ColdFusion must encrypt patch retrieval.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279096 | SRG-APP-000440-AS-000167 | APAS-CF-000890 | SV-279096r1171589_rule | 2025-12-19 | 1 |
| Description |
|---|
| Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates. |
| ℹ️ Check |
|---|
| Verify that patch retrieval is performed securely, whether automated or manual. If the Administrator Console is not used to retrieve patches, proceed to Step 2. 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Review the Site URL fields for Update Site and Packages Site. Verify that all URLs are prefixed with "https://". If any URL is not prefixed with "https://", this is a finding. 3. If patches are retrieved manually, verify there is documented guidance describing the process. 4. Confirm the documented process requires using an encrypted method to download patches, such as VPN tunneling, Secure Copy (SCP), or equivalent secure protocols. If no documented process exists, or if the process does not require an encrypted method, this is a finding. |
| ✔️ Fix |
|---|
| If the Administrator Console is used for patch retrieval: 1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. 2. Locate the Site URL fields for "Update Site" and "Packages Site". 3. Update each URL to ensure it is prefixed with "https://" so communication is encrypted. 4. Select "Submit Changes". If a manual process is used to retrieve patches: 1. Develop and maintain documented procedures describing the manual patch retrieval process. 2. Ensure the process specifies using an encrypted method for downloading patches (e.g., VPN tunneling, SCP, or equivalent secure protocols). |