JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-279095 | SRG-APP-000440-AS-000167 | APAS-CF-000885 | SV-279095r1171617_rule | 2025-12-19 | 1 |
| Description |
|---|
| ColdFusion uses the underlying JVM to transmit and receive data, but ColdFusion also offers the programmer an encrypt API call to protect the data. This call can use multiple crypto methods; using FIPS 140-2/140-3 validated methods rather than non-FIPS methods is the superior way to protect the data and detect changes to it. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS crypto methods. |
| ℹ️ Check |
|---|
| Verify JVM Arguments for Crypto. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If the JVM argument contains "-Dcoldfusion.enablefipscrypto=false" or "-Dcoldfusion.enablefipscrypto" is missing, this is a finding. 2. Observe the ColdFusion edition at the top of the Administrator Console. If the edition is "Standard", this is a finding. |
| ✔️ Fix |
|---|
| Configure JVM Arguments for Crypto. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. 2. Amend JVM arguments with "-Dcoldfusion.enablefipscrypto=true". 3. Click "Submit Changes". 4. If not using Enterprise Edition or cryptographic mechanisms are not available, reinstall with Enterprise Edition. |
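The check and fix above reduce to an inspection of the JVM argument list: the property must be present and set to `true`, and the edition must be Enterprise. The following script is an added example, not part of the STIG or of Adobe's tooling, that applies that logic to the `java.args=` line of a ColdFusion `jvm.config` file (the file name and key are assumptions, as is the treatment of a bare `-Dcoldfusion.enablefipscrypto` with no value as non-compliant); the sample config contents are constructed.

```python
"""Evaluate ColdFusion JVM arguments against the FIPS-crypto STIG check (added example)."""
import shlex

FIPS_FLAG = "-Dcoldfusion.enablefipscrypto"


def fips_flag_value(java_args: str):
    """Return the effective value of -Dcoldfusion.enablefipscrypto, or None if absent.

    A later -D definition overrides an earlier one on the JVM command line, so the
    last occurrence wins. A bare flag with no '=value' yields '' (property set but empty).
    """
    value = None
    for token in shlex.split(java_args):
        if token == FIPS_FLAG:
            value = ""
        elif token.startswith(FIPS_FLAG + "="):
            value = token[len(FIPS_FLAG) + 1:]
    return value


def check_fips_crypto(java_args: str, edition: str) -> list:
    """Return the list of findings; an empty list means the check passes."""
    findings = []
    value = fips_flag_value(java_args)
    if value is None:
        findings.append(f"{FIPS_FLAG} is missing from the JVM arguments")
    elif value.strip().lower() != "true":
        findings.append(f"{FIPS_FLAG} is set to {value!r}, not 'true'")
    if edition.strip().lower() == "standard":
        findings.append("ColdFusion edition is Standard; FIPS crypto requires Enterprise")
    return findings


def read_java_args(jvm_config_text: str) -> str:
    """Extract the java.args value from jvm.config contents (assumed key=value layout)."""
    for line in jvm_config_text.splitlines():
        line = line.strip()
        if line.startswith("java.args="):
            return line[len("java.args="):]
    return ""


# Constructed samples: the weak (finding) setting beside the corrected one.
WEAK_CONFIG = "java.args=-server -Xmx2048m -Dcoldfusion.enablefipscrypto=false\n"
FIXED_CONFIG = "java.args=-server -Xmx2048m -Dcoldfusion.enablefipscrypto=true\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check_fips_crypto(read_java_args(cfg), "Enterprise")
        print(label, result or "compliant")
```

Because the property can be listed more than once, the checker reports the last occurrence, which is the one the JVM actually honours; a reviewer reading only the first match would miss a trailing `=false` override.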