Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279038 | SRG-APP-000131-AS-000002 | APAS-CF-000171 | SV-279038r1171464_rule | 2025-12-19 | 1 |
**Description**

The hash verification process must be performed using an approved hashing algorithm to ensure the package has not been altered, tampered with, or corrupted during transfer. If the computed hash does not exactly match the official vendor hash, the installation or upgrade must not proceed, and the discrepancy must be investigated and resolved prior to deployment.

Failure to verify the cryptographic hash of ColdFusion installation or upgrade packages exposes the system to potential compromise. A malicious actor could modify the package to include backdoors, vulnerabilities, or unauthorized code. If the altered package is installed, it may provide an attacker with privileged access to the system, compromise sensitive data, or disrupt operations. Manually verifying the vendor-provided hash ensures the authenticity and integrity of the package before installation, protecting against supply chain attacks and unauthorized modifications.
**ℹ️ Check**

Verify the hash by obtaining the official cryptographic hash for the ColdFusion installation or upgrade package from the Adobe-provided source.

1. On the system where the package is stored, compute the hash value using an approved tool (e.g., `certutil` on Windows or `sha256sum` on Linux).
   - Windows example: `certutil -hashfile ColdFusionInstaller.exe SHA256`
   - Linux example: `sha256sum ColdFusionInstaller.bin`
2. Compare the computed hash against the vendor-provided hash value.

If the computed hash does not exactly match the vendor-provided hash, this is a finding.

If there is no documented evidence that a manual hash verification was performed prior to installation or upgrade, this is a finding.
**✔️ Fix**

1. Obtain the official vendor-provided cryptographic hash for the ColdFusion installation or upgrade package.
2. Before installation or upgrade, compute the hash value locally using an approved tool (e.g., `certutil` or `sha256sum`).
3. Compare the computed hash against the vendor-provided hash.
   a. If the values match, proceed with installation or upgrade.
   b. If the values do not match, do not proceed. Redownload the package from a trusted source and reverify until the hash matches.
4. Maintain documentation of the verification process for auditing purposes.