JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher.

Severity: high
Group ID: V-279092
Group Title: SRG-APP-000439-AS-000155
Version: APAS-CF-000860
Rule ID: SV-279092r1171584_rule
Date: 2025-12-19
STIG Version: 1
Description
Preventing the disclosure of transmitted information requires that ColdFusion employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through TLS. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. ColdFusion uses the JVM to control the encryption of transmitted data. JVM settings can be controlled within the Administrator Console to configure the JVM to use only FIPS 140-2/140-3 or higher approved TLS and to disable non-FIPS SSL versions.
ℹ️ Check
Verify JVM Arguments for TLS.

From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.

The parameter -Dhttps.protocols is used to set the TLS versions. Valid values for this setting must be TLS versions 1.2 or higher.

Example: -Dhttps.protocols=TLSv1.2,TLSv1.3

If the "JVM arguments" setting does not contain the parameter "-Dhttps.protocols" or if the parameter "-Dhttps.protocols" contains any unapproved protocols or versions, this is a finding.
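The check above can be scripted against the text of the "JVM arguments" field. The following is an added example, not part of the STIG: the function name, the approved set (assumed to be exactly TLSv1.2 and TLSv1.3, as in the check's example) and the sample strings are constructed for illustration.

```python
# Added example: audits a ColdFusion "JVM arguments" string for -Dhttps.protocols.
APPROVED = {"TLSv1.2", "TLSv1.3"}  # assumption: approved set, taken from the check's example
PARAM = "-Dhttps.protocols"


def audit_jvm_args(jvm_args: str) -> list[str]:
    """Return findings for a JVM arguments string; an empty list means no finding."""
    occurrences = []
    for token in jvm_args.split():
        name, sep, value = token.partition("=")
        if name == PARAM:
            # Tolerate a quoted value such as -Dhttps.protocols="TLSv1.2,TLSv1.3".
            occurrences.append(value.strip("\"'") if sep else "")
    if not occurrences:
        return [f"{PARAM} is not set"]

    findings = []
    if len(occurrences) > 1:
        findings.append(f"{PARAM} is set {len(occurrences)} times")
    # Check every occurrence so a stray duplicate cannot hide a weak value.
    for value in occurrences:
        protocols = [p.strip() for p in value.split(",") if p.strip()]
        if not protocols:
            findings.append(f"{PARAM} has no value")
        for proto in protocols:
            if proto not in APPROVED:
                findings.append(f"unapproved protocol: {proto}")
    return findings


# Constructed sample inputs (not taken from a real server).
SAMPLES = {
    "compliant": "-server -Xmx1024m -Dhttps.protocols=TLSv1.2,TLSv1.3",
    "missing": "-server -Xmx1024m",
    "legacy": "-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2",
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        result = audit_jvm_args(args)
        print(label, "->", result if result else "no finding")
```
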
✔️ Fix
Configure JVM Arguments for TLS.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.
2. In Section JVM Arguments, add the parameter "-Dhttps.protocols" and set the parameter to the TLS versions to be used. Example: -Dhttps.protocols=TLSv1.2,TLSv1.3
3. Select "Submit Changes".
4. Restart ColdFusion for the changes to take effect.