ColdFusion must limit the maximum number of Web Service requests.

Severity: medium
Group ID: V-279081
Group Title: SRG-APP-000435-AS-000163
Version: APAS-CF-000745
Rule ID: SV-279081r1171481_rule
Date: 2025-12-19
STIG Version: 1
Description
Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. Web services are common targets for automated attacks, excessive load, or abuse through scripted queries and recursive payloads. If there is no limit on the number of web service requests a ColdFusion server will process, an attacker may overwhelm system resources such as memory, CPU, or network bandwidth, leading to service disruption. Limiting the maximum number of allowable web service requests per session, per client, or per time interval helps enforce resource control, prevent abuse, and maintain application availability. It also ensures that ColdFusion can prioritize legitimate traffic and maintain performance under heavy load. Applying limits on web service request volume reduces the attack surface and aligns with secure coding practices by ensuring application functionality is intentionally constrained to support operational requirements without exposing the system to unnecessary risk.
ℹ️ Check
Determine Web Services usage.

1. Interview the system administrator (SA), and/or review any of the following documentation:
   - Hosted application source code.
   - Hosted application design documentation.
   - Published web services design documentation.
   - ColdFusion baseline documentation.
2. Confirm whether Web Services are published by any hosted applications. If Web Services are being published, this requirement is not a finding.
3. If Web Services are not being published, from the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
4. Locate the "Maximum number of simultaneous Web Service requests" setting and verify the value is set to "1".

If Web Services are not in use and the value is not set to "1", this is a finding.
✔️ Fix
Configure Web Services usage.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
2. Locate the "Maximum number of simultaneous Web Service requests" setting.
3. Set the value to "1" to prevent unnecessary web service threads.
4. Click "Submit Changes" to save the configuration.