ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279129 | SRG-APP-000231-AS-000133 | APAS-CF-000485 | SV-279129r1171553_rule | 2025-12-19 | 1 |
| Description |
|---|
| The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performance troubleshooting, introduce unnecessary risk in a DOD environment. The PMT agent collects, stores, and transmits detailed information about ColdFusion server activity, queries, and application behavior. If deployed in production, this agent can inadvertently expose sensitive system details, execution paths, or database query patterns to unauthorized individuals. The PMT Agent Package increases the attack surface by adding additional components, services, and ports that must be secured, monitored, and patched. Improperly configured or unmonitored PMT agents could allow adversaries to gain insights into application internals, conduct reconnaissance, or pivot toward exploiting ColdFusion services. By prohibiting the installation of the PMT Agent Package, system administrators reduce complexity, limit potential vulnerabilities, and enforce the principle of least functionality. |
| ℹ️ Check |
|---|
| Verify the PMT Agent Package is not installed. From the Admin Console Landing Screen, navigate to Package Manager>> Packages. If the “pmtagent” package is listed under the "Installed Packages" section, this is a finding. |
| ✔️ Fix |
|---|
| Uninstall the PMT Agent Package. 1. From the Admin Console Landing Screen, navigate to Package Manager>> Packages. 2. Select the "pmtagent" package. 3. Select "Uninstall". 4. Select "OK". |