The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279031 | SRG-APP-000015-AS-000010 | APAS-CF-000010 | SV-279031r1171492_rule | 2025-12-19 | 1 |
| Description |
|---|
| Using only FIPS 140-2/140-3 or higher approved cryptographic modules for encryption helps ensure the confidentiality and integrity of transmitted data. Allowing the use of non-FIPS-approved or outdated encryption modules increases the attack surface and exposes the system to known vulnerabilities. Attacks such as POODLE and its variants exploit weaknesses in noncompliant cryptographic protocols by forcing HTTPS communications to downgrade to insecure cipher suites. This allows an attacker to decrypt sensitive data through man-in-the-middle techniques. Enforcing FIPS 140-2/140-3 or higher validated modules mitigates this risk by preventing fallback to weak encryption algorithms. |
| ℹ️ Check |
|---|
| Verify FIPS mode in the configuration:<br>1. For each ColdFusion instance, locate the server.xml file in the following directory: `<ColdFusion Install Directory>\runtime\conf`<br>2. Open server.xml.<br>3. Search for the `<Listener>` tag for AprLifecycleListener and confirm that it includes the attribute `fipsmode="on"`. If the `fipsmode="on"` attribute is not present, this is a finding.<br>4. Verify FIPS mode at runtime: after starting ColdFusion, open the coldfusion-error.log file.<br>5. Search for the term "fipsmode".<br>6. Check for the following message: `failed to set property[FIPSMODE] to [on]`. If this error message is present in the log, this is a finding. |
| ✔️ Fix |
|---|
| 1. Enable FIPS mode in Tomcat by editing the Tomcat server.xml configuration file.<br>2. On the Tomcat server, log in as a privileged user and open the server.xml file: `sudo nano $CATALINA_BASE/conf/server.xml`<br>3. Locate or add the `<Listener>` element for AprLifecycleListener.<br>4. Ensure the element includes the `FIPSMode="on"` attribute. Example configuration:<br>`<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />`<br>5. Save and close the file.<br>6. Restart ColdFusion to apply the changes.<br>7. Check coldfusion-error.log after startup to confirm there are no errors indicating failure to set FIPSMode. |
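The Check and Fix sections above describe a two-part manual procedure: inspect the AprLifecycleListener element in server.xml, then confirm at runtime that coldfusion-error.log carries no "failed to set property[FIPSMODE]" message. The script below is an added example that automates both halves against files on disk; it is not ColdFusion's, Adobe's or Tomcat's code, and the server.xml fragments and log lines it contains are constructed for the demonstration. Note that the Check section writes the attribute as `fipsmode` while the Fix section (and Tomcat's own listener documentation) spells it `FIPSMode`; the checker accepts either spelling the page gives, but reports the non-documented one so that it gets confirmed by the runtime log check, which is exactly the backstop the STIG provides.

```python
# Added example: offline checker for this STIG entry. Not ColdFusion/Tomcat code;
# all server.xml fragments and log lines below are constructed sample data.
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

APR_LISTENER_CLASS = "org.apache.catalina.core.AprLifecycleListener"
# The message the STIG check says to look for in coldfusion-error.log, matched
# case-insensitively and whitespace-tolerantly so log formatting cannot hide it.
FIPS_FAILURE_RE = re.compile(r"failed to set property\s*\[FIPSMODE\]\s*to\s*\[on\]", re.IGNORECASE)

# --- constructed sample inputs (not taken from a real installation) ----------
COMPLIANT_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
"""
MISSING_ATTR_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
</Server>
"""
LOWERCASE_ATTR_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" fipsmode="on" />
</Server>
"""
LOG_OK = [
    "Dec 19, 2025 09:00:00 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent",
    "INFO: Loaded APR based Apache Tomcat Native library",
]
LOG_FAIL = LOG_OK + [
    "Dec 19, 2025 09:00:01 AM org.apache.tomcat.util.digester.Digester startElement",
    "SEVERE: failed to set property[FIPSMODE] to [on]",
]


def check_server_xml(xml_text: str) -> List[str]:
    """Configuration half of the check. Returns findings; an empty list passes."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    listeners = [el for el in root.iter("Listener") if el.get("className") == APR_LISTENER_CLASS]
    if not listeners:
        return [f"no <Listener> for {APR_LISTENER_CLASS} in server.xml"]
    for listener in listeners:
        # Match the attribute name case-insensitively so we can report exactly
        # what is present; the page writes it both as fipsmode and FIPSMode.
        fips_attrs: Dict[str, str] = {k: v for k, v in listener.attrib.items() if k.lower() == "fipsmode"}
        if not fips_attrs:
            findings.append("AprLifecycleListener has no FIPSMode attribute")
            continue
        for name, value in fips_attrs.items():
            if value.strip().lower() != "on":
                findings.append(f'AprLifecycleListener has {name}="{value}", expected "on"')
            elif name != "FIPSMode":
                # Tomcat documents the attribute as FIPSMode; a differently spelled
                # attribute may not be applied, so flag it for the runtime log check.
                findings.append(f"attribute spelled {name}; Tomcat documents FIPSMode, confirm in coldfusion-error.log")
    return findings


def check_error_log(log_lines: List[str]) -> List[str]:
    """Runtime half of the check. Returns one finding per matching log line."""
    return [f"coldfusion-error.log line {n}: {line.strip()}"
            for n, line in enumerate(log_lines, start=1) if FIPS_FAILURE_RE.search(line)]


def evaluate(xml_text: str, log_lines: List[str]) -> Tuple[str, List[str]]:
    """Combine both halves into the STIG outcome: 'finding' or 'not a finding'."""
    findings = check_server_xml(xml_text) + check_error_log(log_lines)
    return ("finding" if findings else "not a finding"), findings


def evaluate_files(server_xml_path: str, log_path: str) -> Tuple[str, List[str]]:
    """Same evaluation against real files, e.g. <ColdFusion Install Directory>/runtime/conf/server.xml
    and the instance's coldfusion-error.log (paths are the caller's; none are assumed here)."""
    with open(server_xml_path, encoding="utf-8") as f:
        xml_text = f.read()
    with open(log_path, encoding="utf-8", errors="replace") as f:
        log_lines = f.readlines()
    return evaluate(xml_text, log_lines)


if __name__ == "__main__":
    for label, xml_text, log in [
        ("compliant", COMPLIANT_SERVER_XML, LOG_OK),
        ("missing attribute", MISSING_ATTR_SERVER_XML, LOG_OK),
        ("lowercase attribute", LOWERCASE_ATTR_SERVER_XML, LOG_OK),
        ("runtime failure", COMPLIANT_SERVER_XML, LOG_FAIL),
    ]:
        status, details = evaluate(xml_text, log)
        print(f"{label}: {status}")
        for detail in details:
            print("  -", detail)
```

Run it without arguments to see the four constructed scenarios, or call `evaluate_files()` with an instance's server.xml and coldfusion-error.log after a restart. The log half matters even when the XML looks right: the STIG's runtime step exists because a listener attribute can be present in the file yet fail to take effect, and only the startup log shows that.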