ColdFusion must configure Data Sources to limit SQL commands and configure timeouts.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279083 | SRG-APP-000435-AS-000163 | APAS-CF-000755 | SV-279083r1171449_rule | 2025-12-19 | 1 |
| Description |
|---|
| Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data. Failing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users. Limiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions. Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120 |
| ℹ️ Check |
|---|
| Verify that all defined data sources are configured.<br>1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.<br>2. Determine if any data sources are defined. If no data sources are defined, this is not a finding.<br>3. For each connected data source, edit the data source by clicking "Show Advanced Settings" to display all configuration options.<br>4. Check whether the data source provides an option to specify a query timeout. If the query timeout setting is not available, this is not a finding.<br>5. If the query timeout setting is available, verify that the value is not set to "0", which indicates no timeout. If any data source has a query timeout configured with a value of "0", this is a finding.<br>6. Review "Login Timeout (sec)". If there are any data sources with a "Login Timeout (sec)" set higher than 5, this is a finding.<br>If any of the data sources have CREATE, GRANT, DROP, REVOKE or ALTER checked, this is a finding. |
| ✔️ Fix |
|---|
| Configure data sources.<br>1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.<br>2. For each data source, edit the data source configuration:<br>a. Click "Show Advanced Settings" to display all options.<br>b. If the query timeout parameter is available, set the timeout value to a number greater than 0 to ensure queries do not run indefinitely.<br>c. Set "Login Timeout (sec)" to less than 5.<br>d. Uncheck the options allowing the SQL commands CREATE, GRANT, DROP, REVOKE and ALTER.<br>e. Click "Submit" to save changes. |
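An added example (not part of the STIG, and not ColdFusion's own Admin API or storage format) that encodes the Check logic above as an automated audit over a constructed inventory of data-source settings, so the same pass/fail decisions can be applied to an exported configuration rather than clicked through by hand. The field names `query_timeout`, `login_timeout` and `allowed_sql` are this example's own assumptions.

```python
"""Audit ColdFusion data-source settings against APAS-CF-000755.

Constructed example: each data source is a dict mirroring the fields shown in
the Admin Console. The field names are this example's assumption, not
ColdFusion's storage format. A "query_timeout" of None models a driver that
offers no query timeout setting (the rule says that is not a finding).
"""

# SQL statement types the rule requires to be unchecked on every data source.
RESTRICTED_COMMANDS = ("CREATE", "GRANT", "DROP", "REVOKE", "ALTER")
MAX_LOGIN_TIMEOUT_SEC = 5  # a login timeout higher than 5 is a finding


def audit_datasource(ds):
    """Return a list of findings for one data source (empty means compliant)."""
    findings = []
    name = ds.get("name", "<unnamed>")
    query_timeout = ds.get("query_timeout")  # None: setting not offered
    if query_timeout is not None and int(query_timeout) == 0:
        findings.append(f"{name}: query timeout is 0 (no timeout)")
    login_timeout = ds.get("login_timeout")
    if login_timeout is not None and int(login_timeout) > MAX_LOGIN_TIMEOUT_SEC:
        findings.append(f"{name}: login timeout {login_timeout}s exceeds "
                        f"{MAX_LOGIN_TIMEOUT_SEC}s")
    allowed = {cmd.upper() for cmd in ds.get("allowed_sql", [])}
    for cmd in RESTRICTED_COMMANDS:
        if cmd in allowed:
            findings.append(f"{name}: SQL command {cmd} is allowed")
    return findings


def audit_all(datasources):
    """Audit every defined data source; no data sources defined is not a finding."""
    findings = []
    for ds in datasources:
        findings.extend(audit_datasource(ds))
    return findings


# Constructed sample inventory (not real data sources).
SAMPLE_DATASOURCES = [
    {"name": "hr_app", "query_timeout": 0, "login_timeout": 30,
     "allowed_sql": ["SELECT", "INSERT", "UPDATE", "DELETE", "DROP"]},
    {"name": "reports", "query_timeout": None, "login_timeout": 5,
     "allowed_sql": ["SELECT"]},
    {"name": "orders", "query_timeout": 60, "login_timeout": 3,
     "allowed_sql": ["SELECT", "INSERT", "UPDATE", "DELETE", "STOREDPROC"]},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_DATASOURCES):
        print("FINDING:", finding)
```

Running the sample reports three findings, all against `hr_app`; `reports` passes because its driver offers no query timeout and its login timeout is exactly 5, and `orders` passes outright.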