ColdFusion must be configured to mutually authenticate connecting proxies and load balancers.

Severity: medium
Group ID: V-279067
Group Title: SRG-APP-000219-AS-000147
Version: APAS-CF-000445
Rule ID: SV-279067r1171547_rule
Date: 2025-12-19
STIG Version: 1
Description
Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication helps verify the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of these certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access.
ℹ️ Check
Validate SSL Certificate.
1. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.
2. Identify each ColdFusion IP address that is served by a load balancer or proxy. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
3. Open the server.xml file in a text editor and review each <Connector> element for the address setting and the clientAuth setting. If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.
4. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
5. Open the web.xml file in a text editor. If "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>" is not present under the web-app tag, this is a finding.
✔️ Fix
Configure SSL Certificate.
For server.xml:
1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Before making changes, back up the file to prevent accidental misconfiguration.
3. Open server.xml in a text editor with administrative privileges.
For web.xml:
1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Before making changes, back up the file to prevent accidental misconfiguration.
3. Open web.xml in a text editor with administrative privileges.
4. Ensure the <login-config><auth-method>CLIENT-CERT</auth-method></login-config> is present under the web-app tag.
5. Save and close the file.
Restart ColdFusion to apply the changes.
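The following is an added example, not part of the STIG text or of ColdFusion itself: a Python script that applies the Check above to server.xml and web.xml content, with constructed sample files showing the noncompliant configuration beside the compliant one (clientAuth="true" on the proxied <Connector>, and the CLIENT-CERT login-config directly under <web-app>). The IP address 10.0.0.5, the connector ports, the keystore and truststore paths, and the web-app namespace are constructed sample values. One assumption goes beyond the STIG wording: a <Connector> with no address attribute binds to all interfaces, so this script conservatively treats it as serving every proxied IP.

```python
"""Automated check for ColdFusion STIG rule APAS-CF-000445 (mutual authentication of
proxies / load balancers). Added example; all sample XML below is constructed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); web.xml normally uses a default namespace."""
    return tag.rsplit("}", 1)[-1]


def check_server_xml(server_xml, proxied_ips):
    """Return one finding per <Connector> that serves a proxied IP without clientAuth="true".

    Assumption of this example (not stated in the STIG): a Connector with no 'address'
    attribute binds to all interfaces, so it is treated as serving every proxied IP.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter():
        if _local(conn.tag) != "Connector":
            continue
        address = conn.get("address")
        serves_proxy = address is None or address in proxied_ips
        if serves_proxy and conn.get("clientAuth", "").strip().lower() != "true":
            findings.append(
                f'Connector port={conn.get("port", "?")} address={address or "(all interfaces)"} '
                f'is proxied/load balanced but clientAuth is not "true"'
            )
    return findings


def check_web_xml(web_xml):
    """Return a finding unless <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
    is present directly under the <web-app> root element."""
    root = ET.fromstring(web_xml)
    if _local(root.tag) != "web-app":
        return ["root element is not <web-app>"]
    for login_config in root:
        if _local(login_config.tag) != "login-config":
            continue
        for child in login_config:
            if _local(child.tag) == "auth-method" and (child.text or "").strip() == "CLIENT-CERT":
                return []
    return ["<login-config><auth-method>CLIENT-CERT</auth-method></login-config> missing under <web-app>"]


def audit(server_xml, web_xml, proxied_ips):
    """Combine both checks; an empty list means no finding for this rule."""
    return check_server_xml(server_xml, proxied_ips) + check_web_xml(web_xml)


# Constructed sample: 10.0.0.5 is the instance address a load balancer forwards to;
# 127.0.0.1 is a local-only connector that no proxy serves.
NONCOMPLIANT_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="10.0.0.5" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" sslProtocol="TLS"/>
    <Connector port="8500" protocol="HTTP/1.1" address="127.0.0.1"/>
  </Service>
</Server>
"""

# Constructed sample: same connector with clientAuth="true" and a truststore holding the
# CA that issued the proxy's client certificate (truststore path is a placeholder).
COMPLIANT_SERVER_XML = NONCOMPLIANT_SERVER_XML.replace(
    'sslProtocol="TLS"/>',
    'sslProtocol="TLS" clientAuth="true" truststoreFile="conf/truststore.jks"/>',
)

NONCOMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>ColdFusion</display-name>
</web-app>
"""

COMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>ColdFusion</display-name>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>
"""

if __name__ == "__main__":
    proxied = {"10.0.0.5"}
    for label, sx, wx in (("before fix", NONCOMPLIANT_SERVER_XML, NONCOMPLIANT_WEB_XML),
                          ("after fix", COMPLIANT_SERVER_XML, COMPLIANT_WEB_XML)):
        result = audit(sx, wx, proxied)
        print(f"{label}: {result if result else 'no findings'}")
```

On a real instance, read the two files from <ColdFusion_Installation_Directory>\cfusion\runtime\conf\ and pass the set of instance IP addresses identified in step 2 of the Check as proxied_ips; the script reports a finding for each connector and the web.xml condition separately, so each can be traced back to the corresponding Check step.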