ColdFusion must have notifications enabled when a server update is available.

Severity: medium
Group ID: V-279101
Group Title: SRG-APP-000456-AS-000266
Version: APAS-CF-000940
Rule ID: SV-279101r1171077_rule
Date: 2025-12-19
STIG Version: 1
Description
Security flaws in software applications are discovered daily, and vendors constantly update and patch their products to address newly discovered security vulnerabilities. Configuring the software to discover that a new patch is available is important because administrators may be responsible for multiple servers running different applications and services, which makes it difficult to check for updates constantly. Enabling the automatic check informs the administrator, who can then investigate the patch, determine what is needed to apply it, and schedule any outages that might be needed, so the patch can be installed quickly and efficiently. Having "Check for updates every" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify guarantees a notification is sent to the administrator.
ℹ️ Check
Verify that the ColdFusion server is configured to notify administrators when updates are available, either automatically or through a documented manual process.

1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator or reviewing ColdFusion baseline documentation.
2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings.
3. Verify the following settings:
   - "Check for updates every" is enabled (checked).
   - A positive integer value (1 or greater) is entered for days.
   - At least one valid email address is entered in the "If updates are available, send email notification to" field.

   If any of these conditions are not met, this is a finding.
4. If the server does NOT have access to a patch repository, verify that a documented notification process exists describing how administrators are informed of available patches. Also verify that administrators are enrolled in the Adobe automated patch notification service.
5. To confirm enrollment, request a verification email or a recent patch notification email from Adobe.

If no documented notification process exists, or administrators are not enrolled in Adobe's notification service, this is a finding.
✔️ Fix
If the ColdFusion server has access to a patch repository:

1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
2. Enable "Check for updates every" by checking the box.
3. Enter a value greater than 0 in the "Days" field to define the update check interval.
4. Enter at least one valid email address in the "If updates are available, send email notification to" field.
5. Click "Submit Changes" to save the configuration.

If the ColdFusion server does NOT have access to a patch repository:

1. Develop and maintain documented procedures describing how update notifications will be received.
2. Enroll all administrators in the Adobe automated patch notification service.
3. Retain a copy of the verification or confirmation email demonstrating enrollment.