdFusion must set Request Tuning configurations. | To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards are determined by the placement of ColdFusion and the type of applications being hosted within the ColdFusion framework.
Report threads process reports concurrently. Because reporting in most applications is neither time sensitive nor heavily used, this setting should be kept as low as possible, both to limit resource use on ColdFusion and to deny an attacker a way to exhaust resources. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1. |
| V-279080 | medium | ColdFusion must limit the maximum number of threads available for CFTHREAD. | Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, ColdFusion must employ defined security safeguards. These safeguards are determined by the placement of ColdFusion and the type of applications being hosted within the ColdFusion framework.
The CFTHREAD service allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned; if set too high, the server spends its time context switching between threads rather than serving requests. When this feature is not in use, the maximum number of threads must be 1. |
| V-279081 | medium | ColdFusion must limit the maximum number of Web Service requests. | Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. Web services are common targets for automated attacks, excessive load, or abuse through scripted queries and recursive payloads. If there is no limit on the number of web service requests a ColdFusion server will process, an attacker may overwhelm system resources such as memory, CPU, or network bandwidth, leading to service disruption.
Limiting the maximum number of allowable web service requests per session, per client, or per time interval helps enforce resource control, prevent abuse, and maintain application availability. It also ensures that ColdFusion can prioritize legitimate traffic and maintain performance under heavy load.
Applying limits on web service request volume reduces the attack surface and aligns with secure coding practices by ensuring application functionality is intentionally constrained to support operational requirements without exposing the system to unnecessary risk. |
| V-279082 | medium | ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests. | CFCs enable modular development by exposing functions that can be called locally or remotely. If the number of allowable CFC function requests is not limited, the application becomes vulnerable to abuse through excessive or malicious input. Attackers can exploit this by sending high volumes of CFC requests to exhaust server resources resulting in degraded performance or denial-of-service (DoS) conditions.
Unrestricted access to CFC methods may also provide a path for attackers to probe the application for vulnerabilities, perform automated enumeration, or repeatedly invoke resource-intensive functions. This not only disrupts service availability but also increases the risk of lateral movement and further compromise within the application.
Enforcing a limit on the number of allowable CFC function requests per session, per user, or per time period helps prevent resource exhaustion and supports predictable application behavior under load. If this feature is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When the feature is not in use, the maximum number must be set to 1. |
| V-279083 | medium | ColdFusion must configure Data Sources to limit SQL command and configure timeout. | Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data.
Failing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users.
Limiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions.
Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120 |
| V-279084 | medium | ColdFusion must not store user information in the server registry. | Client variables in ColdFusion are used to persist user-specific information between requests and sessions. If the default storage mechanism for these client variables is set to the Windows registry, it introduces a number of security and performance risks. The Windows registry is not designed for high-frequency, dynamic data storage and lacks adequate security controls for storing sensitive session data. Storing client variables in the registry increases the risk of unauthorized access or data corruption, especially in environments where multiple services or users share access to the system.
Improper configuration of the client variable purge interval can lead to excessive accumulation of stale data. If outdated session data is not purged in a timely manner it may result in degraded system performance, resource exhaustion, or inadvertent exposure of residual user data.
Ensuring that client variables are stored in a more secure and scalable location (e.g., database or in-memory store) and that the purge interval is properly configured helps protect user data, improve system performance, and reduce the attack surface of the ColdFusion application environment. |
| V-279085 | medium | ColdFusion must limit the in-memory size of the virtual file system. | Limiting the in-memory size of the virtual file system is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, the virtual file system can consume excessive memory, leading to performance degradation or server crashes. By setting a maximum in-memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently. |
| V-279086 | medium | ColdFusion must limit the default maximum thread count for parallel functions. | Setting a default maximum thread count for parallel functions is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, parallel functions can spawn an excessive number of threads, consuming server resources and potentially leading to performance degradation or crashes. By configuring a maximum thread count, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently. |
| V-279087 | medium | ColdFusion must limit the maximum post data size. | Limiting the maximum post data size is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, excessively large post data can consume server resources, leading to performance degradation or crashes. By setting a maximum post data size, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently. |
| V-279088 | medium | ColdFusion must limit the request throttle memory. | Limiting the request throttle memory is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, an excessive number of large requests can overwhelm the server, consuming memory and other resources and leading to performance degradation or crashes. Requests larger than the throttle threshold are treated as throttled requests, and the combined size of the throttled requests being processed at any one time may not exceed the throttle memory setting. A throttled request that arrives while insufficient throttle memory remains is queued until enough memory is released; a request larger than the entire throttle memory is rejected. By setting a request throttle memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently. |
| V-279089 | medium | ColdFusion must set an organization defined maximum number of cached templates. | Setting an appropriate maximum number of cached templates is crucial to balance server performance and resource usage. If the limit is set too low, it can lead to frequent cache misses, causing the server to regenerate templates more often, which can degrade performance. Conversely, if the limit is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced limit, the server can efficiently manage cached templates, ensuring optimal performance and availability.
Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237 |
| V-279090 | medium | ColdFusion must set an organization defined maximum JVM heap size. | Setting an appropriate maximum JVM heap size is crucial to balance server performance and resource usage. If the heap size is set too low, it can lead to frequent garbage collection, which can degrade performance. Conversely, if the heap size is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced maximum JVM heap size, the server can efficiently manage memory, ensuring optimal performance and availability. |
| V-279091 | medium | ColdFusion must set a nonzero timeout for web services. | Setting a nonzero timeout for web services is crucial to prevent indefinite waiting periods that can lead to resource exhaustion and potential denial-of-service (DoS) attacks. Without a timeout, web services may hang indefinitely, consuming server resources and potentially causing ColdFusion to become unresponsive. By configuring a nonzero timeout, the server can terminate stalled web service requests, ensuring that resources are freed up and the server remains available to handle new requests efficiently. |
| V-279096 | medium | ColdFusion must encrypt patch retrieval. | Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates. |
| V-279097 | medium | ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols. | The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or transmitted over unencrypted channels, they are susceptible to interception and tampering by malicious actors. This can lead to the introduction of malicious code, unauthorized access, and other security breaches. By ensuring that cfpm packages are transmitted using encrypted protocols, such as HTTPS, the integrity and confidentiality of the packages are maintained. This practice helps protect the server from potential threats and ensures that only trusted and verified packages are installed. |
| V-279098 | medium | The ColdFusion administrator must be using HTTPS to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
ColdFusion must use approved encryption when receiving transmitted data by configuring the Tomcat Connector to use HTTPS. |
| V-279099 | medium | ColdFusion Backup Directory must be deleted. | Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system.
ColdFusion creates a backup directory for an update when installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled. |
| V-279100 | medium | ColdFusion must be set to automatically check for updates. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Configuring the software to discover that a new patch is available is important because administrators may be responsible for multiple servers running different applications and services, making it difficult to check every one for updates manually. Enabling the automatic check informs the administrator, who can then investigate the patch and what is needed to apply it and schedule any outages that might be required, thereby permitting the patch to be installed quickly and efficiently. |
| V-279101 | medium | ColdFusion must have notifications enabled when a server update is available. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Configuring the software to discover that a new patch is available is important because administrators may be responsible for multiple servers running different applications and services, making it difficult to check every one for updates manually. Enabling the automatic check informs the administrator, who can then investigate the patch and what is needed to apply it and schedule any outages that might be required, thereby permitting the patch to be installed quickly and efficiently.
Having "Check for updates every" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify ensures a notification is sent to the administrators on that list. |
| V-279102 | medium | Installed versions of ColdFusion must be supported by the vendor. | Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported software no longer receives security patches, bug fixes, or vendor support, leaving known vulnerabilities unaddressed and exploitable by threat actors. These versions may contain flaws that have been publicly disclosed and weaponized, making them an easy target for attackers.
Continuing to use obsolete ColdFusion versions increases the risk of system compromise, data exposure, and unauthorized access to application resources.
Ensuring that only supported and maintained versions of ColdFusion are deployed allows the organization to receive timely updates, apply critical patches, and maintain compliance with DOD security requirements. Removing or upgrading unsupported instances helps reduce the attack surface, mitigate vulnerabilities, and ensure ColdFusion processes operate securely and reliably. |
| V-279103 | medium | ColdFusion must execute as a nonprivileged user. | Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access.
Because ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be set up to execute as unprivileged users. This protects server resources, OS hosted applications, and organization resources should the ColdFusion application server become compromised. |
| V-279104 | medium | The ColdFusion Root Administrator account must have a unique username. | The ColdFusion Root Administrator account is an administrative account set up during the installation process. This account has privileges to view, update, and delete data within the entire ColdFusion Administrator Console. The account is meant to be used to set up ColdFusion after installation but should only be used in emergency situations once user accounts are created. The account is similar to the Administrator account in Windows or the root account in Linux.
To help protect the account, the username should not be admin or administrator. If set up with one of these usernames, an attacker already holds half of the credential pair needed to gain access and only has to guess the password. A unique and not easily guessable username must be used to hinder the discovery of the account credentials. |
| V-279105 | medium | ColdFusion must protect newly created objects. | During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive. |
| V-279106 | medium | ColdFusion must be configured to set the cookie settings. | Cookies are often used to maintain user sessions in web applications. However, if cookies are not properly managed, they can pose a security risk. Persistent cookies that do not expire when the browser is closed can be exploited by attackers to gain unauthorized access to user sessions. By setting the cookie timeout to -1, ColdFusion ensures that cookies are only valid for the duration of the browser session. This means that when the user closes their browser, the session cookies are automatically deleted, reducing the risk of session hijacking and unauthorized access.
In ColdFusion, administrators can configure the cookie timeout to -1 to enforce browser-session-based cookies. This setting enhances the security of the application by ensuring that user sessions are terminated when the browser is closed, thereby preventing potential security breaches.
Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258 |
| V-279107 | medium | ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely. | Browsers enforce the same-origin policy, which prevents a web page from reading responses to requests it makes to an origin other than the one that served it. CORS is the mechanism by which a server relaxes that policy selectively: it names the origins that are permitted to access its resources, and the browser enforces the result. Mobile and single-page applications often need to call the server from a different origin, so CORS must be enabled for exactly those origins rather than left off (which breaks the client) or opened to every origin.
In ColdFusion, administrators can enable CORS by specifying the allowed origins, methods, and headers. Configured with an explicit list of trusted origins, this setting ensures that only those origins can read the server's responses from a browser context. Two caveats apply: a wildcard origin must not be combined with credentials (cookies or authorization headers), since that would let any site act on behalf of a logged-in user, and CORS is a browser-side control only, so it is not a substitute for authenticating non-browser clients.
Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095 |
| V-279108 | medium | ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies. | Session cookies are critical for maintaining user sessions in web applications. If these cookies are accessible to client-side scripts, a cross-site scripting (XSS) flaw anywhere in the application lets an attacker read them and hijack the session. Setting the HttpOnly attribute on session cookies causes the browser to withhold them from script (document.cookie and similar APIs), so an XSS flaw can no longer steal the session identifier; it does not prevent XSS itself, but it removes the most damaging payoff. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information. |
| V-279109 | medium | ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections. | Session cookies are often transmitted over the network, and if they are not protected, they can be intercepted by attackers. By enabling the Secure attribute on session cookies, ColdFusion ensures that these cookies are only transmitted over secure HTTPS connections. This configuration helps protect the confidentiality and integrity of session cookies during transmission, reducing the risk of session hijacking and unauthorized access. Enabling the Secure attribute is a critical security measure to ensure that session cookies are not exposed to potential attackers. |
| V-279110 | medium | ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version. | The JRE is a critical component of the ColdFusion server, providing the necessary runtime environment for executing Java applications. Keeping the JRE updated to the latest version is essential for maintaining the security and stability of the server. Outdated versions of the JRE may contain vulnerabilities that can be exploited by attackers to gain unauthorized access, execute arbitrary code, or cause denial of service. Regularly updating the JRE ensures that the server is protected against known vulnerabilities and benefits from the latest security enhancements and performance improvements. |
| V-279111 | medium | ColdFusion must have CFIDE blocked in the uriworkermap.properties file. | CFIDE is a directory used by ColdFusion for administrative and development purposes. If access to CFIDE is not properly restricted, it can expose sensitive administrative interfaces and development tools to unauthorized users. This can lead to potential security breaches, including unauthorized access to the ColdFusion Administrator, exposure of sensitive configuration information, and the ability to execute arbitrary code. By blocking access to CFIDE in the uriworkermap.properties file, the ColdFusion server ensures that these critical resources are protected from unauthorized access. Regularly verifying and enforcing the blocking of CFIDE is essential for maintaining a secure server environment and preventing potential security vulnerabilities. |
| V-279112 | medium | ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Trust stores and certificate stores in ColdFusion are used to validate the authenticity of digital certificates during secure communications. If these stores include unapproved or rogue trust anchors they introduce the risk of trusting malicious or compromised certificates. This can lead to man-in-the-middle (MitM) attacks, spoofing of trusted services, or unauthorized data decryption.
Only including approved trust anchors ensures that ColdFusion trusts only vetted entities for secure communications. This protects against the installation of unauthorized certificates that could be used to intercept or manipulate encrypted traffic.
Maintaining strict control over which trust anchors are included in ColdFusion's trust and certificate stores is essential to upholding the integrity and confidentiality of system communications. It also ensures alignment with enterprise Public Key Infrastructure (PKI) policies and reduces the risk of inadvertently trusting a compromised or untrusted source. |
| V-279129 | medium | ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package. | The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performance troubleshooting, introduce unnecessary risk in a DOD environment. The PMT agent collects, stores, and transmits detailed information about ColdFusion server activity, queries, and application behavior. If deployed in production, this agent can inadvertently expose sensitive system details, execution paths, or database query patterns to unauthorized individuals.
The PMT Agent Package increases the attack surface by adding additional components, services, and ports that must be secured, monitored, and patched. Improperly configured or unmonitored PMT agents could allow adversaries to gain insights into application internals, conduct reconnaissance, or pivot toward exploiting ColdFusion services.
By prohibiting the installation of the PMT Agent Package, system administrators reduce complexity, limit potential vulnerabilities, and enforce the principle of least functionality. |
| V-279030 | low | ColdFusion must limit concurrent sessions to the Administrator Console. | The ColdFusion Administrator Console provides critical functionality for managing the ColdFusion application server. Allowing concurrent logins to the Administrator Console increases the risk of unauthorized access and account compromise. Disabling concurrent logins ensures that only one active session per user is allowed. This restriction provides a security benefit by alerting users to potential account compromise: if a user is unexpectedly logged out because a new session was initiated, it may indicate unauthorized use of their credentials. |
| V-279033 | low | ColdFusion must not have local users. | To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or generic accounts prevent the ability to associate user actions with specific individuals, which undermines auditing, accountability, and incident response capabilities. Unique user accounts ensure that each action taken within the ColdFusion environment can be attributed to a specific, identifiable user. This is essential for detecting misuse, investigating anomalies, and ensuring compliance with security policies. |
| V-279034 | low | ColdFusion must produce log records containing information to establish what type of events occurred. | Without sufficient logging of events, including information about what type of event occurred, it is difficult to detect, understand, or respond to suspicious or unauthorized activity within the ColdFusion application server.
Comprehensive event logging is essential to support auditing, troubleshooting, and forensic analysis. ColdFusion must generate log records that capture key attributes of events, such as event type, source, outcome, and affected components. This information enables security personnel to determine the nature of an event, assess its impact, and trace it back to a user or process. Failure to produce detailed and complete logs can result in missed detection of security incidents, hinder incident response efforts, and reduce overall situational awareness.
Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072 |
| V-279035 | low | ColdFusion must log scheduled tasks. | Logging scheduled tasks in ColdFusion is essential for detecting unauthorized or unexpected behavior, ensuring task execution integrity, and supporting forensic investigations.
Scheduled tasks can be used to automate critical operations, including data transfers, script executions, or maintenance routines. If these tasks are not properly logged, malicious or erroneous activities may go undetected. For example, an attacker could schedule a task to exfiltrate data or alter application configurations without immediate notice. Recording details such as task name, execution time, user context, success or failure status, and any associated errors provides administrators with the necessary information to monitor system behavior, identify anomalies, and maintain accountability. |
| V-279037 | low | The ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools. | Log management tools within ColdFusion provide access to view, analyze, and sometimes modify application log data. If file ownership and permissions for these tools are not properly restricted, unauthorized users could gain access to audit logs, modify or delete critical records, or bypass detection mechanisms. This not only compromises the integrity and availability of audit data but also undermines the organization's ability to detect and respond to security incidents. Properly assigning file ownership and enforcing least privilege permissions ensures that only authorized administrators or service accounts have access to these tools. This reduces the risk of log tampering or exposure of sensitive information.
Satisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083 |
| V-279043 | low | ColdFusion must have example services removed. | ColdFusion is installed with sample data services, gateway services, collections, and mappings. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Leaving them available on a production system gives an attacker a path into ColdFusion and into the systems connected to it. To correct this issue, sample code and services must be deleted. |
| V-279046 | low | ColdFusion must have Central Configuration Server (CCS) disabled. | The ColdFusion CCS is a feature used to synchronize configuration settings across multiple ColdFusion instances. Leaving CCS enabled in a production environment, especially when it is not actively used, introduces unnecessary risk. If improperly secured or misconfigured, CCS can allow unauthorized access to critical configuration settings, leading to configuration drift, exposure of sensitive information, or even system compromise across multiple instances.
Disabling CCS when not explicitly required helps reduce the application server's attack surface, ensures tighter control over system configurations, and limits the potential vectors for lateral movement within the environment. |
| V-279047 | low | ColdFusion must have only approved Tomcat connectors enabled. | Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols.
To minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality. |
| V-279048 | low | ColdFusion must have Tomcat configured with deployXML disabled. | The deployXML setting in Tomcat controls whether the server will automatically deploy and process context.xml files found within web application directories. When enabled, this feature allows web applications to define their own context-level configurations, which may override secure global settings or introduce insecure configurations without administrator knowledge or oversight.
Allowing applications to self-deploy XML configuration files increases the risk of misconfiguration, privilege escalation, or malicious reconfiguration. Disabling deployXML enforces centralized control over context configurations, reduces the risk of insecure deployments, and aligns with the principle of least functionality. |
| V-279049 | low | ColdFusion must be configured with autoDeploy disabled. | ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks. |
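The two Tomcat items above (V-279048 deployXML, V-279049 autoDeploy) are both attributes of the `<Host>` element in Tomcat's server.xml. The check below is an added example, not part of the STIG or of Adobe's tooling: it parses a server.xml document and reports any Host on which either attribute is missing or not set to "false". The sample server.xml strings are constructed for the example; the one assumption worth noting is that both attributes default to true on a standard Tomcat installation, so an absent attribute is treated as a finding rather than as compliant.

```python
import xml.etree.ElementTree as ET

# Host attributes covered by V-279048 and V-279049. On a standard Tomcat
# install both default to "true" when absent, so absence is a finding.
REQUIRED_FALSE = ("deployXML", "autoDeploy")


def tomcat_bool(value):
    """Tomcat reads boolean attributes case-insensitively; None means absent."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def check_host_settings(server_xml: str) -> dict:
    """Map each <Host> name to the attributes that are not explicitly "false".

    An empty dict for a Host means that Host is compliant for both items.
    """
    root = ET.fromstring(server_xml)
    results = {}
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        problems = {}
        for attr in REQUIRED_FALSE:
            raw = host.get(attr)
            enabled = tomcat_bool(raw)
            if enabled is None:
                problems[attr] = "absent (Tomcat default is true)"
            elif enabled:
                problems[attr] = f'set to "{raw}"'
        results[name] = problems
    return results


# Constructed sample in the shape of a stock Tomcat server.xml before
# hardening: autoDeploy is explicitly on and deployXML is not set at all.
WEAK_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed sample after applying both items to the same Host.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'autoDeploy="true"', 'autoDeploy="false" deployXML="false"')

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for host, problems in check_host_settings(doc).items():
            print(f"{label}: Host {host}: {'FAIL' if problems else 'PASS'} {problems}")
```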
| V-279051 | low | ColdFusion must have the sample data directories removed. | ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Leaving them available on a production system gives an attacker a path into ColdFusion and into the systems connected to it. To alleviate this issue, sample code, data, and services must be deleted. |
| V-279052 | low | ColdFusion must have the CFSTAT feature disabled when not in use. | Application servers provide a wide range of processes, features, and functionalities. Some of these processes may be deemed unnecessary or too insecure to run on a production DOD system. ColdFusion offers the CFSTAT command-line utility to retrieve real-time performance metrics for the system. This feature uses a socket connection to obtain the metrics, which an attacker can also use to observe privileged information about the system, and it must be disabled if not in use. |
| V-279076 | low | ColdFusion must allocate log record storage capacity. | Proper management of log records not only dictates that proper archiving processes and procedures be established, but also requires allocating enough storage space to maintain the logs online for a defined period of time.
If adequate online log storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected.
It is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on ColdFusion until they can be archived to a log system or, in some instances, a Storage Area Network (SAN). Regardless of the method used, log record storage capacity must be sufficient to store log data when the data cannot be off-loaded to a log system or a SAN.
ColdFusion handles logs by allowing the administrator to specify a log file size and how many archives to keep online. This allows the administrator to size the storage needed to meet the organization's requirement for how long log audit files must be available online, and to provision that storage before archives are off-loaded to offline storage. |