ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured.

Severity: medium
Group ID: V-279054
Group Title: SRG-APP-000142-AS-000014
Version: APAS-CF-000300
Rule ID: SV-279054r1171443_rule
Date: 2025-12-19
STIG Version: 1
Description
Some networking protocols may not meet organizational security requirements to protect data and components. ColdFusion may host a number of features, such as the Administrator Console, data sources, and various services. These features all run on TCP/IP ports and protocols. This creates the potential for the vendor or the ColdFusion administrator to use port numbers or protocols that the organization has deemed unusable. When ports or protocols are used that are not secure or not authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol. For a list of approved ports and protocols, reference the DOD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.
ℹ️ Check
Verify that remote access to the ColdFusion Administrator Console is appropriately restricted and that all configured ports, including WebSocket configurations, comply with approved organizational policies.

1. Validate the access scope of the Administrator Console.
2. Identify whether the ColdFusion Administrator Console is reachable via any IP address other than localhost (for example, by attempting to reach the console from another host, or by checking which address the ColdFusion connector is listening on).
3. If remote (non-localhost) access is possible, confirm whether the server is designated for remote administration. If remote access is enabled on a server intended for local administration only, this is a finding.
4. Confirm Administrator Console port compliance. Access the ColdFusion Administrator Console in a web browser. If the URL specifies a port number, verify the port is approved per organizational policy. If an unapproved port is used, this is a finding.
5. Review Data & Services connection ports. From the Admin Console landing screen, navigate to Data & Services.
6. For each tab, review the port configuration of every connection and service. If any service is configured to use a non-approved port, this is a finding.
✔️ Fix
Restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used, including WebSocket configurations, are approved and properly secured.

If the ColdFusion server is to be administered locally only:

1. Locate the server.xml file for ColdFusion.
   Linux: <ColdFusion Install Directory>/runtime/conf/server.xml
   Windows: <ColdFusion Install Directory>\runtime\conf\server.xml
2. Create a backup copy of server.xml before making changes.
3. Edit the file and update every <Connector> element for HTTP and HTTPS to include address="127.0.0.1" (this binds the connector to the loopback interface, so it is reachable only from the local server).
4. Restart ColdFusion to apply the changes.
5. Verify that the ColdFusion Administrator Console is accessible only from the local server and not from any external IP address.
6. Once local-only access is confirmed, remove the backup file to avoid configuration confusion.
7. For any Data & Services configurations using unapproved ports:
   a. Reconfigure all affected services or data connections to use approved ports in accordance with organizational policy.
   b. Save the changes and restart the affected services.
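The following script is an added example, not part of the STIG and not code shipped with ColdFusion. It automates the server.xml portion of the Check above (bind address and port of each live connector) and shows the Fix's before/after state as two constructed server.xml fragments modelled on the stock file. The HTTPS port 8446 in the weak sample, the file names, and the APPROVED_PORTS list are assumptions; the port list in particular is a placeholder, not the DOD approved-ports data, and it only covers server.xml connectors, not the ports configured under Data & Services.

```shell
#!/bin/sh
# Added example (not part of the STIG or of ColdFusion): audit the <Connector>
# elements in ColdFusion's runtime/conf/server.xml for the two things the Check
# asks about: is each HTTP/HTTPS connector bound to localhost only, and is its
# port on the approved list.
# Assumptions: each <Connector ...> element starts on its own line (true for the
# stock file); APPROVED_PORTS is a placeholder for the organization's approved
# list, not real policy data.

APPROVED_PORTS="${APPROVED_PORTS:-8500 8443}"

# connector_attr LINE NAME: print the value of NAME="..." on LINE, or nothing.
# The leading [[:space:]] keeps port= from matching redirectPort=.
connector_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# port_approved PORT: succeed if PORT is in APPROVED_PORTS.
port_approved() {
    for p in $APPROVED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# audit_server_xml FILE: one report line per live (uncommented) connector:
#   port=<n> protocol=<p> address=<addr|NONE> [FINDING:no-localhost-bind] [FINDING:port-not-approved]
# AJP connectors are reported but not held to the localhost rule, since the
# Fix covers the HTTP and HTTPS connectors.
audit_server_xml() {
    grep '<Connector' "$1" | grep -v '^[[:space:]]*<!--' |
    while IFS= read -r line; do
        port=$(connector_attr "$line" port)
        proto=$(connector_attr "$line" protocol)
        addr=$(connector_attr "$line" address)
        out="port=$port protocol=${proto:-HTTP/1.1} address=${addr:-NONE}"
        case "$proto" in
            *AJP*) ;;                              # not an HTTP/HTTPS connector
            *) case "$addr" in
                   127.0.0.1|localhost|::1) ;;     # bound to loopback only
                   *) out="$out FINDING:no-localhost-bind" ;;
               esac ;;
        esac
        port_approved "$port" || out="$out FINDING:port-not-approved"
        printf '%s\n' "$out"
    done
}

# count_findings FILE: total number of FINDING: tags (0 means clean).
count_findings() {
    audit_server_xml "$1" | awk '{ n += gsub(/FINDING:/, "") } END { print n + 0 }'
}

# write_samples DIR: constructed before/after fragments modelled on the stock
# ColdFusion server.xml. The HTTPS port 8446 in the weak file is made up.
write_samples() {
    cat > "$1/server.weak.xml" <<'EOF'
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8446" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" />
    <!-- <Connector port="8016" protocol="AJP/1.3" redirectPort="8445" /> -->
  </Service>
</Server>
EOF
    cat > "$1/server.hardened.xml" <<'EOF'
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" address="127.0.0.1" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" address="127.0.0.1" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" />
    <!-- <Connector port="8016" protocol="AJP/1.3" redirectPort="8445" /> -->
  </Service>
</Server>
EOF
}

# Usage: sh audit_cf_connectors.sh /path/to/runtime/conf/server.xml
# With no argument, runs against the constructed weak and hardened samples.
if [ $# -gt 0 ]; then
    audit_server_xml "$1"
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp/server.weak.xml" "$tmp/server.hardened.xml"; do
        echo "== $f"
        audit_server_xml "$f"
        echo "findings: $(count_findings "$f")"
    done
    rm -r "$tmp"
fi
```

Against the weak sample the script reports the missing address attribute on both connectors and the unapproved HTTPS port; against the hardened sample it reports nothing. Treat it as a first pass: the bind address should still be confirmed from the server side after the restart (which address the ColdFusion process is actually listening on), and the Data & Services ports must still be reviewed in the console as the Check describes.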