ColdFusion must be configured with autoDeploy disabled.

Severity: low
Group ID: V-279049
Group Title: SRG-APP-000141-AS-000095
Version: APAS-CF-000260
Rule ID: SV-279049r1171519_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks.
ℹ️ Check
Review the autoDeploy configuration in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Review the server.xml configuration by opening the server.xml file in a text editor.
3. Search for all <Host> elements.
4. Check the autoDeploy attribute. Inspect each <Host> element for the autoDeploy setting.

If any <Host> element has autoDeploy="true", this is a finding.
✔️ Fix
Disable autoDeploy in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Before making any changes, create a backup copy of the file.
   Windows Example: copy server.xml server.xml.bak
   Linux Example: cp server.xml server.xml.bak
3. Edit the configuration by opening server.xml in a text editor with administrative privileges.
4. Locate all <Host> elements with: autoDeploy="true"
5. Change all attributes to: autoDeploy="false"
6. Restart ColdFusion to apply the configuration changes.
7. Confirm that ColdFusion services started successfully.
8. Reopen server.xml to confirm that autoDeploy="false" is set for all <Host> elements.
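
The Check procedure and the final verification step of the Fix can be scripted. The following Python script is an added example, not part of the STIG or of Adobe's tooling; the sample server.xml content is constructed. The REVIEW status for a <Host> with no autoDeploy attribute is an addition based on Tomcat defaulting that attribute to true; it is not a finding criterion stated in this rule.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml content (not taken from a real system).
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true"/>
      <Host name="app.example.test" appBase="webapps2" autoDeploy="false"/>
      <Host name="legacy.example.test" appBase="webapps3"/>
    </Engine>
  </Service>
</Server>
"""

def audit_hosts(xml_data):
    """Return (host name, raw autoDeploy value, status) for every <Host>.

    xml_data may be str or bytes holding the contents of server.xml.
    """
    root = ET.fromstring(xml_data)
    results = []
    for host in root.iter("Host"):
        raw = host.get("autoDeploy")
        if raw is None:
            # Not a finding under the check text, but Tomcat treats a
            # missing autoDeploy attribute as true, so flag it for review.
            status = "REVIEW"
        elif raw.strip().lower() == "true":
            status = "FINDING"
        else:
            status = "OK"
        results.append((host.get("name", "<unnamed>"), raw, status))
    return results

def audit_file(path):
    """Audit one instance's server.xml (path supplied by the operator)."""
    with open(path, "rb") as fh:
        return audit_hosts(fh.read())

if __name__ == "__main__":
    # With no argument, the constructed sample is audited instead of a file.
    rows = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_SERVER_XML)
    for name, raw, status in rows:
        print(f"{status:8} Host={name} autoDeploy={raw!r}")
    sys.exit(1 if any(s == "FINDING" for _, _, s in rows) else 0)
```

Run it once per ColdFusion instance with the path to that instance's server.xml; a non-zero exit status means at least one <Host> has autoDeploy="true".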