ColdFusion must only transmit encrypted representations of passwords to the caching server.

Severity: medium
Group ID: V-279061
Group Title: SRG-APP-000172-AS-000120
Version: APAS-CF-000360
Rule ID: SV-279061r1171537_rule
Date: 2025-12-19
STIG Version: 1
Description
Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing encryption for all Redis caching server connections is essential for maintaining a secure server environment.
ℹ️ Check
Verify Redis Cache encryption.
From the Admin Console Landing Screen, navigate to Server Settings >> Caching.
If the "Redis Server" setting is "localhost" or blank, this requirement is not a finding.
If "Password" is blank, this is not a finding.
If "Is SSL Enabled" is unchecked, this is a finding.
✔️ Fix
Configure Redis Cache encryption.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching.
2. Enable encryption by checking "Is SSL Enabled".
3. Select "Submit Changes".