ColdFusion must have sandboxes enabled and defined.

Severity: medium
Group ID: V-279065
Group Title: SRG-APP-000211-AS-000146
Version: APAS-CF-000425
Rule ID: SV-279065r1171383_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks.

Isolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server.

This architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities.

Satisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237
ℹ️ Check
Verify Sandbox Security.
1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.
2. The Administrator Console must have a sandbox separate from the other hosted applications. If there are no sandboxes implemented for the Administrator Console, this is a finding.
3. Sandboxes must be set up for all other hosted applications. If there are no sandboxes implemented for other hosted applications, this is a finding.
If the "Enable ColdFusion Sandbox Security" option is not checked, this is a finding.
✔️ Fix
Configure Sandbox Security.
1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.
2. Check the "Enable ColdFusion Sandbox Security" option.
3. Create sandboxes for the applications.
4. Create a sandbox for the Administrator Console.
5. Select "Submit Changes".
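The check above is a manual Admin Console walkthrough; the following added example (not part of the STIG or of Adobe's tooling) applies its three conditions to a saved security configuration so the rule can be audited on many servers without clicking through each console. It assumes ColdFusion's sandbox settings live in the WDDX-based cfusion/lib/neo-security.xml under a `sandbox.security.enabled` flag and a `contexts` map keyed by sandbox directory, and that the Administrator Console lives under /CFIDE/administrator/; the sample packet and paths are constructed, and the list of hosted application roots must be supplied by the auditor because the configuration does not record which applications exist.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on ColdFusion's WDDX-based neo-security.xml.
# The key names, the 'contexts' layout and the paths are assumptions; confirm
# them against cfusion/lib/neo-security.xml of the server being audited.
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
  <var name='sandbox.security.enabled'><boolean value='true'/></var>
  <var name='contexts'><struct type='coldfusion.server.ConfigMap'>
    <var name='/opt/coldfusion/cfusion/wwwroot/CFIDE/administrator/'><struct/></var>
    <var name='/var/www/app1/'><struct/></var>
  </struct></var>
</struct></data></wddxPacket>"""

ADMIN_DIR = "/CFIDE/administrator/"  # assumed location of the Administrator Console


def parse_sandbox_config(xml_text):
    """Return (sandbox_security_enabled, [sandbox root directories])."""
    top = ET.fromstring(xml_text).find("./data/struct")
    enabled, sandboxes = False, []
    for var in top.findall("var"):
        if var.get("name") == "sandbox.security.enabled":
            flag = var.find("boolean")
            enabled = flag is not None and flag.get("value") == "true"
        elif var.get("name") == "contexts":
            inner = var.find("struct")
            if inner is not None:
                sandboxes = [v.get("name").replace("\\", "/") for v in inner.findall("var")]
    return enabled, sandboxes


def audit(xml_text, hosted_app_dirs):
    """Apply the three conditions of the check; an empty list means no finding."""
    enabled, sandboxes = parse_sandbox_config(xml_text)
    findings = []
    if not enabled:
        findings.append('"Enable ColdFusion Sandbox Security" is not checked')
    # Condition 2: the Administrator Console needs its own sandbox.
    if not any(ADMIN_DIR in s for s in sandboxes):
        findings.append("no sandbox implemented for the Administrator Console")
    # Condition 3: every hosted application needs a sandbox covering its root.
    for app_dir in hosted_app_dirs:
        if not any(s.startswith(app_dir.replace("\\", "/")) for s in sandboxes):
            findings.append(f"no sandbox implemented for hosted application {app_dir}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NEO_SECURITY, ["/var/www/app1/", "/var/www/app2/"]):
        print("FINDING:", f)
```

Feed the real neo-security.xml contents to `audit()` together with the document roots of the applications actually deployed; any returned entry corresponds to one of the "this is a finding" conditions in the check.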