Critical ColdFusion directories must have secure file system permissions and ownership.

Severity: medium
Group ID: V-279039
Group Title: SRG-APP-000133-AS-000092
Version: APAS-CF-000175
Rule ID: SV-279039r1171605_rule
Date: 2025-12-19
STIG Version: 1
Description
Controlling the overall security posture of the server includes controlling the patches and versions of the software running in the production environment. Patches are installed to fix security issues and bugs. Vendors will often supply a feature to uninstall a patch in case the patch does not install correctly, causes issues with hosted applications, or contains issues not found during testing. The uninstall feature is meant to be used by a system administrator (SA) to maintain a secure and stable system.

If an attacker gains access to the uninstall functionality, they can attempt to revert the system to an insecure version that may have known and documented attacks capable of compromising ColdFusion. To protect against this type of attack and to further define roles for users, controlling access to the patch management functionality is important. Proper protection is achieved by assigning the appropriate roles to the users of the Administrator Console and by assigning least-privilege permissions at the OS level.
ℹ️ Check
Verify critical ColdFusion directories have secure file system permissions and ownership appropriate to the operating system and deployment model.

1. Locate the following directories within the ColdFusion installation for each ColdFusion instance:
   <ColdFusion_Install>\bundles
   <ColdFusion_Instance>\bin
   <ColdFusion_Instance>\lib
   <ColdFusion_Instance>\runtime\lib
   <ColdFusion_Instance>\wwwroot\WEB-INF\lib

2. For ColdFusion running on Windows, each of the above directories must have "Full Control" granted to:
   - The Administrators group.
   - The user account running ColdFusion.

   If any directory or file within these paths has incorrect permissions, this is a finding.

3. For ColdFusion running on Linux, each directory must meet the following criteria:
   - Owner: The user account running ColdFusion.
   - Group ownership: root.
   - Permissions: Set to 740 or more restrictive.

   If the ownership or permissions on any directory or file are incorrect, this is a finding.
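The Linux criteria in step 3 can be checked across a whole directory tree with a short script. This is an added example, not part of the STIG text; it assumes GNU find and stat, the function name audit_cf_dirs is hypothetical, and treating setuid/setgid/sticky bits as a finding is an assumption about what "740 or more restrictive" covers.

```shell
#!/bin/sh
# Added example (not STIG text): audit the Linux criteria from the Check.
# Usage: audit_cf_dirs OWNER GROUP DIR...
# Returns 0 = compliant, 1 = finding(s), 2 = a directory could not be audited.
audit_cf_dirs() {
    owner=$1 group=$2
    shift 2
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            printf 'ERROR    %s is not a directory\n' "$dir"
            rc=2
            continue
        fi
        # A finding is any entry with the wrong owner, the wrong group, or a
        # permission bit outside 0740. Mask 7037 covers group write/execute,
        # all "other" bits, and (assumption) setuid/setgid/sticky.
        # Symlinks are skipped for the mode test: their own mode is always 777.
        if ! hits=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \
                -o \( ! -type l -perm /7037 \) \) -print); then
            printf 'ERROR    find failed on %s\n' "$dir"
            rc=2
            continue
        fi
        if [ -n "$hits" ]; then
            # Show current owner:group and octal mode next to each path.
            printf '%s\n' "$hits" | while IFS= read -r p; do
                printf 'FINDING  %s  %s\n' "$(stat -c '%U:%G %a' "$p")" "$p"
            done
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return "$rc"
}
# Example call, using the page's placeholder account and example path:
# audit_cf_dirs cfuser root /opt/ColdFusion2023/cfusion/lib
```

Run it as root or as the ColdFusion account so that every subdirectory is readable; an unreadable subtree is reported as an error rather than as compliant.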
✔️ Fix
Update ownership and permissions on ColdFusion directories.

1. Locate the following directories in the ColdFusion installation and in each ColdFusion instance:
   - bundles
   - bin
   - lib
   - runtime\lib
   - wwwroot\WEB-INF\lib

2. For ColdFusion running on Windows, right-click the directory (e.g., lib) and select "Properties".

3. Select the Security tab and then click "Advanced".

4. On the Permissions tab, click "Disable inheritance" and select "Remove all inherited permissions from this object".

5. Click "Add".
   - In the Permission Entry dialog, click "Select a principal".
   - Enter the user account running the ColdFusion service.
   - Grant full control and then click "OK".

6. Click "Add" again.
   - In the Permission Entry dialog, click "Select a principal".
   - Enter the Administrators group.
   - Grant full control and then click "OK".

7. Check "Replace all child object permission entries with inheritable permission entries from this object".

8. Click "OK" to apply the permissions.

9. Repeat these steps for each of the listed directories.

10. For ColdFusion running on Linux, for each directory (e.g., /opt/ColdFusion2023/cfusion/lib), set ownership and permissions using the following commands, replacing cfuser with the user running ColdFusion:

    chown -R <cfuser>:root /path/to/directory
    chmod -R 740 /path/to/directory

11. Repeat these commands for each of the identified directories (bundles, bin, lib, runtime/lib, wwwroot/WEB-INF/lib).