ColdFusion must limit the maximum number of threads available for CFTHREAD.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279080 | SRG-APP-000435-AS-000163 | APAS-CF-000740 | SV-279080r1171402_rule | 2025-12-19 | 1 |
| Description |
|---|
| Denial of Service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within the ColdFusion framework. The CFTHREAD service allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned. If the value is set too high, the server may spend excessive time context switching between threads. When this feature is not in use, the maximum number of threads must be 1. |
| ℹ️ Check |
|---|
| Verify that CFTHREAD settings are appropriately configured when threading is not used by hosted applications. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Confirm with the administrator whether any hosted applications are using CFTHREAD for multithreading. If CFTHREAD is in use, this is not a finding. 3. If CFTHREAD is not used, verify that "Maximum number of threads available for CFTHREAD" is set to "1" to effectively disable threading. If CFTHREAD is not used, and the "Maximum number of threads available for CFTHREAD" is set to a value other than "1", this is a finding. |
| ✔️ Fix |
|---|
| Configure CFTHREAD settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning. 2. Set "Maximum number of threads available for CFTHREAD" to "1" to disable unnecessary threading. 3. Click "Submit Changes". |
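
Step 2 of the Check depends on knowing whether any hosted application uses CFTHREAD. The following added example (not part of the STIG or of ColdFusion) scans CFML source for thread creation to support that conversation with the administrator, then applies the finding logic from step 3. The function names, sample files, and the value `10` are assumptions made for illustration; the real value is read from Request Tuning in the Admin Console.

```python
import re
import tempfile
from pathlib import Path

# <cfthread> tag, plus the cfscript forms: thread name=... and cfthread(...).
TAG_RE = re.compile(r"<cfthread\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"(?:^|[;{}\s])(?:thread\s+[\w-]+\s*=|cfthread\s*\()", re.IGNORECASE)
# CFML and cfscript block comments; blanked so commented-out code is ignored.
COMMENT_RE = re.compile(r"<!---.*?--->|/\*.*?\*/", re.DOTALL)
CFML_SUFFIXES = {".cfm", ".cfc", ".cfml"}

def _blank(match):
    # Keep newlines so reported line numbers still match the file.
    return "\n" * match.group(0).count("\n")

def find_cfthread_usage(webroot):
    """Return (file name, line number, line) for each apparent CFTHREAD use."""
    hits = []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CFML_SUFFIXES:
            continue
        text = COMMENT_RE.sub(_blank, path.read_text(errors="replace"))
        for number, line in enumerate(text.splitlines(), 1):
            if TAG_RE.search(line) or SCRIPT_RE.search(line):
                hits.append((path.name, number, line.strip()))
    return hits

def evaluate(hits, max_cfthread):
    """Apply the check: in use -> not a finding; unused and not 1 -> finding."""
    if hits or max_cfthread == 1:
        return "NOT_A_FINDING"
    return "FINDING"

def build_sample(root):
    # Constructed sample files, not from any real application.
    root = Path(root)
    (root / "report.cfm").write_text('<cfoutput>#now()#</cfoutput>\n<cfthread name="export" action="run">\n</cfthread>\n')
    (root / "util.cfc").write_text('component {\n  function go() {\n    thread name="bg" action="run" { sleep(10); }\n  }\n}\n')
    (root / "old.cfm").write_text('<!--- <cfthread name="x">\n</cfthread> --->\n<cfset threadCount = 3>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits = find_cfthread_usage(tmp)
        for name, number, line in hits:
            print(f"{name}:{number}: {line}")
        # 10 stands in for the value read from Request Tuning in the Admin Console.
        print(evaluate(hits, max_cfthread=10))
```

Scan results are leads for the administrator to confirm, not proof of use: a match inside a string or a `//` comment still counts, which errs toward reviewing the code rather than missing a thread.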