ColdFusion must configure WebSocket Service.

Severity: medium
Group ID: V-279040
Group Title: SRG-APP-000141-AS-000095
Version: APAS-CF-000190
Rule ID: SV-279040r1171341_rule
Date: 2025-12-19
STIG Version: 1
Description
Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server.

When enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface. When used, the WebSocket service must be securely configured.

Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259
ℹ️ Check
Verify the ColdFusion WebSocket configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket. If the "websocket" package is not installed, this is Not Applicable.
2. If "Enable WebSocket Service" is checked: If "Use Proxy" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.
3. If "Use Built-in WebSocket Server" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.
4. If "SSL Port" is not checked, this is a finding.
5. Verify "SSL Port" is an approved port. If not, this is a finding.
6. If "Start Flash Policy Server" is checked, this is a finding.
7. If "Max Data Size" is over the required maximum size, this is a finding.
✔️ Fix
Configure ColdFusion WebSocket.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.
2. If "Use Proxy" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.
3. If "Use Built-in WebSocket Server" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.
4. Enable encryption by checking "SSL Port" and enter an approved port value.
5. Enter the keystore and password.
6. Uncheck "Start Flash Policy Server".
7. Set "Max Data Size" to the default setting of 1024 or to the required maximum size for the hosted applications.
8. Select "Submit Changes".
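The Check and Fix above are Admin Console click-throughs, which do not scale across a fleet. The script below is an added example (not Adobe code and not part of the STIG) that encodes the seven check steps as a function over an exported settings record and adds two network probes for the two properties the checklist cares about: that the configured SSL port actually completes a TLS handshake, and that no port accepts a cleartext WebSocket upgrade. The dictionary keys (`enabled`, `port_enabled`, `ssl_port_enabled`, and so on) are my own names for the Admin Console fields, since the page does not describe an export format; map whatever your inventory tooling produces onto them. The two sample records are constructed, not captured from a real server.

```python
"""Audit ColdFusion WebSocket Service settings against APAS-CF-000190.

Added example. Key names in the settings dicts are assumptions standing in
for the Admin Console fields named in the STIG check; adapt to your export.
"""
import socket
import ssl

# Constructed sample: an unhardened server (cleartext "Port" on, no SSL port,
# Flash policy server running, oversized frames allowed).
UNHARDENED = {
    "package_installed": True,
    "enabled": True,                 # "Enable WebSocket Service"
    "mode": "builtin",               # "proxy" or "builtin"
    "port_enabled": True,            # the non-SSL "Port" checkbox
    "ssl_port_enabled": False,       # the "SSL Port" checkbox
    "ssl_port": None,
    "flash_policy_server": True,     # "Start Flash Policy Server"
    "max_data_size": 4096,           # "Max Data Size"
}

# Constructed sample: the same server after applying the Fix steps.
HARDENED = {
    "package_installed": True,
    "enabled": True,
    "mode": "builtin",
    "port_enabled": False,
    "ssl_port_enabled": True,
    "ssl_port": 8443,
    "flash_policy_server": False,
    "max_data_size": 1024,
}


def evaluate(settings, approved_ssl_ports, max_data_size=1024):
    """Apply the STIG check steps. Returns (status, findings) where status is
    "NA", "PASS" or "FAIL" and findings lists each failed step in order."""
    if not settings["package_installed"]:
        return "NA", []                       # step 1: package absent
    if not settings["enabled"]:
        return "PASS", []                     # service disabled: nothing exposed
    findings = []
    if settings["port_enabled"]:              # steps 2/3: cleartext port
        findings.append(f'non-SSL "Port" is enabled in {settings["mode"]} mode')
    if not settings["ssl_port_enabled"]:      # step 4
        findings.append('"SSL Port" is not enabled')
    elif settings["ssl_port"] not in approved_ssl_ports:   # step 5
        findings.append(f'SSL port {settings["ssl_port"]} is not an approved port')
    if settings["flash_policy_server"]:       # step 6
        findings.append('"Start Flash Policy Server" is enabled')
    if settings["max_data_size"] > max_data_size:   # step 7
        findings.append(
            f'Max Data Size {settings["max_data_size"]} exceeds required maximum {max_data_size}')
    return ("FAIL" if findings else "PASS"), findings


def tls_handshake_succeeds(host, port, timeout=3.0):
    """Live probe: does host:port complete a TLS handshake? Certificate
    validation is disabled on purpose; this checks transport, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def accepts_cleartext_upgrade(host, port, path, timeout=3.0):
    """Live probe: send a plain-text RFC 6455 upgrade request; a 101 reply
    means non-SSL WebSocket is being served, which the STIG forbids."""
    request = (
        f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return s.recv(64).startswith(b"HTTP/1.1 101")
    except OSError:
        return False


if __name__ == "__main__":
    for name, rec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        status, findings = evaluate(rec, approved_ssl_ports={8443})
        print(name, status, *findings, sep="\n  ")
```

`evaluate` treats a disabled service as passing because steps 2 through 7 only matter for a listening service; if your assessor reads the check differently, drop that early return. The two probes are deliberately separate: a port that answers a TLS handshake proves the SSL listener is up, while a 101 to a cleartext upgrade proves the thing the checklist most wants to rule out.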