ColdFusion must have Tomcat configured with deployXML disabled.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-279048 | SRG-APP-000141-AS-000095 | APAS-CF-000255 | SV-279048r1171516_rule | 2025-12-19 | 1 |
| Description |
|---|
| The deployXML attribute on a Tomcat <Host> element controls whether the server parses the context.xml file that a web application ships inside its own archive or directory (META-INF/context.xml). When it is enabled, each application can define its own context-level configuration, which may override secure global settings or introduce insecure ones (for example, a privileged context, extra Valves or Listeners, or a docBase outside the host's appBase) without administrator knowledge or oversight. Allowing applications to carry their own context configuration increases the risk of misconfiguration, privilege escalation, or malicious reconfiguration by anyone who can deploy or modify an application. When deployXML is disabled, Tomcat ignores application-supplied context.xml files and context configuration must be supplied centrally by the administrator (for example, as a context file under Tomcat's conf/[engine]/[host]/ directory). This enforces centralized control over context configurations, reduces the risk of insecure deployments, and aligns with the principle of least functionality. |
| ℹ️ Check |
|---|
| Verify the deployXML configuration in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml (for additional instances, substitute the instance directory name for cfusion). 2. Open server.xml in a text editor. 3. Search for all <Host> elements; a single instance may define more than one. 4. Inspect the deployXML attribute of each <Host> element. If any <Host> element has deployXML="true", this is a finding. Note that Tomcat treats an omitted deployXML attribute as true, so a <Host> element with no deployXML attribute still has the feature enabled and should be set explicitly to deployXML="false". |
| ✔️ Fix |
|---|
| Disable deployXML in server.xml. 1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml (for additional instances, substitute the instance directory name for cfusion). 2. Before making any changes, create a backup copy of the file. Windows example: copy server.xml server.xml.bak Linux example: cp server.xml server.xml.bak 3. Open server.xml in a text editor with administrative privileges. 4. Locate every <Host> element. 5. On each <Host> element, change deployXML="true" to deployXML="false", and add deployXML="false" to any <Host> element that lacks the attribute (Tomcat defaults it to true). 6. Restart ColdFusion to apply the configuration change. 7. Confirm that the ColdFusion services started successfully and that the applications the instance serves are still reachable; if any application relied on its own META-INF/context.xml, move that configuration into a centrally managed context file. 8. Reopen server.xml and confirm that deployXML="false" is set on every <Host> element. |
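The check and fix above are easy to get subtly wrong when an instance defines several <Host> elements or when the attribute is simply missing. The following script is an added example, not part of the DISA text or of Adobe ColdFusion; it parses a server.xml, reports the explicit and effective deployXML value for every <Host>, flags the STIG finding (an explicit "true"), and shows a remediated copy with the attribute set to "false" everywhere. The embedded server.xml is a constructed sample, and the host names and paths in it are assumptions for illustration.

```python
"""Audit Tomcat server.xml <Host> elements for deployXML (APAS-CF-000255).

Added example for this STIG rule; not part of the DISA text or of Adobe
ColdFusion. Assumes the standard Tomcat layout Server/Service/Engine/Host.
"""
import sys
import xml.etree.ElementTree as ET

# Tomcat treats an absent deployXML attribute as true.
TOMCAT_DEFAULT_DEPLOY_XML = True

# Constructed sample server.xml (host names and paths are made up):
# one Host explicitly true (a finding), one explicitly false (compliant),
# and one with the attribute omitted (effectively enabled, but not an
# explicit "true").
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false" deployXML="true">
        <Context path="" docBase="/opt/coldfusion/cfusion/wwwroot"/>
      </Host>
      <Host name="intranet.example" appBase="webapps" deployXML="false"/>
      <Host name="legacy.example" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def _is_true(raw):
    # Tomcat parses boolean attributes case-insensitively ("true"/"TRUE").
    return raw is not None and raw.strip().lower() == "true"


def audit_deploy_xml(xml_text):
    """Return one record per <Host>: explicit value, effective value, finding."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("Host"):
        raw = host.get("deployXML")  # None when the attribute is omitted
        effective = TOMCAT_DEFAULT_DEPLOY_XML if raw is None else _is_true(raw)
        results.append({
            "host": host.get("name", "<unnamed>"),
            "deployXML": raw,
            "effective": effective,          # what Tomcat will actually do
            "stig_finding": _is_true(raw),   # the rule flags an explicit "true"
        })
    return results


def hosts_needing_fix(results):
    """Hosts where application context.xml files would still be parsed."""
    return [r["host"] for r in results if r["effective"]]


def set_deploy_xml_false(xml_text):
    """Return a copy of server.xml with deployXML="false" on every <Host>.

    ElementTree drops XML comments and the declaration, so use this to
    preview or verify the change; apply the production edit by hand as in
    the Fix text.
    """
    root = ET.fromstring(xml_text)
    for host in root.iter("Host"):
        host.set("deployXML", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python audit_deployxml.py [path/to/server.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for rec in audit_deploy_xml(text):
        status = "FINDING" if rec["stig_finding"] else ("enabled-by-default" if rec["effective"] else "ok")
        print(f'{rec["host"]:<20} deployXML={rec["deployXML"]!r:<8} effective={rec["effective"]} {status}')
    print("hosts still parsing META-INF/context.xml:", hosts_needing_fix(audit_deploy_xml(text)))
```

Run it against each instance's runtime/conf/server.xml; an empty "hosts still parsing" list after the fix is the confirmation step 8 asks for. The script reports a missing attribute separately from an explicit "true" because the STIG check only names the explicit value, while Tomcat's default leaves the feature on.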