ColdFusion must be set to automatically check for updates.

Severity: medium
Group ID: V-279100
Group Title: SRG-APP-000456-AS-000266
Version: APAS-CF-000935
Rule ID: SV-279100r1171595_rule
Date: 2025-12-19
STIG Version: 1
Description
Security flaws in software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Configuring the software to discover when a new patch is available is important because administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, who can then investigate the patch, determine what is needed to apply it, and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.
ℹ️ Check
Verify the ColdFusion server is configured to check for updates, either automatically or through a documented manual process.

1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator (SA) or reviewing ColdFusion baseline documentation.

2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings.

3. Verify "Automatically Check for Updates" is enabled (checked).

If the server has access to a patch repository and "Automatically Check for Updates" is not enabled, this is a finding.

4. If the server does not have access to a patch repository, confirm that a documented manual process exists for checking and retrieving updates. The documented process must specify where to obtain updates, and how often updates are to be checked.

If no documented process exists, or if the process does not include both location and frequency, this is a finding.
✔️ Fix
Configure ColdFusion to check for updates.

1. If the ColdFusion server has access to a patch repository:
   a. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
   b. Enable the "Automatically Check for Updates" option by checking the box.
   c. Save the configuration.

2. If the ColdFusion server does not have access to a patch repository:
   a. Develop and maintain documented procedures describing the manual update process.
   b. Ensure the documentation includes the location where patches and updates will be obtained (e.g., Adobe website, internal repository) and the frequency with which updates will be checked (e.g., weekly, monthly).