ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279112 | SRG-APP-000910-AS-000300 | APAS-CF-001135 | SV-279112r1171599_rule | 2025-12-19 | 1 |
| Description |
|---|
| Trust stores and certificate stores in ColdFusion are used to validate the authenticity of digital certificates during secure communications. If these stores include unapproved or rogue trust anchors, they introduce the risk of trusting malicious or compromised certificates. This can lead to man-in-the-middle (MitM) attacks, spoofing of trusted services, or unauthorized data decryption. Including only approved trust anchors ensures that ColdFusion trusts only vetted entities for secure communications and protects against the installation of unauthorized certificates that could be used to intercept or manipulate encrypted traffic. Maintaining strict control over which trust anchors are included in ColdFusion's trust and certificate stores is essential to upholding the integrity and confidentiality of system communications. It also keeps the server aligned with enterprise Public Key Infrastructure (PKI) policy and reduces the risk of inadvertently trusting a compromised or untrusted source. |
| ℹ️ Check |
|---|
| Validate connection. Two stores are in scope: the JRE trust store (`cacerts`), which holds the trust anchors ColdFusion uses for outbound TLS connections, and the keystore each Tomcat connector uses for inbound HTTPS. |

1. Open the JRE trust store `cacerts` by executing the following command:
   `C:\ColdFusion2023\jre\bin\keytool -list -keystore C:\ColdFusion2023\jre\lib\security\cacerts`
   keytool prompts for the store password; the JRE default is `changeit` unless the organization has changed it. Adding `-v` prints each entry's SHA-256 fingerprint, so entries can be checked against the organization's approved trust anchor list by fingerprint rather than by alias alone. If any outbound certificates listed are not approved trust anchors, this is a finding.
2. In each ColdFusion instance, open the server.xml file:
   `<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml`
3. Verify all uncommented connector tags for the word "keystorefile". Search case-insensitively: Tomcat documents the attribute as `keystoreFile`, and a connector written in the newer `<SSLHostConfig>` style carries it as `certificateKeystoreFile` on a nested `<Certificate>` element.
   a. Make note of any keystore path and filename.
   b. For each file found with the connector tag "keystorefile", execute the following command (the store password is the connector's `keystorePass` value):
      `C:\ColdFusion2023\jre\bin\keytool -list -keystore <keystorefile>`
      keytool labels each entry either `PrivateKeyEntry` (the connector's own certificate and key) or `trustedCertEntry` (a trust anchor). If any inbound certificates listed are not approved, this is a finding.
| ✔️ Fix |
|---|
| Configure connection. For all untrusted certificates identified, execute the following command against the store in which each was found: |

`C:\ColdFusion2023\jre\bin\keytool -delete -alias "<certificate alias>" -keystore <keystorefile>`

Back up the store before deleting. The alias must match the `keytool -list` output exactly, including any ` [jdk]` suffix on entries shipped with the JDK in `cacerts`. Delete only `trustedCertEntry` entries; removing a connector's `PrivateKeyEntry` takes its HTTPS listener down rather than removing a trust anchor. Restart ColdFusion so the connectors reload their keystores, and repeat the check after any JRE update, since an update can replace `cacerts`.
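The Check and Fix above are manual and alias-based. The following script is an added example, not part of the STIG and not Adobe's code: it parses `keytool -list -v` output and server.xml, compares every entry against an organization-approved SHA-256 fingerprint allowlist, and generates the `keytool -delete` lines from the Fix for whatever is not approved. Every path, alias and fingerprint in the sample data is constructed for the example; on a real host you would capture the real keytool output for `cacerts` and for each connector keystore and feed it in.

```python
"""Added example, not from the STIG or from Adobe: scripts the Check and Fix by
parsing `keytool -list -v` output and server.xml, comparing every entry against
an organization-approved SHA-256 fingerprint list, and emitting the keytool
-delete commands for what is not approved. All sample data below (paths,
aliases, fingerprints) is constructed for the example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional

KEYTOOL = r"C:\ColdFusion2023\jre\bin\keytool"   # path used in the STIG text

@dataclass
class KeystoreEntry:
    alias: str             # exactly as keytool prints it; reused for -delete
    entry_type: str        # trustedCertEntry (trust anchor) or PrivateKeyEntry
    sha256: Optional[str]  # fingerprint without colons, upper-case

def parse_keytool_listing(text: str) -> List[KeystoreEntry]:
    """Parse `keytool -list -v` output. For a PrivateKeyEntry keytool prints the
    whole chain; the first SHA256 after the alias is the entity certificate."""
    entries: List[KeystoreEntry] = []
    current: Optional[KeystoreEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = KeystoreEntry(line.split(":", 1)[1].strip(), "", None)
            entries.append(current)
        elif current is not None and line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif current is not None and current.sha256 is None and line.startswith("SHA256:"):
            current.sha256 = line.split(":", 1)[1].replace(":", "").strip().upper()
    return entries

def find_unapproved(entries: List[KeystoreEntry], approved: Iterable[str]) -> List[KeystoreEntry]:
    """Entries not on the allowlist; an unparsed fingerprint counts as unapproved."""
    allow = {fp.replace(":", "").upper() for fp in approved}
    return [e for e in entries if e.sha256 not in allow]

def connector_keystores(server_xml: str) -> List[str]:
    """Keystore paths from uncommented <Connector> elements. The XML parser drops
    comments, so a commented-out connector is skipped, matching the STIG's scope."""
    paths = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("keystoreFile"):
            paths.append(conn.get("keystoreFile"))
        for cert in conn.iter("Certificate"):   # newer <SSLHostConfig> style
            if cert.get("certificateKeystoreFile"):
                paths.append(cert.get("certificateKeystoreFile"))
    return paths

def delete_commands(findings: List[KeystoreEntry], keystore: str) -> List[str]:
    """The Fix's keytool -delete line per unapproved trust anchor. A PrivateKeyEntry
    is the connector's own identity, not a trust anchor, so it is never deleted."""
    return [f'{KEYTOOL} -delete -alias "{f.alias}" -keystore "{keystore}"'
            for f in findings if f.entry_type == "trustedCertEntry"]

# ---- constructed sample data; not real certificates or fingerprints ----
APPROVED_FP = ":".join(["A1"] * 32)   # the organization's approved root CA
SERVER_FP = ":".join(["C3"] * 32)     # the connector's own server certificate
ROGUE_FP = ":".join(["B2"] * 32)      # an anchor nobody approved
APPROVED_TRUST_ANCHORS = {APPROVED_FP, SERVER_FP}

SAMPLE_KEYTOOL_OUTPUT = f"""\
Alias name: corp-root-ca
Entry type: trustedCertEntry
Owner: CN=Example Corp Root CA, O=Example Corp, C=US
Certificate fingerprints:
\t SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
\t SHA256: {APPROVED_FP}

Alias name: unvetted-root
Entry type: trustedCertEntry
Owner: CN=Unvetted Root, O=Somebody, C=XX
Certificate fingerprints:
\t SHA256: {ROGUE_FP}

Alias name: cfserver
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cf.example.com, O=Example Corp, C=US
Certificate fingerprints:
\t SHA256: {SERVER_FP}
Certificate[2]:
Owner: CN=Example Corp Root CA, O=Example Corp, C=US
Certificate fingerprints:
\t SHA256: {APPROVED_FP}
"""

SAMPLE_SERVER_XML = r"""<Server port="8007" shutdown="SHUTDOWN"><Service name="Catalina">
  <!-- disabled connector, out of scope for the check:
  <Connector port="8444" SSLEnabled="true" keystoreFile="C:\certs\old.p12" /> -->
  <Connector port="8443" SSLEnabled="true" scheme="https" keystoreFile="C:\certs\inbound.p12" />
  <Connector port="9443" SSLEnabled="true">
    <SSLHostConfig><Certificate certificateKeystoreFile="C:\certs\sni.p12" /></SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    # On a real host, run `keytool -list -v -keystore <store>` for cacerts and each path below.
    print("connector keystores to review:", connector_keystores(SAMPLE_SERVER_XML))
    findings = find_unapproved(parse_keytool_listing(SAMPLE_KEYTOOL_OUTPUT), APPROVED_TRUST_ANCHORS)
    print(*delete_commands(findings, r"C:\certs\inbound.p12"), sep="\n")
```

Comparing by fingerprint rather than alias matters because an alias is free text chosen by whoever imported the certificate; a rogue anchor can be imported under a familiar-looking name. The script also refuses to emit a delete for a `PrivateKeyEntry`, so the generated commands only ever remove trust anchors, never the connector's own identity.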