ColdFusion Backup Directory must be deleted.

Severity: medium
Group ID: V-279099
Group Title: SRG-APP-000454-AS-000268
Version: APAS-CF-000930
Rule ID: SV-279099r1172837_rule
Date: 2025-12-19
STIG Version: 1
Description
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when the update is installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or an incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.
ℹ️ Check
Verify that the update backup directory has been deleted.

Navigate to C:\ColdFusion2023\cfusion\hf-updates.

If any backup directories exist in the "hf-updates" folder, this is a finding.

Note: Do not remove the backup directory for an update until the update has been tested and the ColdFusion server has been verified to be operating correctly.
✔️ Fix
Remove Update Backups.

1. Navigate to C:\ColdFusion2023\cfusion\hf-updates.
2. Remove any backups from hf-updates.
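
The Check above can be run as a read-only PowerShell audit. This is an added example, not part of the STIG text or Adobe tooling. It assumes that every subdirectory under hf-updates is a candidate backup to be reviewed by the SA, and the function name Get-CFUpdateBackupCandidate is hypothetical.

```powershell
# Added example: read-only audit of the ColdFusion hf-updates folder.
# Assumption: any subdirectory under hf-updates is reported as a candidate
# update backup for SA review. Nothing is deleted by this script.
function Get-CFUpdateBackupCandidate {
    [CmdletBinding()]
    param(
        # Path taken from the Check text; adjust for other install roots.
        [string]$HfUpdatesPath = 'C:\ColdFusion2023\cfusion\hf-updates'
    )

    # A missing folder is not the same as a clean folder: stop so the
    # reviewer confirms the install root instead of recording a pass.
    if (-not (Test-Path -LiteralPath $HfUpdatesPath -PathType Container)) {
        throw "Path not found: $HfUpdatesPath (verify the ColdFusion install root)"
    }

    Get-ChildItem -LiteralPath $HfUpdatesPath -Directory -Force | ForEach-Object {
        # Collect the files so the report shows how much older code remains.
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
        $bytes = 0
        foreach ($f in $files) { $bytes += $f.Length }

        [pscustomobject]@{
            Directory     = $_.FullName
            LastWriteTime = $_.LastWriteTime
            FileCount     = $files.Count
            SizeMB        = [math]::Round($bytes / 1MB, 2)
        }
    }
}

$candidates = @(Get-CFUpdateBackupCandidate)
if ($candidates.Count -gt 0) {
    $candidates | Format-Table -AutoSize
    Write-Output "FINDING: $($candidates.Count) directory(ies) present under hf-updates."
} else {
    Write-Output 'No directories found under hf-updates.'
}
```

The LastWriteTime column helps match each directory to the update that created it, so a backup for an update still under test is not removed early.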