ColdFusion must have only approved Tomcat connectors enabled.

Severity: low
Group ID: V-279047
Group Title: SRG-APP-000141-AS-000095
Version: APAS-CF-000250
Rule ID: SV-279047r1171513_rule
Date: 2025-12-19
STIG Version: 1
Description
Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols. To minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality.
Check
Review the SSP for the list of approved connectors and their associated TCP/IP ports. Verify that only approved connectors are present.
1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Open the server.xml file in a text editor. Locate the "Connector" tags that are not commented out.
3. Verify that all connectors and their associated network ports are approved in the system security plan (SSP).
If connectors are found that are not approved in the SSP, this is a finding.
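The check above can be scripted for each instance's server.xml. The following is an added example, not part of the STIG or of ColdFusion; it parses a constructed server.xml, lists only the Connector elements that are not commented out (the XML parser discards comments, which matches step 2), and reports any whose protocol family and port are missing from a hypothetical SSP-approved list.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a ColdFusion server.xml: one HTTP
# connector, one AJP connector, and one HTTPS connector that is commented out.
# Not taken from any real installation.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8016" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Hypothetical approved list from the SSP: (protocol family, port) pairs.
APPROVED = {("HTTP", 8500)}


def active_connectors(xml_text):
    """Return (family, port) for every Connector element the parser sees.

    Commented-out connectors never reach the tree, so only live ones
    are listed. Family is derived from the protocol and SSLEnabled attrs;
    Tomcat defaults the protocol to HTTP/1.1 when the attribute is absent.
    """
    root = ET.fromstring(xml_text)
    found = []
    for c in root.iter("Connector"):
        proto = (c.get("protocol") or "HTTP/1.1").upper()
        if "AJP" in proto:
            family = "AJP"
        elif c.get("SSLEnabled", "false").lower() == "true":
            family = "HTTPS"
        else:
            family = "HTTP"
        found.append((family, int(c.get("port", "0"))))
    return found


def unapproved_connectors(xml_text, approved):
    """Connectors present in server.xml but absent from the SSP list."""
    return [c for c in active_connectors(xml_text) if c not in approved]


if __name__ == "__main__":
    for family, port in unapproved_connectors(SAMPLE_SERVER_XML, APPROVED):
        print(f"FINDING: {family} connector on port {port} is not approved in the SSP")
```

Run it once per ColdFusion instance with that instance's server.xml contents in place of the constructed sample.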
Fix
1. Obtain information system security officer (ISSO) approval for the configured connectors and document it in the SSP.
2. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
3. Create a backup of this file.
4. Edit the file and remove any unapproved connectors by deleting the "Connector" tag or by commenting out the configuration using XML comment syntax, which starts with <!-- and ends with -->.