ColdFusion must set Request Tuning configurations.

Severity: medium
Group ID: V-279079
Group Title: SRG-APP-000435-AS-000163
Version: APAS-CF-000735
Rule ID: SV-279079r1171576_rule
Date: 2025-12-19
STIG Version: 1
Description
To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within the ColdFusion framework. Report threads are used to process reports concurrently. Since reporting in most applications is not time sensitive or heavily used, this setting should be kept as low as possible, both to limit resource use on ColdFusion and to limit a method an attacker could use to exhaust resources. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.
ℹ️ Check
Verify Request Tuning Configurations.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
   If "Maximum number of simultaneous Report threads" is not set to "1", this is a finding.
   If "Maximum number of simultaneous Template requests" is not set to the maximum number of requests (or 24, whichever is higher), this is a finding.
   If the "Timeout requests waiting in queue after" setting is higher than "5", this is a finding.
2. Validate that "Request Queue Timeout Page" is set to a valid and custom page.
   If "Request Queue Timeout Page" is blank or is set to "/CFIDE/administrator/templates/request_timeout_error.cfm", this is a finding.
3. Validate the file exists. The path and file given are relative to the web server's document root directory and not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Request Queue Timeout Page" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm.
   If the "Request Queue Timeout Page" setting is not set to a valid page, this is a finding.
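The Check's pass/fail logic, including the document-root path resolution from step 3, written out as an added Python example (not part of the STIG or of any Adobe tooling). It assumes the four values were read off the Request Tuning screen by hand; the dictionary keys, finding names, and the site_max_requests argument (the site-determined maximum number of requests) are hypothetical labels, and the sample values are constructed.

```python
import os
import tempfile

# Stock page the Check treats as a finding (path taken from the page).
DEFAULT_PAGE = "/CFIDE/administrator/templates/request_timeout_error.cfm"

def resolve_under_docroot(docroot, page):
    """Map a web-root-relative page to a path inside docroot, or None if it escapes."""
    root = os.path.realpath(docroot)
    # lstrip: os.path.join() would discard docroot if the second part were absolute.
    full = os.path.realpath(os.path.join(root, page.lstrip("/")))
    return full if os.path.commonpath([root, full]) == root else None

def audit_request_tuning(settings, docroot, site_max_requests):
    """Return finding names; dict keys are hypothetical labels for the console fields."""
    findings = []
    if settings["report_threads"] != 1:
        findings.append("report_threads")
    if settings["template_requests"] != max(site_max_requests, 24):
        findings.append("template_requests")
    if settings["queue_timeout"] > 5:
        findings.append("queue_timeout")
    page = settings["queue_timeout_page"].strip()
    if not page or page == DEFAULT_PAGE:
        findings.append("queue_timeout_page")
    else:
        full = resolve_under_docroot(docroot, page)
        if full is None or not os.path.isfile(full):
            findings.append("queue_timeout_page_file")
    return findings

def demo():
    """Audit constructed sample values against a temporary, constructed document root."""
    with tempfile.TemporaryDirectory() as docroot:
        tpl = os.path.join(docroot, "CFIDE", "administrator", "templates")
        os.makedirs(tpl)
        open(os.path.join(tpl, "timeout_error.cfm"), "w").close()
        good = {"report_threads": 1, "template_requests": 24, "queue_timeout": 5,
                "queue_timeout_page": "/CFIDE/administrator/templates/timeout_error.cfm"}
        stock = dict(good, report_threads=8, queue_timeout=60,
                     queue_timeout_page=DEFAULT_PAGE)
        missing = dict(good, queue_timeout_page="/errors/queue_timeout.cfm")
        return [audit_request_tuning(s, docroot, 20) for s in (good, stock, missing)]

if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```

A page value that resolves outside the document root is reported the same way as a missing file, since neither is a valid page under that root.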
✔️ Fix
Set Request Tuning Configurations.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
2. Set "Maximum number of simultaneous Report threads" to "1".
3. Set "Maximum number of simultaneous Template requests" to the appropriate amount or 24, whichever is higher.
4. Set "Timeout requests waiting in queue after" to "5" or fewer.
5. Set "Request Queue Timeout Page" to a custom and valid page.
6. Select "Submit Changes".