ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator.

Severity: high
Group ID: V-279068
Group Title: SRG-APP-000224-AS-000152
Version: APAS-CF-000465
Rule ID: SV-279068r1172825_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows the application to track the communications along with credentials that may have been used to authenticate users or modules. Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers reduce the predictability of those identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.
ℹ️ Check
Review the random number generator used for generating session identifiers.

1. Locate the java.security file for the Java Runtime Environment (JRE) used by ColdFusion, located at: <ColdFusion_Installation_Directory>\jre\conf\security\java.security
2. Open the java.security file in a text editor.
3. Locate the following setting: securerandom.strongAlgorithms
4. Verify that the value includes a FIPS 140-2/140-3 or higher approved random number generator. For example: securerandom.strongAlgorithms=DRBG:SUN

If the securerandom.strongAlgorithms setting does not exist or does not specify a FIPS 140-2/140-3 or higher approved algorithm, this is a finding.
✔️ Fix
Configure the random number generator used for generating session identifiers.

1. Open the java.security file located at: <ColdFusion_Installation_Directory>\jre\conf\security\java.security
2. Locate or add the securerandom.strongAlgorithms property and configure it to use a FIPS-approved RNG. For example: securerandom.strongAlgorithms=DRBG:SUN
3. Save the file and restart ColdFusion to apply the changes.
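The check and fix steps above can be automated so that the java.security file is re-validated after every JRE update or ColdFusion patch. The following Python script is an added example, not part of the STIG or of ColdFusion: it parses the java.security property format (comment lines, key=value pairs and backslash line continuations, with later definitions overriding earlier ones as the JDK does), reads securerandom.strongAlgorithms (the list that java.security.SecureRandom.getInstanceStrong() consults) and reports a finding when the property is missing, empty, or lists no approved algorithm. The APPROVED_ALGORITHMS set is an assumption seeded only with DRBG, the page's own example; the three embedded java.security fragments are constructed samples, not files shipped with any product.

```python
"""Check securerandom.strongAlgorithms in a java.security file (STIG check helper)."""
from pathlib import Path
from typing import Dict, List, Tuple

# Algorithms treated as FIPS 140-2/140-3 approved for this check. The page's own
# example is DRBG (NIST SP 800-90A). Assumption: extend this set to match your
# organization's approved list before relying on the result.
APPROVED_ALGORITHMS = {"DRBG"}


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the java.security property format.

    Handles '#' / '!' comment lines, 'key=value' and 'key:value' separators and
    backslash line continuations. Later definitions override earlier ones,
    matching how the JDK reads the file.
    """
    props: Dict[str, str] = {}
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += line  # continuation: leading whitespace of the next line is dropped
        else:
            if not line or line[0] in "#!":
                continue  # blank or comment line
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1]  # trailing backslash joins the next line
            continue
        logical_lines.append(buf)
        buf = ""
    if buf:
        logical_lines.append(buf)
    for logical in logical_lines:
        # The first unescaped '=' or ':' separates the key from the value.
        for i, ch in enumerate(logical):
            if ch in "=:" and (i == 0 or logical[i - 1] != "\\"):
                key, value = logical[:i].strip(), logical[i + 1:].strip()
                break
        else:
            key, value = logical, ""
        props[key] = value
    return props


def parse_strong_algorithms(value: str) -> List[Tuple[str, str]]:
    """Split 'DRBG:SUN,SHA1PRNG:SUN' into [('DRBG', 'SUN'), ('SHA1PRNG', 'SUN')]."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        alg, _, provider = item.partition(":")
        entries.append((alg.strip(), provider.strip()))
    return entries


def check_strong_algorithms(text: str) -> Tuple[bool, str]:
    """Return (compliant, explanation) for the securerandom.strongAlgorithms setting.

    A finding is raised when the property is absent, empty, or lists no approved
    algorithm; the file is compliant when at least one approved algorithm is listed.
    """
    props = parse_java_properties(text)
    value = props.get("securerandom.strongAlgorithms")
    if value is None:
        return False, "finding: securerandom.strongAlgorithms is not set"
    entries = parse_strong_algorithms(value)
    approved = [alg for alg, _ in entries if alg.upper() in APPROVED_ALGORITHMS]
    if not approved:
        return False, f"finding: no approved algorithm in '{value}'"
    return True, f"compliant: approved algorithm(s) {', '.join(approved)} listed"


def check_file(path: str) -> Tuple[bool, str]:
    """Run the check against a java.security file on disk."""
    return check_strong_algorithms(Path(path).read_text(encoding="utf-8"))


# Constructed sample inputs (not real files): one compliant, one where the
# property is commented out, one listing only a non-approved algorithm.
COMPLIANT = """\
# Constructed java.security fragment
securerandom.strongAlgorithms=DRBG:SUN,\\
    SHA1PRNG:SUN
"""
COMMENTED_OUT = """\
#securerandom.strongAlgorithms=DRBG:SUN
securerandom.source=file:/dev/random
"""
NOT_APPROVED = "securerandom.strongAlgorithms=SHA1PRNG:SUN\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python check_strongrng.py <ColdFusion_Installation_Directory>/jre/conf/security/java.security
        print(check_file(sys.argv[1])[1])
    else:
        for sample in (COMPLIANT, COMMENTED_OUT, NOT_APPROVED):
            print(check_strong_algorithms(sample)[1])
```

Run it with the path to the ColdFusion JRE's java.security file to reproduce the manual check; with no argument it exercises the three constructed samples. Note that the setting only governs code paths that obtain their generator through SecureRandom.getInstanceStrong(), so a compliant file is necessary but the application's session-ID code must actually use the strong instance for the control to take effect.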