{"stig":{"title":"Adobe ColdFusion Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-279030","ruleId":"SV-279030r1171489_rule","severity":"low","ruleTitle":"ColdFusion must limit concurrent sessions to the Administrator Console.","description":"The ColdFusion Administrator Console provides critical functionality for managing the ColdFusion application server. Allowing concurrent logins to the Administrator Console increases the risk of unauthorized access and account compromise. Disabling concurrent logins ensures that only one active session per user is allowed. This restriction provides a security benefit by alerting users to potential account compromise: If a user is unexpectedly logged out due to a new session being initiated, it may indicate unauthorized use of their credentials.","checkContent":"Verify Concurrent Administrator Console Logins. \n\n1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. Locate the option labeled \"Allow concurrent login sessions for Administrator Console\".\n\nIf this option is enabled (checked), this is a finding.","fixText":"Configure Concurrent Administrator Console Logins.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. Locate the option labeled \"Allow concurrent login sessions for Administrator Console\".\n\n3. Disable (uncheck) the option.\n\n4. Select \"Submit Changes\".","ccis":["CCI-000054"]},{"vulnId":"V-279031","ruleId":"SV-279031r1171492_rule","severity":"medium","ruleTitle":"The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors.","description":"Using only FIPS 140-2/140-3 or higher approved cryptographic modules for encryption helps ensure the confidentiality and integrity of transmitted data. Allowing using non-FIPS-approved or outdated encryption modules increases the attack surface and exposes the system to known vulnerabilities. Attacks such as POODLE and its variants exploit weaknesses in noncompliant cryptographic protocols by forcing HTTPS communications to downgrade to insecure cipher suites. This allows an attacker to decrypt sensitive data through man-in-the-middle techniques. \n\nEnforcing FIPS 140-2/140-3 and higher validated modules mitigates this risk by preventing fallback to weak encryption algorithms.","checkContent":"Verify FIPS Mode in Configuration. \n\n1. For each ColdFusion instance, locate the server.xml file in the following directory:\n<ColdFusion Install Directory>\\runtime\\conf\n\n2. Open server.xml.\n\n3. Search for the <Listener> tag for AprLifecycleListener, confirm that it includes the attribute:\nfipsmode=\"on\"\n\nIf the fipsmode=\"on\" attribute is not present, this is a finding.\n\n4. Verify FIPS Mode at Runtime. After starting ColdFusion, open the coldfusion-error.log file.\n\n5. Search for the term \"fipsmode\".\n\n6. Check for the following message:\nfailed to set property[FIPSMODE] to [on]\n\nIf this error message is present in the log, this is a finding.","fixText":"1. Enable FIPS Mode in Tomcat by editing the Tomcat server.xml configuration file.\n\n2. From the Tomcat server, log in as a privileged user, open the server.xml file:\nsudo nano $CATALINA_BASE/conf/server.xml\n\n3. Locate or add the <Listener> element for AprLifecycleListener.\n\n4. Ensure the element includes the FIPSMode=\"on\" attribute.\nExample configuration:\n<Listener\n    className=\"org.apache.catalina.core.AprLifecycleListener\"\n    SSLEngine=\"on\"\n    FIPSMode=\"on\"\n/>\n\n5. Save and close the file.\n\n6. Restart ColdFusion to apply the changes.\n\n7. Check coldfusion-error.log after startup to confirm there are no errors indicating failure to set FIPSMode.","ccis":["CCI-001453"]},{"vulnId":"V-279032","ruleId":"SV-279032r1171325_rule","severity":"medium","ruleTitle":"ColdFusion must require enforced authentication.","description":"ColdFusion must require each authorized user to authenticate and not allow multiple users. Without enforced authentication, there is no reliable method to verify the identity of users accessing the ColdFusion Administrator Console or other secured components of the application server. This lack of accountability can allow unauthorized users to gain elevated privileges, make unauthorized changes, or conceal malicious activity. Requiring a username and password for each user aligns with the principles of least privilege and ensures that access to sensitive configuration and management functions is appropriately controlled.","checkContent":"1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. If the \"Separate user name and password authentication (allows multiple users)\" is not selected, this is a finding.","fixText":"1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. Select \"Separate user name and password authentication (allows multiple users)\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000166"]},{"vulnId":"V-279033","ruleId":"SV-279033r1171269_rule","severity":"low","ruleTitle":"ColdFusion must not have local users.","description":"To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or generic accounts prevent the ability to associate user actions with specific individuals, which undermines auditing, accountability, and incident response capabilities. Unique user accounts ensure that each action taken within the ColdFusion environment can be attributed to a specific, identifiable user. This is essential for detecting misuse, investigating anomalies, and ensuring compliance with security policies.","checkContent":"Verify there are no local users.\n\n1. From the Admin Console Landing Screen, navigate to Security >> User Manager.\n\n2. For each user, validate \"External User\" is checked and \"User Type\" is selected.\n\nIf \"External User\" is not checked and \"User Type\" is not selected, this is a finding.","fixText":"Configure External User Accounts: \n\n1. From the Admin Console Landing Screen, navigate to Security >> User Manager.\n\n2. For any user accounts where \"External User\" is not checked and \"User Type\" is not selected:\n\na. Edit the user account (or remove the account if it should not exist).\n\nb. Check the box for \"External User\".\n\nc. Select the appropriate \"User Type\".\n\nd. Click \"Update User\" to save the changes.\n\ne. Verify that no local user accounts remain and that all users are correctly configured as external.","ccis":["CCI-000166"]},{"vulnId":"V-279034","ruleId":"SV-279034r1171436_rule","severity":"low","ruleTitle":"ColdFusion must produce log records containing information to establish what type of events occurred.","description":"Without sufficient logging of events, including information about what type of event occurred, it is difficult to detect, understand, or respond to suspicious or unauthorized activity within the ColdFusion application server.\n\nComprehensive event logging is essential to support auditing, troubleshooting, and forensic analysis. ColdFusion must generate log records that capture key attributes of events, such as event type, source, outcome, and affected components. This information enables security personnel to determine the nature of an event, assess its impact, and trace it back to a user or process. Failure to produce detailed and complete logs can result in missed detection of security incidents, hinder incident response efforts, and reduce overall situational awareness.\n\nSatisfies: SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072","checkContent":"Verify neo-logging.xml Log Pattern configuration.\n\n1. Open the neo-logging.xml file located at:\n<ColdFusion_Installation_Directory>\\lib\\neo-logging.xml\n\n2. Examine the <var name='pattern'/> element. Review the value assigned to this element. Verify the log pattern configuration.\n\n3. Confirm the value is:\n<string>\"%p\",\"%t\",%d{\"MM/dd/yy\",\"HH:mm:ss\"},\"%a\",\"%m%z\"%n</string>\n\nOR\n\nEnsure the following pattern definition is included:\n- The pattern includes the %d (date/time) pattern definition with the appropriate format (MM/dd/yy and HH:mm:ss).\n- The pattern includes the %m (message) pattern.\n\nIf the neo-logging.xml file is missing or cannot be located, this is a finding.\n\nIf the <var name='pattern'/> element does not contain the exact required pattern, this is a finding.\n\nIf the pattern does not include the %d token with the required date/time format, this is a finding.\n\nIf the pattern does not include the %m (message) token, this is a finding.","fixText":"1. Locate the neo-logging.xml file for ColdFusion: <ColdFusion_Installation_Directory>\\lib\\neo-logging.xml\n\n2. After creating a backup of this file, edit it and locate the <var name='pattern'/> element.\n\n3. Set the value of this element to include all pertinent fields, for example:\n<string>\"%p\",\"%t\",%d{\"MM/dd/yy\",\"HH:mm:ss\"},\"%a\",\"%m%z\"%n</string>","ccis":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-001487","CCI-000135"]},{"vulnId":"V-279035","ruleId":"SV-279035r1171616_rule","severity":"low","ruleTitle":"ColdFusion must log scheduled tasks.","description":"Logging scheduled tasks in ColdFusion is essential for detecting unauthorized or unexpected behavior, ensuring task execution integrity, and supporting forensic investigations.\n\nScheduled tasks can be used to automate critical operations, including data transfers, script executions, or maintenance routines. If these tasks are not properly logged, malicious or erroneous activities may go undetected. For example, an attacker could schedule a task to exfiltrate data or alter application configurations without immediate notice. Recording details such as task name, execution time, user context, success or failure status, and any associated errors provides administrators with the necessary information to monitor system behavior, identify anomalies, and maintain accountability.","checkContent":"Verify Logging is enabled. \n\nFrom the Admin Console Landing Screen, navigate to Debugging & Logging >> Logging Settings.\n\nIf \"Enable logging for scheduled tasks\" is missing, the Scheduler is not installed, and this is not a finding. \n\nIf \"Enable logging for scheduled tasks\" exists and is not checked, this is a finding.","fixText":"Configure ColdFusion to enable logging.\n\n1. From the Admin Console Landing Screen, navigate to Debugging & Logging >> Logging Settings.\n\n2. Check \"Enable logging for scheduled tasks\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000132"]},{"vulnId":"V-279036","ruleId":"SV-279036r1171601_rule","severity":"medium","ruleTitle":"The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.","description":"ColdFusion log files may contain sensitive information, including system events, error messages, user activity, and potentially authentication or configuration data. If these log files are not properly protected through restrictive file ownership and permissions, unauthorized users could read, alter, or delete the log data, resulting in a loss of audit integrity, undetected malicious activity, or exposure of sensitive operational details. \n\nSetting appropriate file ownership ensures that only authorized ColdFusion administrators or designated service accounts have access to the logs, reducing the risk of compromise. This control supports the confidentiality, integrity, and availability of log data.\n\nSatisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, SRG-APP-000267-AS-000170","checkContent":"Verify that the log directories for each ColdFusion instance are secured with appropriate ownership and permissions.\n\n1. Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.\n\n2. For ColdFusion running on Windows, the logs directory and all files within it must have Full Control granted to:\n- The Administrators group.\n- The user account running the ColdFusion service.\n\nIf any directory or file permissions do not meet this requirement, this is a finding.\n\n3. For ColdFusion running on Linux, the logs directory and all files within it must have:\n- \"Owner\" set to the user running ColdFusion.\n- \"Group ownership\" set to root.\n- \"Permissions\" set to 740 or more restrictive.\n\nIf ownership or permissions do not meet this requirement, this is a finding.","fixText":"Locate the logs directory for each ColdFusion instance. The log directory path is located in the ColdFusion Administrator Console under Debugging & Logging >> Logging Settings.\n\nFor ColdFusion running on Windows:\n1. Right-click the logs directory and select \"Properties\".\n\n2. Click the Security tab and then click \"Advanced\".\n\n3. On the Permissions tab, click \"Disable inheritance\" and select \"Remove all inherited permissions from this object\".\n\n4. Click \"Add\".\n- In the Permission Entry dialog box, click \"Select a principal\".\n- Enter the user account running the ColdFusion service.\n- Grant Full Control and click \"OK\".\n\n5. Click \"Add\" again.\n- In the Permission Entry dialog, click \"Select a principal\".\n- Enter the Administrators group.\n- Grant full control and click \"OK\".\n\n6. Check \"Replace all child object permission entries with inheritable permission entries from this object\".\n\n7. Click \"OK\" to apply the permissions.\n\nFor ColdFusion running on Linux:\nSet ownership and permissions using the following commands, replacing the path and user as appropriate:\n\nchown -R <cfuser>:root /path/to/logs\nchmod -R 740 /path/to/logs\n\nNote: Required permissions are automatically set by the Auto-Lockdown Installer.","ccis":["CCI-000162","CCI-000163","CCI-000164","CCI-001314"]},{"vulnId":"V-279037","ruleId":"SV-279037r1171603_rule","severity":"low","ruleTitle":"The ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools.","description":"Log management tools within ColdFusion provide access to view, analyze, and sometimes modify application log data. If file ownership and permissions for these tools are not properly restricted, unauthorized users could gain access to audit logs, modify or delete critical records, or bypass detection mechanisms. This not only compromises the integrity and availability of audit data but also undermines the organization's ability to detect and respond to security incidents. Properly assigning file ownership and enforcing least privilege permissions ensures that only authorized administrators or service accounts have access to these tools. This reduces the risk of log tampering or exposure of sensitive information.\n\nSatisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083","checkContent":"For ColdFusion running on Windows:\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\lib\n\n2. The logs directory and all files within it must have Full Control granted to the Administrators group and the user account running the ColdFusion service.\n\nIf any directory or file permissions do not meet this requirement, this is a finding.\n\nFor ColdFusion running on Linux:\n1. Navigate to: \n<ColdFusion_Installation_Directory>/cfusion/runtime/conf\n<ColdFusion_Installation_Directory>/cfusion/runtime/lib\n\n2. The logs tools directory and all files within it must have:\n- \"Owner\" set to the user running ColdFusion.\n- \"Group ownership\" set to root.\n- \"Permissions\" set to 640 or more restrictive.\n\nIf ownership or permissions do not meet this requirement, this is a finding.","fixText":"For ColdFusion running on Windows:\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\lib\n\n2. Right-click the directory and select \"Properties\".\n\n3. Click the Security tab and then click \"Advanced\".\n\n4. On the Permissions tab, click \"Disable inheritance\" and select \"Remove all inherited permissions from this object\".\n\n5. Click \"Add\".\n\na. In the Permission Entry dialog, click \"Select a principal\".\n\nb. Enter the user account running the ColdFusion service.\n\nc. Grant Full Control and click \"OK\".\n\n6. Click \"Add\" again.\n\na. In the Permission Entry dialog, click \"Select a principal\".\n\nb. Enter the Administrators group.\n\nc. Grant Full Control and click \"OK\".\n\n7. Check \"Replace all child object permission entries with inheritable permission entries from this object\".\n\n8. Click \"OK\" to apply the permissions.\n\nFor ColdFusion running on Linux:\nSet ownership and permissions using the following commands, replacing the path and user as appropriate:\nchown -R <cfuser>:root <ColdFusion_Installation_Directory>/cfusion/runtime/conf\n\nchown -R <cfuser>:root <ColdFusion_Installation_Directory>/cfusion/runtime/lib\n\nchmod -R 640 <ColdFusion_Installation_Directory>/cfusion/runtime/conf\nchmod -R 640 <ColdFusion_Installation_Directory>/cfusion/runtime/lib","ccis":["CCI-001493","CCI-001494","CCI-001495"]},{"vulnId":"V-279038","ruleId":"SV-279038r1171464_rule","severity":"medium","ruleTitle":"Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified.","description":"The hash verification process must be performed using an approved hashing algorithm to ensure the package has not been altered, tampered with, or corrupted during transfer. If the computed hash does not exactly match the official vendor hash, the installation or upgrade must not proceed, and the discrepancy must be investigated and resolved prior to deployment.\n\nFailure to verify the cryptographic hash of ColdFusion installation or upgrade packages exposes the system to potential compromise. A malicious actor could modify the package to include backdoors, vulnerabilities, or unauthorized code. If the altered package is installed, it may provide an attacker with privileged access to the system, compromise sensitive data, or disrupt operations. Manually verifying the vendor-provided hash ensures the authenticity and integrity of the package before installation, protecting against supply chain attacks and unauthorized modifications.","checkContent":"Verify hash by obtaining the official cryptographic hash for the ColdFusion installation or upgrade package from the Adobe-provided source.\n\n1. On the system where the package is stored, compute the hash value using an approved tool (e.g., certutil on Windows or sha256sum on Linux).\n\nWindows Example:\ncertutil -hashfile ColdFusionInstaller.exe SHA256\n\nLinux Example:\nsha256sum ColdFusionInstaller.bin\n\n2. Compare the computed hash against the vendor-provided hash value.\n\nIf the computed hash does not exactly match the vendor-provided hash, this is a finding.\n\nIf there is no documented evidence that a manual hash verification was performed prior to installation or upgrade, this is a finding.","fixText":"1. Obtain the official vendor-provided cryptographic hash for the ColdFusion installation or upgrade package.\n\n2. Before installation or upgrade, compute the hash value locally using an approved tool (e.g., certutil or sha256sum).\n\n3. Compare the computed hash against the vendor-provided hash. \n\na. If the values match, proceed with installation or upgrade.\n\nb. If the values do not match, do not proceed. Redownload the package from a trusted source and reverify until the hash matches.\n\n4. Maintain documentation of the verification process for auditing purposes.","ccis":["CCI-001749"]},{"vulnId":"V-279039","ruleId":"SV-279039r1171605_rule","severity":"medium","ruleTitle":"Critical ColdFusion directories must have secure file system permissions and ownership.","description":"Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by a system administrator (SA) to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, they can then attempt to revert the system to an unsecure version which may have known and documented attacks that can be successful to compromise ColdFusion. \n\nTo protect against this type of attack and to further define roles for users, access to the patch management functionality is important. Proper protection is performed through assigning the appropriate roles to the users of the Administrator Console and through the least privileged permissions assigned at the OS level.","checkContent":"Verify critical ColdFusion directories have secure file system permissions and ownership appropriate to the operating system and deployment model.\n\n1. Locate the following directories within the ColdFusion installation for each ColdFusion instance:\n<ColdFusion_Install>\\bundles\n<ColdFusion_Instance>\\bin\n<ColdFusion_Instance>\\lib\n<ColdFusion_Instance>\\runtime\\lib\n<ColdFusion_Instance>\\wwwroot\\WEB-INF\\lib\n\n2. For ColdFusion running on Windows, each of the above directories must have \"Full Control\" granted to:\n- The Administrators group.\n- The user account running ColdFusion.\n\nIf any directory or file within these paths has incorrect permissions, this is a finding.\n\n3. For ColdFusion running on Linux, each directory must meet the following criteria:\n- Owner: The user account running ColdFusion.\n- Group ownership: root.\n- Permissions: Set to 740 or more restrictive.\n\nIf the ownership or permissions on any directory or file are incorrect, this is a finding.","fixText":"Update ownership and permissions on ColdFusion directories. \n\n1. Locate the following directories in the ColdFusion installation and in each ColdFusion instance:\n- bundles\n- bin\n- lib\n- runtime\\lib\n- wwwroot\\WEB-INF\\lib\n\n2. For ColdFusion running on Windows, right-click the directory (e.g., lib) and select \"Properties\".\n\n3. Select the Security tab and then click \"Advanced\".\n\n4. On the Permissions tab, click \"Disable inheritance\" and select \"Remove all inherited permissions from this object\".\n\n5. Click \"Add\".\n- In the Permission Entry dialog, click \"Select a principal\".\n- Enter the user account running the ColdFusion service.\n- Grant full control and then click \"OK\".\n\n6. Click \"Add\" again.\n- In the Permission Entry dialog, click \"Select a principal\".\n- Enter the Administrators group.\n- Grant full control and then click \"OK\".\n\n7. Check \"Replace all child object permission entries with inheritable permission entries from this object\".\n\n8. Click \"OK\" to apply the permissions.\n\n9. Repeat these steps for each of the listed directories.\n\n10. For ColdFusion running on Linux, for each directory (e.g., /opt/ColdFusion2023/cfusion/lib), set ownership and permissions using the following commands, replacing cfuser with the user running ColdFusion:\n\nchown -R <cfuser>:root /path/to/directory\nchmod -R 740 /path/to/directory\n\n11. Repeat these commands for each of the identified directories (bundles, bin, lib, runtime/lib, wwwroot/WEB-INF/lib).","ccis":["CCI-001499"]},{"vulnId":"V-279040","ruleId":"SV-279040r1171341_rule","severity":"medium","ruleTitle":"ColdFusion must configure WebSocket Service.","description":"Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server.\n\nWhen enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface.\n\nWhen used, the WebSocket service must be securely configured.\n\nSatisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259","checkContent":"Verify the ColdFusion WebSocket configuration.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.\n\nIf the \"websocket\" package is not installed, this is Not Applicable.\n\n2. If \"Enable WebSocket Service\" is checked:\nIf \"Use Proxy\" is selected and the \"Port\" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.\n\n3. If \"Use Built-in WebSocket Server\" is selected and the \"Port\" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.\n\n4. If SSL Port is not checked, this is a finding.\n\n5. Verify SSL Port is an approved port. If not, this is a finding.\n\n6. If \"Start Flash Policy Server\" is checked, this is a finding.\n\n7. If \"Max Data Size\" is over the required maximum size, this is a finding.","fixText":"Configure ColdFusion WebSocket.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.\n\n2. If \"Use Proxy\" is selected, uncheck \"Port\" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.\n\n3. If \"Use Built-in WebSocket Server\" is selected, uncheck \"Port\" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.\n\n4. Enable encryption by checking \"SSL Port\" and enter an approved port value.\n\n5. Enter keystore and password.\n\n6. Uncheck the \"Start Flash Policy Server\".\n\n7. Set the \"Max Data Size\" to the default setting of 1024 or to the required maximum size for the hosted applications.\n\n8. Select \"Submit Changes\".","ccis":["CCI-000381","CCI-000197","CCI-002385","CCI-002422"]},{"vulnId":"V-279041","ruleId":"SV-279041r1171343_rule","severity":"medium","ruleTitle":"ColdFusion must have Event Gateway Services disabled when not in use.","description":"Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. Event Gateway Services are used to pass events from external sources to ColdFusion components that are specified. Since this gateway is accepting events from external sources, a listener must be present. When enabled, along with the listener, memory, queues, and processes are available for gateway processes. These resources can be used by an attacker and should be disabled if the feature is not being used for hosted applications.","checkContent":"Check Event Gateway Service.\n\n1. From the Admin Console Landing Screen, navigate to Event Gateways >> Settings.\n\nIf Event Gateway is not in use and \"Enable ColdFusion Event Gateway Services\" is checked, this is a finding.","fixText":"Configure Event Gateway Service.\n\n1. From the Admin Console Landing Screen, navigate to Event Gateways >> Settings.\n\n2. Uncheck \"Enable ColdFusion Event Gateway Services\". \n\n3. Select \"Submit Changes\".","ccis":["CCI-000381"]},{"vulnId":"V-279042","ruleId":"SV-279042r1171505_rule","severity":"medium","ruleTitle":"ColdFusion must have Remote Development Services (RDS) disabled.","description":"Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. RDS is used in a development environment to allow authenticated users access to the server using special features within code editors like Dreamweaver, HomeSite+, ColdFusion Studio, Eclipse, and VSCode to obtain information from the server. For example, developers can determine what data sources exist, query them, build code based on them, and more. RDS also enables access from within the editors to files on the server (even remotely) over HTTP, as an alternative to FTP. This feature is not meant for production environments.","checkContent":"Verify RDS is disabled.\n\nFrom the Admin Console Landing Screen, navigate to Security >> RDS.\n\nIf \"Enable RDS Service\" is checked, this is a finding.","fixText":"Disable RDS. \n\n1. From the Admin Console Landing Screen, navigate to Security >> RDS.\n\n2. Uncheck \"Enable RDS Service\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000381"]},{"vulnId":"V-279043","ruleId":"SV-279043r1171348_rule","severity":"low","ruleTitle":"ColdFusion must have example services removed.","description":"ColdFusion is installed with sample data services, gateway services, collections, and mappings. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to ColdFusion and to systems connected to ColdFusion. To correct this issue, sample code and services must be deleted.","checkContent":"Verify Sample Services have been removed.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services.\n\nIn the Data Sources tab, if the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding.\n\nIn the ColdFusion Collections tab, if the bookclub collection exists, this is a finding.\n\nIn the GraphQL tab, if the service \"myservice\" with the path \" https://apollo-fullstack-tutorial.herokuapp.com/graphql\" exists, this is a finding.\n\n2. Navigate to Event Gateways.\n\nIn the Gateway Instances tab, if the Gateway Instance SMS Menu App exists, this is a finding.","fixText":"Remove Sample Services.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services.\n\na. In the Data Sources tab, delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples.\n\nb. In the ColdFusion Collections tab, delete the bookclub collection.\n\nc. In the GraphQL tab, delete the service \"myservice\" with the path \"https://apollo-fullstack-tutorial.herokuapp.com/graphql\".\n\n2. Navigate to Event Gateways.\n\na. In the Gateway Instances tab, delete the Gateway Instance SMS Menu App.","ccis":["CCI-000381"]},{"vulnId":"V-279044","ruleId":"SV-279044r1171508_rule","severity":"medium","ruleTitle":"ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging.","description":"Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging, are valuable tools during development but pose significant security risks if left enabled in production environments. These features can expose detailed error messages, internal server logic, application structure, variable contents, and system information that could be leveraged by attackers to gain unauthorized access, identify exploitable vulnerabilities, or conduct reconnaissance.\n\nAllowing remote inspection or detailed debugging output in a production environment undermines the principle of least privilege and increases the risk of unauthorized disclosure of sensitive information. This violates secure coding and deployment best practices. Disabling these features mitigates the risk of information leakage.\n\nSatisfies: SRG-APP-000141-AS-000095, SRG-APP-000266-AS-000169","checkContent":"Validate Debugging and Logging settings. \n\nFrom the Admin Console Landing Screen, navigate to Debugging & Logging. \n\nIn the \"Remote Inspection Settings\" tab, if \"Allow Remote Inspection\" is checked, this is a finding.\n\nIn the \"Debug Output Settings\" tab, if \"Enable Robust Exception Information\" is checked, this is a finding.\n\nIf \"Enable AJAX Debug Log Window\" is checked, this is a finding.\n\nIn the \"Debugger Settings\" tab, if \"Allow Line Debugging\" is checked, this is a finding.","fixText":"Configure Debugging and Logging settings. \n\n1. From the Admin Console Landing Screen, navigate to Debugging & Logging.\n\n2. In the \"Remote Inspection Settings\" tab, ensure \"Allow Remote Inspection\" is unchecked.\n\n3. Select \"Submit Changes\".\n\n4. In the \"Debug Output Settings\" tab, ensure \"Enable Robust Exception Information\" is unchecked.\n\n5. Ensure \"Enable AJAX Debug Log Window\" is unchecked.\n\n6. Select \"Submit Changes\".\n\n7. In the Debugger Settings tab, ensure \"Allow Line Debugging\" is unchecked. \n\n8. Select \"Submit Changes\".","ccis":["CCI-000381","CCI-001312"]},{"vulnId":"V-279045","ruleId":"SV-279045r1171287_rule","severity":"medium","ruleTitle":"ColdFusion must have any unused mappings removed.","description":"ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings are left configured, they can present an unmonitored and potentially exploitable entry point for attackers. These mappings may inadvertently expose internal files, application code, or sensitive resources that are not intended for public or application-level access. Attackers can leverage such mappings to bypass access controls, perform directory traversal attacks, or gain insight into the server's file structure.\n\nRemoving unused mappings reduces the attack surface and eliminates access to unnecessary or insecure directories, supporting the principle of least functionality.","checkContent":"Verify Mappings. \n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings.\n\n2. For each of the mappings defined, ask the administrator if the mapping is being used by any hosted applications.\n\nIf any of the mappings are not being used by the hosted applications, this is a finding.","fixText":"Delete unused mappings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings.\n\n2. Delete any mapping that is not being used by the hosted applications.","ccis":["CCI-000381"]},{"vulnId":"V-279046","ruleId":"SV-279046r1171510_rule","severity":"low","ruleTitle":"ColdFusion must have Central Configuration Server (CCS) disabled.","description":"The ColdFusion CCS is a feature used to synchronize configuration settings across multiple ColdFusion instances. Leaving CCS enabled in a production environment especially when it is not actively used introduces unnecessary risk. If improperly secured or misconfigured, CCS can allow unauthorized access to critical configuration settings, leading to configuration drift, exposure of sensitive information, or even system compromise across multiple instances.\n\nDisabling CCS when not explicitly required helps reduce the application server's attack surface, ensures tighter control over system configurations, and limits the potential vectors for lateral movement within the environment.","checkContent":"Validate CCS is disabled.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> CCS.\n\nIf the \"CCS Enabled\" is \"Enabled\", this is a finding.","fixText":"Disable CCS.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> CCS.\n\n2. Select \"Disabled\" on \"CCS Enabled\" setting.\n\n3. Select \"Submit Changes\".","ccis":["CCI-000381"]},{"vulnId":"V-279047","ruleId":"SV-279047r1171513_rule","severity":"low","ruleTitle":"ColdFusion must have only approved Tomcat connectors enabled.","description":"Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols. \n\nTo minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality.","checkContent":"Review SSP for list of approved connectors and associated TCP/IP ports. Verify only approved connectors are present.\n\n1. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Open the server.xml file in a text editor. Locate the \"Connector\" tags that are not commented out.\n\n3. Verify all connectors and their associated network ports are approved in the system security plan (SSP).\n\nIf connectors are found but are not approved in the SSP, this is a finding.","fixText":"1. Obtain information system security officer (ISSO) approvals for the configured connectors and document in the SSP.\n\n2. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n3. Create a backup of this file.\n\n4. Edit the file and remove any unapproved connectors by deleting the \"Connector\" tag or using XML syntax to comment out the configuration. XML comment syntax starts with <!-- and ends with -->","ccis":["CCI-000381"]},{"vulnId":"V-279048","ruleId":"SV-279048r1171516_rule","severity":"low","ruleTitle":"ColdFusion must have Tomcat configured with deployXML disabled.","description":"The deployXML setting in Tomcat controls whether the server will automatically deploy and process context.xml files found within web application directories. When enabled, this feature allows web applications to define their own context-level configurations, which may override secure global settings or introduce insecure configurations without administrator knowledge or oversight.\n\nAllowing applications to self-deploy XML configuration files increases the risk of misconfiguration, privilege escalation, or malicious reconfiguration. Disabling deployXML enforces centralized control over context configurations, reduces the risk of insecure deployments, and aligns with the principle of least functionality.","checkContent":"DeployXML Configuration in server.xml.\n\n1. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Review the server.xml configuration by opening the server.xml file in a text editor.\n\n3. Search for all <Host> elements.\n\n4. Check the deployXML attribute. Inspect each <Host> element for the deployXML setting.\n\nIf any <Host> element has \"deployXML=\"true\"\", this is a finding.","fixText":"Disable deployXML in server.xml.\n\n1. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Before making any changes, create a backup copy of the file.\n\nWindows Example:\ncopy server.xml server.xml.bak\n\nLinux Example:\ncp server.xml server.xml.bak\n\n3. Edit the configuration by opening server.xml in a text editor with administrative privileges.\n\n4. Locate all <Host> elements with:\ndeployXML=\"true\"\n\n5. Change all attributes to:\ndeployXML=\"false\"\n\n6. Restart ColdFusion to apply the configuration changes.\n\n7. Confirm that ColdFusion services started successfully.\n\n8. Reopen server.xml to confirm that deployXML=\"false\" is set for all <Host> elements.","ccis":["CCI-000381"]},{"vulnId":"V-279049","ruleId":"SV-279049r1171519_rule","severity":"low","ruleTitle":"ColdFusion must be configured with autoDeploy disabled.","description":"ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks.","checkContent":"Review the autoDeploy configuration in server.xml.\n\n1. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Review the server.xml configuration by opening the server.xml file in a text editor.\n\n3. Search for all <Host> elements.\n\n4. Check the autoDeploy Attribute. Inspect each <Host> element for the autoDeploy setting.\n\nIf any <Host> element has \"autoDeploy=\"true\"\", this is a finding.","fixText":"Disable autoDeploy in server.xml.\n\n1. Locate the server.xml file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Before making any changes, create a backup copy of the file.\n\nWindows Example:\ncopy server.xml server.xml.bak\n\nLinux Example:\ncp server.xml server.xml.bak\n\n3. Edit the configuration by opening server.xml in a text editor with administrative privileges.\n\n4. Locate all <Host> elements with:\nautoDeploy=\"true\"\n\n5. Change all attributes to:\nautoDeploy=\"false\"\n\n6. Restart ColdFusion to apply the configuration changes.\n\n7. Confirm that ColdFusion services started successfully.\n\n8. Reopen server.xml to confirm that autoDeploy=\"false\" is set for all <Host> elements.","ccis":["CCI-000381"]},{"vulnId":"V-279050","ruleId":"SV-279050r1171521_rule","severity":"medium","ruleTitle":"ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.","description":"ColdFusion Server Settings must be securely configured to enforce application hardening, prevent misuse of functionality, and protect against common web application vulnerabilities. These settings control critical behaviors, including request timeouts, file inclusion, POST limits, script protection, error handling, and access to internal Java components. If these settings are not properly configured according to documented security guidelines and performance parameters, ColdFusion may be exposed to a variety of threats.\n\nImproper request throttling or POST limits can lead to denial-of-service conditions, while excessive output buffer sizes and unfiltered file uploads can result in resource exhaustion or exploitation of the file system. Enabling features such as debug output, remote inspection, or detailed exception information may disclose internal logic, configuration details, or sensitive data to unauthorized users. Allowing overly permissive file inclusion or attribute handling introduces the risk of injection attacks or unintended code execution.\n\nUsing default, insecure, or unnecessary feature violates secure configuration principles and increases the application's attack surface.\n\nEnsuring ColdFusion is configured with approved and secure server settings helps maintain proper access control, input validation, error handling, and system resilience, ultimately reducing the risk of compromise or misuse.\n\nSatisfies: SRG-APP-000141-AS-000095, SRG-APP-000211-AS-000146, SRG-APP-000223-AS-000150, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000435-AS-000163, SRG-APP-000441-AS-000258, SRG-APP-000447-AS-000273, SRG-APP-000516-AS-000237","checkContent":"Verify Server Settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\nIf \"Timeout Requests after seconds\" is not set to \"5\" or is not set in accordance with the documented tuning parameters, this is a finding.\n\nIf \"Disable access to internal ColdFusion Java components\" is unchecked, this is a finding.\n\nIf \"Allow REST Discovery\" is checked, this is a finding.\n\n2. Review the \"Allow Extra Attributes in AttributeCollection\" setting.\n\nIf the nonstandard attributes are allowed to be passed to ColdFusion tags, this is a finding.\n\nIf \"Allowed file extensions for CFInclude tag\" is empty, this is not a finding.\n\nIf \"Allowed file extensions for CFInclude tag\" contains the wildcard string \"*.*\" or if the list of file extensions is not the list approved by the ISSO, this is a finding.\n\nIf \"Disable creation of unnamed applications\" is unchecked, this is a finding.\n\nIf \"Use UUID for cftoken\" is not checked, this is a finding.\n\nIf \"Allow adding application variables to Servlet Context\" is checked, this is a finding.\n\nIf \"Check configuration files for changes every\" is checked, this is a finding.\n\nIf \"Maximum number of POST request parameters\" is not set to \"50\" or is not set in accordance with documented tuning parameters, this is a finding.\n\nIf the \"Maximum Output Buffer Size\" is set to a number larger than 1024, this is a finding.\n\nIf the \"Max Unzip Ratio\" is set to a number larger than 100, this is a finding.\n\nIf the \"Request Throttle Threshold\" is set to a number larger than 4, this is a finding.\n\nIf the \"Disable CFC Type check\" is checked, this is a finding.\n\nIf the \"Prefix serialized JSON with\" is unchecked, this is a finding.\n\nIf the \"Enable Global Script Protection\" is unchecked, this is a finding.\n\nIf the \"Default ScriptSrc Directory\" is set to /cf_scripts/scripts/\", this is a finding.\n\n3. Review the \"Use UUID for cftoken\" setting.\n\nIf the cftoken is not configured to use UUID, this is a finding.\n\n4. Review the \"Prefix serialized JSON with\" setting.\n\nIf a prefix is not configured for JSON, this is a finding.\n\n5. Review the \"Blocked file extensions for CFFile uploads\" setting.\n\nIf no file extensions are set to be blocked, this is a finding.\n\n6. Validate that the \"Missing Template Handler\" setting is not blank and that the template specified is a valid.\n\nIf the \"Missing Template Handler\" parameter is blank this is a finding.\n\n7. Validate that the template exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory.\n(Example: If the web servers' document root is /opt/webserver/wwwroot and the \"Missing Template Handler\" is set to /CFIDE/administrator/templates/missing_template_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/missing_template_error.cfm.)\n\nIf the \"Missing Template Handler\" setting is not a valid file, this is a finding.\n\n8. Validate that the \"Site-wide Error Handler\" setting is not blank and that the template specified is valid.\n\nIf the \"Site-wide Error Handler\" parameter is blank, this is a finding.\n\n9. Validate that the template exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory. (Example: If the web server's document root is /opt/webserver/wwwroot and the \"Site-wide Error Handler\" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm.)\n\nIf the \"Site-wide Error Handler\" setting is not a valid file, this is a finding.","fixText":"Configure Server Settings.\n\n1. Set \"Timeout Requests after seconds\" to \"5\" or adjust according to documented tuning parameters.\n\n2. Check the box to disable access to internal ColdFusion Java components.\n\n3. Uncheck \"Allow REST Discovery\" if it is currently checked.\n\n4. Review and disallow nonstandard attributes from being passed to ColdFusion tags.\n\n5. Ensure \"Allowed file extensions for CFInclude tag\" is not empty and does not contain \".\" unless approved by the information system security officer (ISSO).\n\n6. Check the box to disable creation of unnamed applications.\n\n7. Check the box to use UUID for cftoken.\n\n8. Uncheck \"Allow adding application variables to Servlet Context\".\n\n9. Uncheck \"Check configuration files for changes every\".\n\n10. Set \"Maximum number of POST request parameters\" to \"50\" or adjust according to documented tuning parameters.\n\n11. Set \"Maximum Output Buffer Size\" to \"1024\" or lower.\n\n12. Set \"Max Unzip Ratio\" to \"100\" or lower.\n\n13. Set \"Request Throttle Threshold\" to \"4\" or lower.\n\n14. Uncheck \"Disable CFC Type check\".\n\n15. Check the box to prefix serialized JSON.\n\n16. Check the box to enable Global Script Protection.\n\n17. Set \"Default ScriptSrc Directory\" to a directory other than \"/cf_scripts/scripts/\".\n\n18. Ensure that \"Use UUID for cftoken\" is configured to use UUID.\n\n19. Ensure that a prefix is configured for JSON serialization.\n\n20. Ensure that file extensions are appropriately blocked as per policy.\n\n21. Ensure that \"Missing Template Handler\" is not blank and specifies a valid template path.\n\n22. Ensure that \"Site-wide Error Handler\" is not blank and specifies a valid template path.\n\n23. Select \"Submit Changes\".","ccis":["CCI-000381","CCI-001082","CCI-001664","CCI-001312","CCI-001813","CCI-002385","CCI-002420","CCI-002754","CCI-000366"]},{"vulnId":"V-279051","ruleId":"SV-279051r1171473_rule","severity":"low","ruleTitle":"ColdFusion must have the sample data directories removed.","description":"ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to ColdFusion and to those systems connected to ColdFusion. To alleviate this issue, sample code, data, and services must be deleted.","checkContent":"1. Locate each directory of the ColdFusion instances and observe their subdirectories.\n\nIf the \"db\" subdirectory exists, this is a finding.\n\nIf the \"cfx\" subdirectory exists, this is a finding.\n\n2. From the Admin Console Landing Screen, navigate to Package Manager >> Packages.\n\nIf the \"gateway\" subdirectory exists and the \"eventgateways\" package is not listed as installed, this is a finding.\n\nIf the \"gql\" subdirectory exists and the \"graphqlclient\" package is not listed as installed, this is a finding.","fixText":"Delete all sample directories not referenced by an installed package in each ColdFusion instance directory.","ccis":["CCI-000381"]},{"vulnId":"V-279052","ruleId":"SV-279052r1171523_rule","severity":"low","ruleTitle":"ColdFusion must have the CFSTAT feature disabled when not in use.","description":"Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. ColdFusion offers the CFSTAT command-line utility to retrieve real-time performance metrics for the system. This feature uses a socket connection to obtain the metrics which can also be used by an attacker to observe privileged information about the system and must be disabled if not in use.","checkContent":"Verify the CFSTAT feature.\n\nFrom the Admin Console Landing Screen, navigate to Debug & Logging >> Debug Output Settings.\n\nIf CFSTAT is not in use and \"Enable CFSTAT\" is checked, this is a finding.","fixText":"Configure the CFSTAT feature.\n\n1. From the Admin Console Landing Screen, navigate to Debug & Logging >> Debug Output Settings.\n\n2. Uncheck \"Enable CFSTAT\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000381"]},{"vulnId":"V-279053","ruleId":"SV-279053r1171525_rule","severity":"medium","ruleTitle":"ColdFusion must disable the In-Memory File System.","description":"Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DOD system. ColdFusion offers an in-memory file system. This feature can be used to have dynamic code execute quickly which in turns enables an application to execute quicker. This feature can also be used by an attacker to execute dynamic code that is erased and unrecoverable on system reboot making forensic analysis impossible.","checkContent":"Verify the In-Memory File System setting.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\nIf hosted applications are using the in-memory file system, this is not a finding.\n\nIf \"Enable In-Memory File System\" is checked, this is a finding.","fixText":"Configure the In-Memory File System setting.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Uncheck \"Enable In-Memory File System\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000381"]},{"vulnId":"V-279054","ruleId":"SV-279054r1171443_rule","severity":"medium","ruleTitle":"ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured.","description":"Some networking protocols may not meet organizational security requirements to protect data and components.\n\nColdFusion may host a number of various features, such as the Administrator Console, data sources, and various services. These features all run on TCPIP ports and protocols. This creates the potential for the vendor or ColdFusion administrator to use port numbers or protocols that have been deemed unusable by the organization. When ports or protocols are used that are not secure or authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol.\n\nFor a list of approved ports and protocols, reference the DOD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.","checkContent":"Verify that remote access to the ColdFusion Administrator Console is appropriately restricted and that all configured ports, including WebSocket configurations, comply with approved organizational policies.\n\n1. Validate Access Scope to the Administrator Console. \n\n2. Identify whether the ColdFusion Administrator Console is accessible via any IP address other than localhost.\n\n3. If remote (nonlocalhost) access is possible, confirm whether the server is designated for remote administration.\n\nIf remote access is enabled on a server intended for local administration only, this is a finding.\n\n4. Confirm Administrator Console Port Compliance. Access the ColdFusion Administrator Console in a web browser.\n\nIf the URL specifies a port number, verify the port is approved per organizational policy.\n\nIf an unapproved port is used, this is a finding.\n\n5. Review Data & Services Connection Ports. From the Admin Console Landing Screen, navigate to Data & Services.\n\n6. For each tab, review port configurations for all connections and services.\n\nIf any service is configured to use a nonapproved port, this is a finding.","fixText":"Restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used, including WebSocket configurations, are approved and properly secured.\n\nIf the ColdFusion server is to be administered locally only:\n\n1. Locate the server.xml file for ColdFusion.\n\nLinux:\n<ColdFusion Install Directory>/runtime/conf/server.xml\n\nWindows:\n<ColdFusion Install Directory>\\runtime\\conf\\server.xml\n\n2. Create a backup copy of server.xml before making changes.\n\n3. Edit the file and update all <Connector> tags for HTTP and HTTPS to include:\naddress=\"127.0.0.1\"\n(This restricts access to the local server only.)\n\n4. Restart ColdFusion to apply the changes.\n\n5. Verify that the ColdFusion Administrator Console is accessible only from the local server and not from any external IP addresses.\n\n6. If local access is confirmed, remove the backup file to avoid configuration confusion.\n\n7. For any \"Data & Services\" configurations using unapproved ports:\n\na. Reconfigure all affected services or data connections to use approved ports in accordance with organizational policy.\n\nb. Save changes and restart services.","ccis":["CCI-000382"]},{"vulnId":"V-279055","ruleId":"SV-279055r1171527_rule","severity":"high","ruleTitle":"ColdFusion must be using an enterprise solution for authentication.","description":"If ColdFusion is not integrated with an enterprise authentication solution, the system may rely on unmanaged local accounts that are difficult to monitor, audit, and control. This can lead to inconsistent password policies, outdated or orphaned credentials, and a lack of centralized visibility over user access.\n\nThis STIG standard requires using LDAP as the enterprise authentication mechanism. LDAP integration ensures that authentication is managed through a centralized directory, allowing for strong password enforcement, account lifecycle management, role-based access control, and consolidated audit logging. Without LDAP integration, users may circumvent enterprise identity governance policies, increasing the risk of unauthorized access and administrative oversight gaps.\n\nEnterprise authentication also supports incident response and forensic analysis by enabling consistent tracking of user activities across systems. Relying on ColdFusion's internal authentication alone limits these capabilities and weakens the overall security posture.\n\nIntegrating ColdFusion with an LDAP-based enterprise authentication service ensures alignment with DOD security standards, improves identity management, and reduces the risk of account compromise or privilege escalation.\n\nSatisfies: SRG-APP-000149-AS-000102, SRG-APP-000118-AS-000078, SRG-APP-000120-AS-000080, SRG-APP-000133-AS-000092, SRG-APP-000148-AS-000101, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000506-AS-000231, SRG-APP-000163-AS-000111, SRG-APP-000705-AS-000110","checkContent":"Verify LDAP is in use.\n\nFrom the Admin Console Landing Screen, navigate to Security >> Administrator.\n\nIf \"External Authentication\" is set to \"NONE\", this is a finding.","fixText":"Configure LDAP.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Administrator >> External Authentication\" tab.\n\n2. Configure LDAP:\n- Select \"LDAP\" option.\n- Click \"Edit LDAP Configuration\".\n- Enter LDAP Details.\n- Click \"SAVE\".\n\n3. If connection is verified, click \"Submit Changes\".","ccis":["CCI-000765","CCI-000162","CCI-000164","CCI-001499","CCI-000764","CCI-001953","CCI-001954","CCI-002009","CCI-002010","CCI-002011","CCI-002014","CCI-000172","CCI-000795","CCI-003628"]},{"vulnId":"V-279056","ruleId":"SV-279056r1171606_rule","severity":"medium","ruleTitle":"Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.","description":"Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data.\n\nMany web services use SOAP, which in turn uses XML and HTTP as a transport. Natively, SOAP does not provide security protections. Therefore, ColdFusion must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension.\n\nColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.","checkContent":"Verify that web services using the SOAP protocol to access sensitive data are secured with WS-Security.\n\n1. Determine Web Services Usage by interviewing the system administrator (SA), or reviewing relevant documentation, including:\n- Hosted application source code.\n- Application design documentation.\n- Published web services design documentation.\n- ColdFusion baseline documentation.\n\n2. Evaluate Applicability. \n\nIf no web services are published, this requirement is not a finding.\n\nIf web services are published and the SOAP protocol is not used, this is not a finding.\n\nIf SOAP is used and the data accessed is not sensitive, this requirement is not a finding.\n\n3. Verify Security Controls. If web services are published using SOAP to access sensitive data:\n\na. Confirm that WS-Security is implemented to provide secure authentication and protect the data.\n\nb. This may be verified by interviewing the administrator or reviewing the documentation sources listed above.\n\nIf web services are published using SOAP to access sensitive data and WS-Security is not implemented, this is a finding.","fixText":"Configure web services using the SOAP protocol to access sensitive data.\n\n1. Install and configure the WS-Security suite to secure access to the sensitive data.\n\n2. Ensure the configuration provides:\n- Authentication of service consumers.\n- Message integrity (e.g., via XML signatures).\n- Confidentiality (e.g., via encryption).\n\n3. Update application and service documentation to reflect the WS-Security implementation.","ccis":["CCI-001941"]},{"vulnId":"V-279057","ruleId":"SV-279057r1171529_rule","severity":"medium","ruleTitle":"ColdFusion must store only encrypted representations of passwords.","description":"Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised.\n\nApplication servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords.","checkContent":"Verify Proxy Settings.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\nIf a \"Proxy Host\" is provided with a \"Proxy Username\" and \"Proxy Password\", this is a finding.","fixText":"Configure Proxy Settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Clear the \"Proxy Host\", Proxy UserName\", and \"Proxy Password\" fields.\n\n3. Select \"Submit Changes\".","ccis":["CCI-000196"]},{"vulnId":"V-279058","ruleId":"SV-279058r1171531_rule","severity":"medium","ruleTitle":"ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources.","description":"When data is transmitted between ColdFusion and the datasources without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including personal data, authentication credentials, and other confidential information. By requiring each of the data sources to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing using encryption for all datasource connections is essential for maintaining a secure server environment.","checkContent":"1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources.\n\n2. For each \"Connected NoSQL Data Source\" configured, examine the settings and verify if encryption is enabled and properly configured for each data source connection.\n\nIf any NoSQL data source is found without encryption enabled, this is a finding.\n\nIf any NoSQL data source does not have \"Enable SSL \" checked, this is a finding.","fixText":"1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources.\n\n2. Make the necessary changes to the data source to use encryption.\n\n3. Check \" Enable SSL\" checkbox.\n\n4. Select \"Submit\".","ccis":["CCI-000197"]},{"vulnId":"V-279059","ruleId":"SV-279059r1171533_rule","severity":"medium","ruleTitle":"ColdFusion must only transmit encrypted representations of passwords to the Solr Server.","description":"Solr is an open-source search platform used for indexing and searching data. When data is transmitted between ColdFusion and the Solr Server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including search queries, indexing data, and other confidential information. By requiring the Solr Server connection to use encryption for data transmission, the ColdFusion server ensures that the data is protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing using encryption for all Solr Server connections is essential for maintaining a secure server environment.","checkContent":"If the Solr package is not installed, this is Not Applicable.\n\nVerify encryption to the Solr Server.\n\nFrom the Admin Console Landing Screen, navigate to Data & Services >> Solr Server.\n\nIf the Solr Host Name is \"localhost\", this is not a finding.\n\nIf the \"Use HTTPS connection\" setting is unchecked or \"Solr Admin HTTPS Port\" is zero, this is a finding.","fixText":"If the Solr package is not installed, this finding is Not Applicable.\n\nConfigure encryption to the Solr Server.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services >> Solr Server.\n\n2. Check \"Use HTTPS connection\" checkbox.\n\n3. Enter the Solr Admin HTTPS Port.\n\n4. Select \"Submit Changes\".","ccis":["CCI-000197"]},{"vulnId":"V-279060","ruleId":"SV-279060r1171535_rule","severity":"medium","ruleTitle":"ColdFusion must transmit only encrypted representations of passwords to the mail server.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nColdFusion may use username/password to connect to a mail server. When this authentication method is used, it is important that the credentials be protected when transmitted by being encrypted. While TLS encryption is the preferred method by DOD, SSL can be used when the mail server does not offer any other method of encryption.\n\nSatisfies: SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237","checkContent":"If the \"mail\" package is not installed, this is Not Applicable.\n\nVerify Mail Service Configurations.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Mail.\n\nIf no mail server is configured, this requirement is not a finding.\n\nIf a username and password are required for authentication and \"Enable TLS connection to mail server\" is unchecked and \"Enable SSL socket connects to mail server\" is unchecked, this is a finding.\n\nIf \"Spool mail messages for delivery to\" is unchecked, this is a finding.\n\nIf \"Connection Timeout (in seconds)\" is set to greater than 15 seconds, this is a finding.\n\nIf \"Log all mail messages sent by ColdFusion\" is not checked, this is a finding.\n\nIf the default and recommended setting of \"Warning\" is not selected for error log severity, this is a finding.","fixText":"If the \"mail\" package is not installed, this is Not Applicable.\n\nConfigure Mail Service.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Mail.\n\n2. Enable SSL/TLS:\n- If a username and password are required for authentication, check \"Enable SSL socket connections to mail server\" setting.\n- Check \"Enable TLS connection to mail server\" setting.\n\n3. Mail Spool Settings: \n- Uncheck \"Spool mail messages for delivery to\" setting.\n\n4. Set the \"Connection Timeout(in seconds)\" setting to 15 seconds or fewer.\n\n5. Mail Logging Settings:\n- Check \"Log all mail messages sent by ColdFusion setting.\n- Select \"Warning\" for Error Log Severity.\n\n6. Select \"Submit Changes\" to save the new settings.","ccis":["CCI-000197","CCI-002385","CCI-000366"]},{"vulnId":"V-279061","ruleId":"SV-279061r1171537_rule","severity":"medium","ruleTitle":"ColdFusion must only transmit encrypted representations of passwords to the caching server.","description":"Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing with encryption for all Redis caching server connections is essential for maintaining a secure server environment.","checkContent":"Verify Redis Cache encryption.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Caching.\n\nIf the \"Redis Server\" setting is \"localhost\" or blank, this requirement is not a finding.\n\nIf \"Password\" is blank, this is not a finding.\n\nIf \"Is SSL Enabled\" is unchecked, this is a finding.","fixText":"Configure Redis Cache encryption.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching.\n\n2. Enable encryption by checking \"Is SSL Enabled\".\n\n3. Select \"Submit Changes\".","ccis":["CCI-000197"]},{"vulnId":"V-279062","ruleId":"SV-279062r1171539_rule","severity":"medium","ruleTitle":"JVM Arguments must be configured for encryption.","description":"Ensuring that ColdFusion transmits only encrypted representations of passwords to the proxy server is critical for maintaining the security and integrity of sensitive information. When passwords are transmitted in plain text, they are vulnerable to interception by unauthorized parties, which can lead to unauthorized access and potential data breaches. Encrypting passwords during transmission helps protect against these risks by ensuring that even if the data is intercepted, it cannot be easily deciphered and misused.\n\nBy implementing encryption for password transmission to the proxy server, ColdFusion can safeguard user credentials and maintain the confidentiality and integrity of the data being transmitted. This practice aligns with best security practices and helps prevent unauthorized access to sensitive information.","checkContent":"Verify JVM Arguments are configured for encryption.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\nIf any JVM Arguments contain the setting \"Dhttp.proxyHost\", this is a finding.","fixText":"Configure JVM Arguments for encryption.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. In \"JVM Arguments\", enable encryption by changing any JVM Argument starting with \"Dhttp.proxy\" to \"-Dhttps.proxy\".\n\n3. Select \"Submit Changes\".\n\n4. Restart ColdFusion for the changes take effect.","ccis":["CCI-000197"]},{"vulnId":"V-279063","ruleId":"SV-279063r1171542_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification.","description":"Keystores and truststores are critical components in securing communication between applications and services. If ColdFusion is configured to use certificates that are not issued by a DOD-approved Certificate Authority (CA), the authenticity and trustworthiness of encrypted communications cannot be guaranteed. Accepting certificates from untrusted or self-signed sources introduces the risk of man-in-the-middle (MitM) attacks, unauthorized access, and spoofing.\n\nKeystore and truststore files contain sensitive cryptographic material, including private keys and trusted root certificates. If these files are not adequately protected at the file system level, unauthorized users may gain access and exploit them to impersonate services, decrypt communications, or alter trust relationships. Insecure permissions may also allow modification of trusted CAs, weakening the system's ability to verify legitimate certificates.\n\nRestricting keystore usage to DOD-approved certificates and enforcing strict file-level access controls helps ensure data confidentiality, integrity, and authenticity. It also aligns with DOD PKI requirements and mitigates the risk of compromise through unauthorized certificate usage or tampering with trust anchors.\n\nSatisfies: SRG-APP-000176-AS-000125, SRG-APP-000175-AS-000124, SRG-APP-000427-AS-000264, SRG-APP-000514-AS-000137","checkContent":"Verify Keystore Location and Permission.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.\n\n2. If the \"Use Built-in WebSocket Server\" option is selected and the \"SSL Port\" is checked, make note of the keystore path and filename.\n\n3. From the Admin Console Landing Screen, navigate to Server Settings >> Mail.\n\n4. If \"Sign the mail\" is checked, record the keystore path and filename.\n\n5. Review JVM truststore settings by navigating to Server Settings >> Java and JVM.\n\n6. Check if JVM Arguments include a truststore setting. For example:\n-Djavax.net.ssl.trustStore=/path/to/truststore\n\n7. If present, record the truststore path and filename.\n\n8. If the \"JVM Arguments\" does not contain a truststore setting, note the path and file name of the default \"cacerts\" file (found under the directory \"Java Virtual Machine Path\" settings' subdirectory \\lib\\security).\n\n9. In each of the ColdFusion instances <ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf, open the server.xml file. Verify all uncommented connector tags for the word \"keystorefile\".\n\n10. Record any keystore path and filename.\n\n11. For the keystore/ truststore used, use the keytool command to display the CA certificates for the defined keystore/truststore:\nkeytool -list -keystore <trust/key store location>\n\nIf there are no certificates issued by a CA that is part of the DOD PKI/PKE, this is a finding.\n\n12. Verify Permissions on each keystore/truststore file:\n\na. For Windows:\nThe file permissions must grant Full Control only to the Administrators group and the account running the ColdFusion service. No other users or groups should have permissions.\n\nIf additional permissions are present, this is a finding.\n\nb. For Linux:\nFile permissions must be 640 or more restrictive. The owner must be root, and the group must include the ColdFusion runtime user.\n\nIf permissions are more permissive than listed above, this is a finding.","fixText":"Configure Keystore Location and Permission.\n\n1. For all untrusted certificates identified, execute the following command:\nC:\\ColdFusion2023\\jre\\bin\\keytool -delete -alias \"<certificate alias>\" -keystore <keystorefile>\n\n2. Follow the platform-specific steps below to remediate permissions.\n\nColdFusion Running on Windows:\na. Right-click the keystore or truststore file and select \"Properties\".\n\nb. Click the Security tab and then click \"Advanced\".\n\nc. In the Permissions tab, click \"Disable\" inheritance. Select \"Remove all inherited permissions from this object\".\n\nd. Click \"Add\".\n\ne. In the Permission Entry dialog, click \"Select a principal\". Enter the user account running the ColdFusion service. Assign Read permission and then click \"OK\".\n\nf. Click \"Add\" again. Click \"Select a principal\". Enter the Administrators group. Assign Full Control and then click \"OK\".\n\ng. Replace all child object permission entries with inheritable permission entries from this object.\n\nh. Click \"OK\" to apply the changes.\n\nResult: Only the Administrators group (Full Control) and the ColdFusion service account (Read) have access. No other permissions remain.\n\nColdFusion Running on Linux:\na. For each keystore or truststore file identified, run the following commands (adjust paths and group names as appropriate):\nchown root:<cfusion_group> /path/to/keystorefile\nchmod 640 /path/to/keystorefile\n\nExample:\nchown root:cfgroup /opt/coldfusion2023/jre/lib/security/cacerts\nchmod 640 /opt/coldfusion2023/jre/lib/security/cacerts\n\nResult: Owner is root.\nGroup is the group that includes the ColdFusion runtime user.\nPermissions are 640 (read/write for owner, read for group, none for others).\n\nb. Restart ColdFusion to ensure that it starts without error.\n\nc. Verify secure mail and WebSocket connections continue to function.\n\nd. Recheck the Admin Console settings to confirm no keystore paths were altered unintentionally.","ccis":["CCI-000186","CCI-000185","CCI-002470","CCI-002450"]},{"vulnId":"V-279064","ruleId":"SV-279064r1171544_rule","severity":"medium","ruleTitle":"The ColdFusion Administrator Console must be hosted on a management network.","description":"ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the hosted application environment enforces a strong security boundary, requiring users to authenticate with privileged credentials before gaining access to management functionality. This separation ensures that nonprivileged users—such as application users—are not presented with administrative interfaces or options, effectively reducing the attack surface and minimizing the potential for privilege escalation.\n\nRestricting visibility into administrative functions also limits the exposure of sensitive configuration details. In the event a nonprivileged account is compromised, the attacker gains no insight into ColdFusion's management features or internal architecture, impeding reconnaissance efforts and slowing down the progression of an attack.\n\nHosting the Administrator Console on a dedicated management network ensures the console is accessible only from authorized administrative devices, isolates it from the application traffic and users, and reduces the risk of accidental exposure. Management networks also enforce encryption and strict access controls, providing additional protection against data leakage and unauthorized access to ColdFusion's administrative interface.","checkContent":"Access the Administrator Console via a web browser. Record the IP address used to reach the console.\n\nReview the network diagram for the site to verify that this IP address belongs to a dedicated management network that is segmented from any public or production networks.\n\nIf the Administrator Console is not hosted on a management network separate from the public network, this is a finding.","fixText":"Host the ColdFusion Administrator Console on a management network.","ccis":["CCI-001082"]},{"vulnId":"V-279065","ruleId":"SV-279065r1171383_rule","severity":"medium","ruleTitle":"ColdFusion must have sandboxes enabled and defined.","description":"ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks.\n\nIsolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server.\n\nThis architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities.\n\nSatisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237","checkContent":"Verify Sandbox Security.\n\n1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.\n\n2. The Administrator Console must have a sandbox separate from the other hosted applications.\n\nIf there are no sandboxes implemented for the Administrator Console, this is a finding.\n\n3. Sandboxes must be set up for all other hosted applications. \n\nIf there are no sandboxes implemented for other hosted applications, this is a finding.\n\nIf the \"Enable ColdFusion Sandbox Security\" is not checked, this is a finding.","fixText":"Configure Sandbox Security.\n\n1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.\n\n2. Check the \"Enable ColdFusion Sandbox Security\".\n\n3. Create sandboxes for the applications.\n\n4. Create a sandbox for the Administrator Console.\n\n5. Select \"Submit Changes\".","ccis":["CCI-001082","CCI-000366"]},{"vulnId":"V-279066","ruleId":"SV-279066r1171607_rule","severity":"medium","ruleTitle":"ColdFusion must separate the hosted application from the web server.","description":"Separating hosted ColdFusion applications from the web server is critical for enforcing strong access control and minimizing the risk of unauthorized access to sensitive server components. When hosted applications and the web server operate within the same execution context or process space, vulnerabilities in one can directly compromise the other.\n\nSeparating the hosted application logic from the core web server components limits the application's access to only the resources it requires. This containment ensures that application-level vulnerabilities cannot be easily escalated to affect the broader server environment. It also allows for more granular security controls, input validation, and auditing.\n\nThis separation supports defense-in-depth by establishing clear trust boundaries between application and server functions. It enforces the principle of least privilege, protects critical infrastructure from exploitation.","checkContent":"If a separate web server is used for hosted applications, requirement is Not Applicable.\n\n1. From the Admin Console Landing Screen., navigate to Enterprise Manager >> Instance Manager.\n\nIf all of the hosted applications have their own instance(s) under \"Available Servers\", this is not a finding.\n\nIf neither web servers nor separate instances are being used, this is a finding.","fixText":"If a separate web server is used for hosted applications, requirement is Not Applicable.\n\n1. Set up the web server.\n\nFor Linux:\nExecute the Web Server Configuration tool. In the ColdFusion install folder, find:\n<ColdFusion_Installation_Directory> /cfusion/runtime/bin/wsconfig \n\nFor Windows:\nIn the ColdFusion install folder, find:\n<ColdFusion_Installation_Directory> \\cfusion\\runtime\\bin\\wsconfig.exe\n\n2. In the tool, click \"Add\".\n\n3. Provide the application server host, instance, and cluster.\n\n4. Enter the appropriate Web Server Properties.\n\n5. Select \"OK\".\n\n6. Set up separate instances.\n\na. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Instance Manager.\n\nb. Select \"Add New Instance\".\n\nc. Enter a server name.\n\nd. Choose a directory.\n\ne. Select \"Submit\".","ccis":["CCI-001082"]},{"vulnId":"V-279067","ruleId":"SV-279067r1171547_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to mutually authenticate connecting proxies and load balancers.","description":"Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication helps verify the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of these certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access.","checkContent":"Validate SSL Certificate.\n\n1. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.\n\n2. Identify each ColdFusion IP address that is served by a load balancer or proxy. Locate the configuration file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n3. Open the server.xml file in a text editor and review each <Connector> element for the address setting and the clientAuth setting.\n\nIf a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not \"true\", this is a finding.\n\n4. Locate the configuration file. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\web.xml\n\n5. Open the web.xml file in a text editor.\n\nIf \"<login-config><auth-method>CLIENT-CERT</auth-method></login-config>\" is not present under the web-app tag, this is a finding.","fixText":"Configure SSL Certificate.\n\nFor server.xml:\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Before making changes, back up the file to prevent accidental misconfiguration.\n\n3. Open server.xml in a text editor with administrative privileges.\n\nFor web.xml:\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\web.xml\n\n2. Before making changes, back up the file to prevent accidental misconfiguration.\n\n3. Open web.xml in a text editor with administrative privileges.\n\n4. Ensure the <login-config><auth-method>CLIENT-CERT</auth-method></login-config> is present under the web-app tag.\n\n5. Save and close the file. Restart ColdFusion to apply the changes.","ccis":["CCI-001184"]},{"vulnId":"V-279068","ruleId":"SV-279068r1172825_rule","severity":"high","ruleTitle":"ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator.","description":"ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows the application to track the communications along with credentials that may have been used to authenticate users or modules.\n\nUnique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.\n\nUnique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.","checkContent":"Review the random number generator for generating session identifiers.\n\n1. Locate the java.security file for the Java Runtime Environment (JRE) used by ColdFusion located at:\n <ColdFusion_Installation_Directory>\\jre\\conf\\security\\java.security\n\n2. Open the java.security file in a text editor.\n\n3. Locate the following setting:\nsecurerandom.strongAlgorithms\n\n4. Verify that the value includes a FIPS 140-2/140-3 or higher approved random number generator. For example:\nsecurerandom.strongAlgorithms=DRBG:SUN\n\nIf the securerandom.strongAlgorithms setting does not exist or does not specify a FIPS 140-2/140-3 or higher approved algorithm, this is a finding.","fixText":"Configure the random number generator for generating session identifiers.\n\n1. Open the java.security file located at: <ColdFusion_Installation_Directory>\\jre\\conf\\security\\java.security\n\n2. Locate or add the securerandom.strongAlgorithms property and configure it to use a FIPS-approved RNG. For example:\nsecurerandom.strongAlgorithms=DRBG:SUN\n\n3. Save the file and restart ColdFusion to apply changes.","ccis":["CCI-001188"]},{"vulnId":"V-279069","ruleId":"SV-279069r1171551_rule","severity":"medium","ruleTitle":"ColdFusion systems must provide clustering.","description":"Clustering enables ColdFusion to distribute workloads across multiple application server instances, providing load balancing, session replication, and failover capabilities. Without clustering, ColdFusion operates as a single point of failure.\n\nClustering ensures service continuity by allowing traffic to be rerouted to healthy nodes in the event of a failure. It also enhances performance by distributing resource-intensive operations across multiple servers, reducing response times and increasing application scalability. This capability supports the organization's high availability and disaster recovery objectives by reducing the risk of downtime or service degradation.\n\nClustering supports secure session management by enabling session failover and persistence. This helps maintain user experience and security during node transitions, ensuring continuity of authenticated sessions without requiring users to reauthenticate.\n\nColdFusion must be capable of supporting clustering to meet enterprise availability requirements, enable horizontal scaling, and ensure that critical applications remain resilient under varying load and failure conditions.\n\nSatisfies: SRG-APP-000225-AS-000154, SRG-APP-000435-AS-000069","checkContent":"Verify that systems are configured to support redundancy through clustering or load balancing.\n\n1. Confirm whether the system is designated as mission critical and requires high availability.\n\n2. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Cluster Manager.\n\n3. Verify clusters are defined and each cluster includes more than one server.\n\n4. If no clusters are defined or a cluster contains only one server, interview the system administrator to determine whether the server is part of an external load balancer configuration.\n\n5. Verify that the load balancer includes multiple backend servers for redundancy.\n\nIf the system is mission critical and no clusters are configured, and the server is not part of an external load balancer with more than one backend server, this is a finding.","fixText":"If using an external load balancer, configure and associate multiple servers behind the load balancer to ensure redundancy and high availability.\n\n1. Confirm that the load balancer distributes traffic across all configured servers. If using ColdFusion clustering capabilities, from the Admin Console Landing Screen, navigate to Enterprise Manager >> Cluster Manager.\n\n2. Enter a Cluster Name and click \"Add\".\n\n3. Under \"Actions\", click the Edit icon for the new cluster.\n\n4. Add the required servers to the cluster configuration.\n\n5. Click \"Submit\" to save the cluster.\n\n6. Edit an Existing Cluster (if applicable). Under \"Actions\", click the Edit icon next to the existing cluster.\n\n7. Add additional servers to ensure the cluster contains more than one server.\n\n8. Click \"Submit\" to update the configuration.","ccis":["CCI-001190","CCI-002385"]},{"vulnId":"V-279070","ruleId":"SV-279070r1172833_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.","description":"ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations.\n\nTimely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred.\n\nSIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity.\n\nSatisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130","checkContent":"Verify SIEM.\n\n1. On the host server, for each of the ColdFusion instances installed, verify /etc/rsyslog.d/101-<instance name>.conf exists and contains the following contents: \n\nmodule(load=\"imfile\" PollingInterval=\"10\") \n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/coldfusion-out.log\"\n      Tag=\"coldfusion-out\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/coldfusion-error.log\"\n      Tag=\"coldfusion-error\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/cfpm-audit.log\"\n      Tag=\"cfpm-audit\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/audit.log\"\n      Tag=\"audit\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/http.log\"\n      Tag=\"http\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/mail.log\"\n      Tag=\"mail\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/monitor.log\"\n      Tag=\"monitor\"\n      Facility=\"<instance name>\")\n\ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/server.log\"\n      Tag=\"server\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/usagedata.log\"\n      Tag=\"usagedata\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/update.log\"\n      Tag=\"update\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/application.log\"\n      Tag=\"application\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/exception.log\"\n      Tag=\"exception\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/reporting.log\"\n      Tag=\"reporting\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/axis2.log\"\n      Tag=\"axis2\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/eventgateway.log\"\n      Tag=\"eventgateway\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/license.log\"\n      Tag=\"license\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/security.log\"\n      Tag=\"security\"\n      Facility=\"<instance name>\")\n  \ninput(type=\"imfile\"\n      File=\"<CF install path>/<instance name>/logs/webservice.log\"\n      Tag=\"webservice\"\n      Facility=\"<instance name>\")   \n\nIf the file contents do not monitor all logs in <CF install path>/<instance name>/logs, this is a finding. \n\n2. Inspect /etc/rsyslog.conf or the files in /etc/rsyslog.d/.\n\nIf there is no forwarding action with type=\"omfwd\", the rsyslog destination is not configured to send logs to a valid syslog server and this is a finding.\n\nFor additional information, refer to https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/.","fixText":"Configure SIEM.\n\n1. Create /etc/rsyslog.d/101-<instance name>.conf for each of the configured ColdFusion instances with these contents, ensuring the final line points to a valid syslog server.\n\nExample:\nmodule(load=\"imfile\" PollingInterval=\"10\") \ncat > /etc/rsyslog.d/101-cfusion.conf << EOF\n\nmodule(load=\"imfile\" PollingInterval=\"10\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/coldfusion-out.log\"\n      Tag=\"coldfusion-out\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/coldfusion-error.log\"\n      Tag=\"coldfusion-error\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/cfpm-audit.log\"\n      Tag=\"cfpm-audit\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/audit.log\"\n      Tag=\"audit\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/http.log\"\n      Tag=\"http\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/mail.log\"\n      Tag=\"mail\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/monitor.log\"\n      Tag=\"monitor\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/server.log\"\n      Tag=\"server\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/usagedata.log\"\n      Tag=\"usagedata\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/update.log\"\n      Tag=\"update\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/application.log\"\n      Tag=\"application\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/exception.log\"\n      Tag=\"exception\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/reporting.log\"\n      Tag=\"reporting\"\n      Facility=\"cfusion\")\n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/axis2.log\"\n      Tag=\"axis2\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/eventgateway.log\"\n      Tag=\"eventgateway\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/license.log\"\n      Tag=\"license\"\n      Facility=\"cfusion\")      \n\ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/security.log\"\n      Tag=\"security\"\n      Facility=\"cfusion\")\n      \ninput(type=\"imfile\"\n      File=\"/opt/coldfusion2023/cfusion/logs/webservice.log\"\n      Tag=\"webservice\"\n      Facility=\"cfusion\") \n\n2. Add the following to /etc/rsyslog.conf:\n*.* action(type=\"omfwd\" target=\"<remote rsyslog IP address>\" port=\"10514\" protocol=\"tcp\")\n\n3. Restart rsyslog to apply changes: sudo systemctl restart rsyslog.","ccis":["CCI-001199","CCI-000139","CCI-001348","CCI-001350","CCI-001876","CCI-001496","CCI-001851","CCI-001858","CCI-003831"]},{"vulnId":"V-279071","ruleId":"SV-279071r1171608_rule","severity":"medium","ruleTitle":"ColdFusion must have the Tomcat DefaultServlet debug parameter disabled.","description":"Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team.\n\nThe release of Tomcat that comes with ColdFusion can be configured to output Tomcat-specific debug messages. If left enabled, these settings can expose sensitive data within error and log messages.","checkContent":"Review the debug parameter for the DefaultServlet and verify it is disabled.\n\n1. Locate the web.xml file for each ColdFusion instance located at:\n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\web.xml\n\n2. Open the web.xml file in a text editor.\n\n3. Search for the following servlet definition:\n\n<servlet>\n  <servlet-name>default</servlet-name>\n  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>\n\n4. Within this block, locate the <init-param> with the <param-name>debug</param-name> element.\n\n5. Verify the corresponding <param-value> is set to 0. For example:\n<init-param>\n  <param-name>debug</param-name>\n  <param-value>0</param-value>\n</init-param>\n\nIf the debug parameter is set to any value other than 0, or is not explicitly defined, this is a finding.","fixText":"Configure DefaultServlet to disable debug output.\n\n1. Open the web.xml file located at:\n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\web.xml\n\n2. Locate the DefaultServlet definition and ensure the debug parameter is set as follows:\n\n<init-param>\n  <param-name>debug</param-name>\n  <param-value>0</param-value>\n</init-param>\n\n3. Save the changes and restart ColdFusion to apply the configuration.","ccis":["CCI-001312"]},{"vulnId":"V-279072","ruleId":"SV-279072r1170990_rule","severity":"medium","ruleTitle":"The ColdFusion error messages must be restricted to only authorized users.","description":"If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nApplication servers must protect the error messages that are created by ColdFusion. All application server users' accounts are used for the management of the server and the applications residing on ColdFusion. All accounts are assigned to a certain role with corresponding access rights. ColdFusion must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. ColdFusion will usually create new log files as needed and must take steps to ensure that the proper file permissions are used when the log files are created.\n\nSatisfies: SRG-APP-000267-AS-000170, SRG-APP-000033-AS-000024, SRG-APP-000090-AS-000051, SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237","checkContent":"Verify User Roles and Services.\n\n1. From the Admin Console Landing Screen, navigate to Security >> User Manager.\n\n2. Review the roles assigned to each user against the information system security manager (ISSM)-approved list of user accounts and roles to determine if any user has excessive authorization.\n\nIf users exist that are not approved by the ISSM, this is a finding.\n\nIf any user has roles assigned that are not approved by the ISSM, this is a finding.\n\n3. Review each defined user and ask the system administrator (SA) if the user must have access the following roles:\n- Debugging and Logging >>Logging.\n- Data & Services >> Data Sources.\n- Server Settings.\n\nIf any users have any of these roles that should not, this is a finding.\n\n4. Review each defined user by using the Edit function. For each user that has values for \"Allowed Services\", validate with the SA that the user must have remote access to each service.\n\nIf there are any users with services that are not required to perform the users' duties, this is a finding.","fixText":"Configure User Roles and Services.\n\n1. From the Admin Console Landing Screen, navigate to Security >> User Manager.\n\n2. Remove any user not approved by the information system security officer (ISSO)/ISSM.\n\n3. Enable only those roles for each user approved by the ISSO/ISSM.\n\n4. Remove the following roles from each user that should not have access to them:\n- Debugging and Logging >>Logging.\n- Data & Services >> Data Sources.\n- Server Settings.\n\n5. Only assign services to those users who require access and only assign those services that are required to perform the user's duties.","ccis":["CCI-001314","CCI-000213","CCI-000171","CCI-002314","CCI-000366"]},{"vulnId":"V-279073","ruleId":"SV-279073r1171560_rule","severity":"medium","ruleTitle":"ColdFusion must set a maximum session timeout value.","description":"An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, ColdFusion must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting systemwide for session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. A maximum setting is provided to control how large a developer can set the timeout.","checkContent":"Validate the Session Variable Timeout configuration.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Under the \"Maximum Timeout\" section, locate the setting for \"Session Variables\".\n\nIf the timeout value for Session Variables is set to greater than 1 hour, this is a finding.","fixText":"Configure the Session Variable Timeout configuration.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Under the \"Maximum Timeout\" section, locate the setting for \"Session Variables\".\n\n3. Set the \"Session Variables\" to \"1\" hour or fewer.\n\n4. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279074","ruleId":"SV-279074r1171609_rule","severity":"medium","ruleTitle":"ColdFusion must control remote access to the Administrator Console.","description":"Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by logging connection activities of remote users.\n\nBy default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e., single password, separate username and password per user, or no authentication needed), any user from any network can access the console and make changes to the server configuration relying only on the authentication method configured for the installation. By limiting the IP addresses that can connect, the administration console can be hosted to a management network and only accessed via that network, further reducing the exposure of the Administrator Console.","checkContent":"Verify Allowed IP Addresses for Console.\n\nFrom the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.\n\nIf the list of allowed IP addresses is blank (NULL), is set to a wildcard value, or contains IP addresses/subnets that should not have access, this is a finding.","fixText":"Configure Allowed IP Addresses for Console.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.\n\n2. Add allowed IP addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories (only IP addresses or subnets that should be capable of reaching the Administrator Console).\n\n3. Remove any IP addresses that are blank (NULL) or set to a wildcard value.","ccis":["CCI-002314"]},{"vulnId":"V-279075","ruleId":"SV-279075r1171564_rule","severity":"high","ruleTitle":"ColdFusion must control remote access to Exposed Services.","description":"ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access.\n\nSatisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237","checkContent":"Verify Allowed IP Addresses for Exposed Services.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.\n\n2. If there are any entries in the \"Allowed IP Addresses for Exposed Services\" section, validate with the system administrator (SA) that the IP addresses and subnets specified require access.\n\nIf an unauthorized Subnets/IP address or wildcard value is present, this is a finding.","fixText":"Configure Allowed IP Addresses for Exposed Services.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. Only those IP addresses or subnets that have access to Exposed Services must be listed.\n\n2. Remove any IP addresses that are blank (NULL) or set to a wildcard value.","ccis":["CCI-002314","CCI-000366"]},{"vulnId":"V-279076","ruleId":"SV-279076r1172835_rule","severity":"low","ruleTitle":"ColdFusion must allocate log record storage capacity.","description":"Proper management of log records not only dictates proper archiving processes and procedures be established, but it also requires allocating enough storage space to maintain the logs online for a defined period of time.\n\nIf adequate online log storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected.\n\nIt is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on ColdFusion until they can be archived to a log system or, in some instances, a Storage Area Network (SAN). Regardless of the method used, log record storage capacity must be sufficient to store log data when the data cannot be off-loaded to a log system or a SAN.\n\nColdFusion handles logs by allowing the administrator to specify a log file size and how many archives to keep online. This allows the administrator to correctly size the storage needed to meet the requirements of the organization for how log audit files should be available online and configure the storage needed to meet the requirement before off-loading archives to offline storage.","checkContent":"Review the ColdFusion log configuration to verify sufficient storage is allocated for log records and that log data will not exceed available space.\n\n1. From the ColdFusion Admin Console landing screen, navigate to Debugging & Logging >> Logging Settings.\n\n2. Locate the following settings:\n- Log directory: Note the location where logs are written.\n- Maximum number of archives: Note the value configured.\n- Maximum file size (in kilobytes): Note the value configured.\n\n3. Next, navigate to Debugging & Logging >> Log Files.\n\n4. Count the number of log files currently present.\n\n5. Calculate the total potential storage consumption using the following formula:\n(Maximum number of archives) × (Maximum file size in KB) × (Number of log files)\n\n6. Compare this value to the total available space on the storage volume where the log directory resides.\n\nIf the calculated potential log storage exceeds the available storage for the log directory, this is a finding.","fixText":"Configure ColdFusion to allocate log record storage capacity that does not exceed the available space on the log directory's storage volume.\n\n1. From the ColdFusion Admin Console landing screen, navigate to Debugging & Logging >> Logging Settings.\n\n2. Review and adjust the following settings:\n- Maximum number of archives.\n- Maximum file size (in kilobytes).\n\n3. Ensure the calculated total log storage remains within the available storage space of the log directory.\n\n4. Optionally, relocate the log directory to a volume with greater capacity if needed.\n\n5. Save changes and monitor log growth over time to verify compliance.","ccis":["CCI-001849"]},{"vulnId":"V-279077","ruleId":"SV-279077r1171570_rule","severity":"medium","ruleTitle":"ColdFusion must record time stamps for log records that can be mapped system time.","description":"Using a consistent time standard such as UTC or GMT for the internal clock of ColdFusion is crucial for maintaining accurate and reliable system logs. This consistency is essential for correlating events across different systems and networks, especially in environments where systems are geographically dispersed. If the internal clock is not set to a standard time, it can lead to discrepancies in log files, making it difficult to trace and investigate security incidents. Additionally, using a nonstandard time setting can complicate the synchronization of time-sensitive operations and affect the overall security posture of ColdFusion. Therefore, setting the internal clock to UTC or GMT helps ensure the integrity and reliability of system logs and enhances the ability to detect and respond to security events effectively.","checkContent":"Verify JVM Arguments for Time zone.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\nIf the JVM argument -\"Duser.timezone=<TIMEZONE>\" cannot be found , this is a finding.","fixText":"Configure JVM Arguments for Time zone.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. Add the argument as:\n\"Duser.timezone=<TIMEZONE>\"\n(If the parameter is already defined, change the setting to \"<TIMEZONE>\".)\n\n3. Select \"Submit Changes\".","ccis":["CCI-001890"]},{"vulnId":"V-279078","ruleId":"SV-279078r1172827_rule","severity":"medium","ruleTitle":"For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.","description":"Ensuring that for PKI-based authentication, ColdFusion implements a local cache of revocation data is essential for maintaining the security and integrity of the authentication process. PKI relies on the ability to verify the validity of certificates, which includes checking for certificate revocation. If the system cannot access revocation information via the network, it may be unable to determine whether a certificate is still valid, potentially allowing the use of compromised or revoked certificates.\n\nBy implementing a local cache of revocation data, ColdFusion can support path discovery and validation even when network access to revocation information is unavailable. This practice helps ensure that the system can continue to verify the validity of certificates and maintain the security of the authentication process. It aligns with best security practices and helps prevent unauthorized access to sensitive information.","checkContent":"Verify ColdFusion is configured to support certificate revocation checking using locally cached Certificate Revocation Lists (CRLs).\n\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml.\n\n2. Open the server.xml file in a text editor.\n\n3. Identify all <Connector> elements that are configured for SSL. Within each <Connector>, check for an embedded <SSLHostConfig> element.\n\n4. Review the <SSLHostConfig> element for the presence of one of the following attributes:\ncertificateRevocationListFile\ncertificateRevocationListPath\n\n(These attributes specify the location of locally cached CRL files that will be used for certificate revocation checking.)\n\nIf no <SSLHostConfig> is present, or if neither certificateRevocationListFile nor certificateRevocationListPath is configured, this is a finding.","fixText":"Configure ColdFusion to use a locally cached CRL for certificate revocation checking.\n\n1. Open the server.xml file located at: <ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml\n\n2. Locate each <Connector> element configured for SSL.\n\n3. Ensure an <SSLHostConfig> element is present and includes one of the following attributes:\ncertificateRevocationListFile=\"<path_to_crl_file>\"\ncertificateRevocationListPath=\"<path_to_crl_directory>\"\n\nExample:\n<SSLHostConfig>\n  <Certificate certificateKeystoreFile=\"...\" type=\"RSA\" />\n  <CertificateRevocation certificateRevocationListFile=\"/opt/cf/crl/mycrl.pem\" />\n</SSLHostConfig>\n\n4. Save the file and restart ColdFusion to apply the changes.","ccis":["CCI-001991"]},{"vulnId":"V-279079","ruleId":"SV-279079r1171576_rule","severity":"medium","ruleTitle":"ColdFusion must set Request Tuning configurations.","description":"To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within ColdFusion framework.\n\nReport threads are used to process reports concurrently. Since reporting in most applications is a process that is not time sensitive or heavily used, this setting should be minimized to minimize resource use on ColdFusion and to minimize a method that could be used to exhaust resources by an attacker. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.","checkContent":"Verify Request Tuning Configurations.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\nIf \"Maximum number of simultaneous Report threads\" is not set to \"1\", this is a finding.\n\nIf the \"Maximum number of simultaneous Template requests\" is not set to the maximum number of requests (or 24, whichever is higher), this is a finding.\n\nIf \"Timeout requests waiting in queue after\" setting is higher than \"5\", this is a finding.\n\n2. Validate that \"Request Queue Timeout Page\" is set to a valid and custom page.\n\nIf \"Request Queue Timeout Page\" is blank or is set to \"/CFIDE/administrator/templates/request_timeout_error.cfm\", this is a finding.\n\n3. Validate the file exists. The path and file given are relevant to the web servers' document root directory and not the OS root directory. For example, if the web servers' document root is /opt/webserver/wwwroot and the \"Request Queue Timeout Page\" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm.\n\nIf the \"Request Queue Timeout Page\" setting is not set to a valid page, this is a finding.","fixText":"Set Request Tuning Configurations.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Set \"Maximum number of simultaneous Report threads\" to \"1\".\n\n3. Set \"Maximum number of simultaneous Template requests\" to the appropriate amount or 24, whichever is higher.\n\n4. Set \"Timeout requests waiting in queue after\" to \"5\" or fewer.\n\n5. Set \"Request Queue Timeout Page\" to a custom and valid page.\n\n6. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279080","ruleId":"SV-279080r1171402_rule","severity":"medium","ruleTitle":"ColdFusion must limit the maximum number of threads available for CFTHREAD.","description":"Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within ColdFusion framework.\n\nThe CFTHREAD service allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned. If set too high, this may lead to a context-switching situation. When this feature is not in use, the maximum number of threads must be 1.","checkContent":"Verify that CFTHREAD settings are appropriately configured when threading is not used by hosted applications.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Confirm with the administrator whether any hosted applications are using CFTHREAD for multithreading.\n\nIf CFTHREAD is in use, this is not a finding.\n\n3. If CFTHREAD is not used, verify that \"Maximum number of threads available for CFTHREAD\" is set to \"1\" to effectively disable threading.\n\nIf CFTHREAD is not used, and the \"Maximum number of threads available for CFTHREAD\" is set to a value other than \"1\", this is a finding.","fixText":"Configure CFTHREAD settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Set Maximum number of threads available for CFTHREAD to \"1\" to disable unnecessary threading.\n\n3. Click \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279081","ruleId":"SV-279081r1171481_rule","severity":"medium","ruleTitle":"ColdFusion must limit the maximum number of Web Service requests.","description":"Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. Web services are common targets for automated attacks, excessive load, or abuse through scripted queries and recursive payloads. If there is no limit on the number of web service requests a ColdFusion server will process, an attacker may overwhelm system resources such as memory, CPU, or network bandwidth, leading to service disruption.\n\nLimiting the maximum number of allowable web service requests per session, per client, or per time interval helps enforce resource control, prevent abuse, and maintain application availability. It also ensures that ColdFusion can prioritize legitimate traffic and maintain performance under heavy load.\n\nApplying limits on web service request volume reduces the attack surface and aligns with secure coding practices by ensuring application functionality is intentionally constrained to support operational requirements without exposing the system to unnecessary risk.","checkContent":"Determine Web Services usage.\n\n1. Interview the system administrator (SA), and/or review any of the following documentation:\n- Hosted application source code.\n- Hosted application design documentation.\n- Published web services design documentation.\n- ColdFusion baseline documentation.\n\n2. Confirm whether Web Services are published by any hosted applications.\n\nIf Web Services are being published, this requirement is not a finding.\n\n3. If Web Services are not being published, from the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n4. Locate the \"Maximum number of simultaneous Web Service requests\" setting and verify the value is set to \"1\".\n\nIf Web Services are not in use and the value is not set to \"1\", this is a finding.","fixText":"Configure Web Services usage.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Locate the \"Maximum number of simultaneous Web Service requests\" setting.\n\n3. Set the value to \"1\" to prevent unnecessary web service threads.\n\n4. Click \"Submit Changes\" to save the configuration.","ccis":["CCI-002385"]},{"vulnId":"V-279082","ruleId":"SV-279082r1171310_rule","severity":"medium","ruleTitle":"ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests.","description":"CFCs enable modular development by exposing functions that can be called locally or remotely. If the number of allowable CFC function requests is not limited, the application becomes vulnerable to abuse through excessive or malicious input. Attackers can exploit this by sending high volumes of CFC requests to exhaust server resources resulting in degraded performance or denial-of-service (DoS) conditions.\n\nUnrestricted access to CFC methods may also provide a path for attackers to probe the application for vulnerabilities, perform automated enumeration, or repeatedly invoke resource-intensive functions. This not only disrupts service availability but also increases the risk of lateral movement and further compromise within the application.\n\nEnforcing a limit on the number of allowable CFC function requests per session, per user, or per time period helps prevent resource exhaustion and supports predictable application behavior under load. If this feature is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When the feature is not in use, the maximum number must be set to 1.","checkContent":"Determine whether CFC functions are being called directly over HTTP or HTTPS by any hosted application. This can be verified by interviewing the system administrator (SA); or reviewing application source code, design documentation, or ColdFusion baseline documentation.\n\nIf CFC requests are used by hosted applications, this is not a finding.\n\n1. If CFC requests are not used by hosted applications, from the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Verify \" Maximum number of simultaneous CFC function requests\" is set to \"1\".\n\nIf CFC requests are not used by hosted applications and the \"Maximum number of simultaneous CFC function requests\" is not set to \"1\", this is a finding.","fixText":"1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.\n\n2. Set \"Maximum number of simultaneous CFC function requests\" to \"1\".\n\n3. Click \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279083","ruleId":"SV-279083r1171449_rule","severity":"medium","ruleTitle":"ColdFusion must configure Data Sources to limit SQL command and configure timeout.","description":"Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data.\n\nFailing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users.\n\nLimiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions.\n\nSatisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120","checkContent":"Verify that all defined data sources are configured.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.\n\n2. Determine if any data sources are defined. \n\nIf no data sources are defined, this is not a finding.\n\n3. For each Connected Data Source, edit the data source by clicking \"Show Advanced Settings\" to display all configuration options.\n\n4. Check whether the data source provides an option to specify a query timeout. \n\nIf the query timeout setting is not available, this is not a finding.\n\n5. If the query timeout setting is available, verify that the value is not set to \"0\", which indicates no timeout.\n\nIf any data source has a query timeout configured with a value of \"0\", this is a finding.\n\n6. Review \"Login Timeout (sec)\". \n\nIf there are any data sources with a \"Login Timeout (sec)\" set higher than 5, this is a finding.\n\nIf any of the data sources have CREATE, GRANT, DROP, REVOKE or ALTER checked, this is a finding.","fixText":"Configure data sources.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.\n\n2. For each data source, edit the data source configuration:\n\na. Click \"Show Advanced Settings\" to display all options.\n\nb. If the query timeout parameter is available, set the timeout value to a number greater than 0 to ensure queries do not run indefinitely.\n\nc. Set \"Login Timeout (sec)\" to less than 5.\n\nd. Uncheck the options allowing SQL commands:\nCREATE\nGRANT\nDROP\nREVOKE\nALTER\n\nd. Click \"Submit\" to save changes.","ccis":["CCI-002385","CCI-000197"]},{"vulnId":"V-279084","ruleId":"SV-279084r1171578_rule","severity":"medium","ruleTitle":"ColdFusion must not store user information in the server registry.","description":"Client variables in ColdFusion are used to persist user-specific information between requests and sessions. If the default storage mechanism for these client variables is set to the Windows registry, it introduces a number of security and performance risks. The Windows registry is not designed for high-frequency, dynamic data storage and lacks adequate security controls for storing sensitive session data. Storing client variables in the registry increases the risk of unauthorized access or data corruption, especially in environments where multiple services or users share access to the system.\n\nImproper configuration of the client variable purge interval can lead to excessive accumulation of stale data. If outdated session data is not purged in a timely manner it may result in degraded system performance, resource exhaustion, or inadvertent exposure of residual user data.\n\nEnsuring that client variables are stored in a more secure and scalable location (e.g., database or in-memory store) and that the purge interval is properly configured helps protect user data, improve system performance, and reduce the attack surface of the ColdFusion application environment.","checkContent":"Verify Client Variable Settings.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Client Variables.\n\nIf the default storage mechanism for client sessions is set to \"Registry\", this is a finding.\n\nIf the \"Purge Interval\" is not set to 1 hour and 7 minutes, this is a finding.","fixText":"Configure Client Variable settings. \n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Client Variables.\n\n2. Set the default storage mechanism for client sessions to any available mechanism other than the registry.\n\n3. Set \"Purge Interval\" to 1 hour and 7 minutes.\n\n4. Select \"Apply\".","ccis":["CCI-002385"]},{"vulnId":"V-279085","ruleId":"SV-279085r1171029_rule","severity":"medium","ruleTitle":"ColdFusion must limit the in-memory size of the virtual file system.","description":"Limiting the in-memory size of the virtual file system is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, the virtual file system can consume excessive memory, leading to performance degradation or server crashes. By setting a maximum in-memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.","checkContent":"Verify Memory Limit settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Interview the administrator to determine how much space if needed for the in-memory virtual file system.\n\nIf the \"Memory Limit for In-Memory Virtual File System\" is set to a number larger than required, this is a finding.","fixText":"Configure Memory Limit settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Set \"Memory Limit for In-Memory Virtual File System\" to the required amount.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279086","ruleId":"SV-279086r1171032_rule","severity":"medium","ruleTitle":"ColdFusion must limit the default maximum thread count for parallel functions.","description":"Setting a default maximum thread count for parallel functions is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, parallel functions can spawn an excessive number of threads, consuming server resources and potentially leading to performance degradation or crashes. By configuring a maximum thread count, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.","checkContent":"Verify Default Maximum Thread Count For Parallel Functions settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Interview the administrator to determine what the default maximum threads are required parallel functions.\n\nIf the \"Default Maximum Thread Count For Parallel Functions\" is set to a number larger than required, this is a finding.","fixText":"Configure Default Maximum Thread Count For Parallel Functions.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Set \"Default Maximum Thread Count For Parallel Functions\" to the required amount.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279087","ruleId":"SV-279087r1171035_rule","severity":"medium","ruleTitle":"ColdFusion must limit the maximum post data size.","description":"Limiting the maximum post data size is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, excessively large post data can consume server resources, leading to performance degradation or crashes. By setting a maximum post data size, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.","checkContent":"Verify Default Maximum size of post data settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Interview the administrator to determine what the maximum post data size is required for the hosted applications.\n\nIf the \"Maximum size of post data\" is set to a number larger than required, this is a finding.","fixText":"Configure Maximum size of post data settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Set \"Maximum size of post data settings\" to the required amount.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279088","ruleId":"SV-279088r1171038_rule","severity":"medium","ruleTitle":"ColdFusion must limit the request throttle memory.","description":"Limiting the request throttle memory is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, an excessive number of large requests can overwhelm the server, consuming memory and other resources, leading to performance degradation or crashes. Any requests made above the throttle threshold are considered throttled and cumulatively their total request size cannot be above the throttle memory setting. Any throttled requests made while insufficient throttle memory remaining will be queued. Any requests larger than the throttle memory will be rejected. By setting a request throttle memory limit, the server can manage its resources more effectively, ensuring that it remains responsive and available to handle client requests efficiently.","checkContent":"Verify Request Throttle Memory settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Interview the administrator to determine what the maximum post data size is required for the hosted applications.\n\nIf the \"Request Throttle Memory\" is not set to a 10 to 25 times multiple of the larger of \"Request Throttle Threshold\" or the maximum request size, this is a finding.","fixText":"Configure Maximum Request Throttle Memory settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Set \"Request Throttle Memory\" to the required amount.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279089","ruleId":"SV-279089r1171580_rule","severity":"medium","ruleTitle":"ColdFusion must set an organization defined maximum number of cached templates.","description":"Setting an appropriate maximum number of cached templates is crucial to balance server performance and resource usage. If the limit is set too low, it can lead to frequent cache misses, causing the server to regenerate templates more often, which can degrade performance. Conversely, if the limit is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced limit, the server can efficiently manage cached templates, ensuring optimal performance and availability.\n\nSatisfies: SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237","checkContent":"Verify Caching settings.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Caching.\n\nIf the \"Maximum number of cached templates\" is not set to a number between 256 and 4096, this is a finding.\n\nIf the trusted cache is not enabled, this is a finding.","fixText":"Configure Caching settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching.\n\n2. Set \"Maximum number of cached templates\" to a number between 256 and 4096.\n\n3. Check the checkbox for \"Trusted Cache\".\n\n4. Select \"Submit Changes\".","ccis":["CCI-002385","CCI-000366"]},{"vulnId":"V-279090","ruleId":"SV-279090r1171582_rule","severity":"medium","ruleTitle":"ColdFusion must set an organization defined maximum JVM heap size.","description":"Setting an appropriate maximum JVM heap size is crucial to balance server performance and resource usage. If the heap size is set too low, it can lead to frequent garbage collection, which can degrade performance. Conversely, if the heap size is set too high, it can consume excessive memory, leading to resource exhaustion and potential denial-of-service (DoS) attacks. By configuring a balanced maximum JVM heap size, the server can efficiently manage memory, ensuring optimal performance and availability.","checkContent":"Verify JVM Arguments heap size.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\nIf the \"Maximum JVM Heap Size (in MB)\" is not set to the required amount, this is a finding.","fixText":"Configure JVM Arguments heap size.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. Set \"Maximum JVM Heap Size (in MB)\" to the appropriate amount.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002385"]},{"vulnId":"V-279091","ruleId":"SV-279091r1171452_rule","severity":"medium","ruleTitle":"ColdFusion must set a nonzero timeout for web services.","description":"Setting a nonzero timeout for web services is crucial to prevent indefinite waiting periods that can lead to resource exhaustion and potential denial-of-service (DoS) attacks. Without a timeout, web services may hang indefinitely, consuming server resources and potentially causing ColdFusion to become unresponsive. By configuring a nonzero timeout, the server can terminate stalled web service requests, ensuring that resources are freed up and the server remains available to handle new requests efficiently.","checkContent":"Verify web services timeout.\n\n1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services.\n\n2. For each Active ColdFusion Web Services:\n\na. Click \"Edit\".\n\nb. Review the \"Timeout\" for each of the \"Active ColdFusion Web Services\" entries. \n\nIf any of the timeout values are set to 0, this is a finding.","fixText":"Configure web services timeout. \n\n1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services.\n\n2. For each Active ColdFusion Web Services:\n\na. Click \"Edit\".\n\nb. Set the \"Timeout\" setting to a duration appropriate for the service.\n\nc. Select \"Update Web Service\".","ccis":["CCI-002385"]},{"vulnId":"V-279092","ruleId":"SV-279092r1171584_rule","severity":"high","ruleTitle":"JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher.","description":"Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved TLS.\n\nTLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.\n\nColdFusion uses JVM to control the encryption of transmitted data. Settings for JVM can be controlled within the Administrator Console to configure the JVM to only use FIPS 140-2/140-3 or higher approved TLS and disable non-FIPS SSL versions.","checkContent":"Verify JVM Arguments for TLS.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\nThe parameter -Dhttps.protocols is used to set the TLS versions. Valid values for this setting must be TLS versions 1.2 or higher. \n\nExample: Dhttps.protocols=TLSv1.2,TLSv1.3 \n\nIf the \"JVM arguments\" setting does not contain the parameter \"Dhttps.protocols\" or if the parameter \"Dhttps.protocols\" contains any unapproved protocols or versions, this is a finding.","fixText":"Configure JVM Arguments for TLS.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. In Section JVM Arguments, add the parameter \"-Dhttps.protocols\" and set the parameter to the TLS versions to be used. \n\nExample: Dhttps.protocols=TLSv1.2,TLSv1.3 \n\n3. Select \"Submit Changes\".\n\n4. Restart ColdFusion for the changes take effect.","ccis":["CCI-002418"]},{"vulnId":"V-279093","ruleId":"SV-279093r1171053_rule","severity":"high","ruleTitle":"ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS).","description":"LDAP is commonly used for accessing and maintaining distributed directory information services. When LDAP authentication is performed without encryption, sensitive information such as usernames and passwords can be transmitted in clear text, making it vulnerable to interception and unauthorized access. By using TLS to secure LDAP authentication, the data transmitted between the client and the LDAP server is encrypted, ensuring the confidentiality and integrity of the authentication process. This practice helps protect against eavesdropping, man-in-the-middle attacks, and other security threats, thereby enhancing the overall security of the ColdFusion server and the applications it hosts. Regularly verifying and enforcing using TLS for LDAP authentication is essential for maintaining a secure server environment.","checkContent":"Verify LDAP is configured for TLS.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. Click \"Edit LDAP Configuration\".\n\nIf \"SSL/TLS\" is not enabled, this is a finding.","fixText":"Configure LDAP for TLS.\n\n1. From the Admin Console Landing Screen, navigate to Security >> Administrator.\n\n2. Click \"Edit LDAP Configuration\".\n\n3. Enable the \"SSL/TLS\" setting.\n\n4. Select \"Save\".\n\n5. Select \"Submit Changes\".","ccis":["CCI-002418"]},{"vulnId":"V-279094","ruleId":"SV-279094r1171587_rule","severity":"high","ruleTitle":"ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information.","description":"Export ciphers have weak encryption algorithms that were originally designed to comply with outdated export regulations. These ciphers provide minimal security and can be easily broken by attackers, leading to potential data breaches and unauthorized access. By removing all export ciphers from the supported cipher suites, the ColdFusion server ensures that only strong, secure encryption algorithms are used for data transmission. This practice helps protect sensitive information from being intercepted and compromised, thereby enhancing the overall security of the server and the applications it hosts. Regularly reviewing and updating the cipher suites to exclude weak ciphers is essential for maintaining a secure server environment.\n\nSatisfies: SRG-APP-000439-AS-000274, SRG-APP-000014-AS-000009, SRG-APP-000179-AS-000129, SRG-APP-000439-AS-000155","checkContent":"Cipher Validation in server.xml:\n\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml.\n\n2. Open the server.xml file in a text editor.\n\n3. Identify all <Connector> elements that are actively handling traffic (i.e., not solely configured to redirect to a secure port).\n\n4. Verify each <Connector> element includes either a ciphers attribute or an embedded <SSLHostConfig> element with a ciphers setting.\n\nIf the ciphers setting is not present, this is a finding.\n\n5. If the ciphers are present, compare them to the list of approved ciphers found in: NIST SP 800-52 Revision 2, Section 3.3.1.1.\n\nIf any unapproved or insecure ciphers are configured, this is a finding.\n\n6. Verify the protocols attribute is configured and using only approved secure protocols (e.g., TLS 1.2 or 1.3).\n\nIf the protocols attribute is not configured to use approved secure protocols (e.g., TLS 1.2 or 1.3), this is a finding.","fixText":"Secure Cipher and Protocol Configuration in server.xml:\n\n1. For each ColdFusion instance, navigate to: \n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml.\n\n2. Before making changes, back up the file to prevent accidental misconfiguration.\n\n3. Open server.xml in a text editor with administrative privileges.\n\n4. Locate each <Connector> element that handles secure traffic (i.e., has SSLEnabled=\"true\" and is not just a redirect).\n\n5. If the <Connector> does not contain a ciphers attribute or an <SSLHostConfig> block with ciphers, add one.\n\n6. Specify only ciphers approved by NIST SP 800-52 Revision 2, Section 3.3.1.1.\n\nExample Configuration:\n<Connector port=\"8443\"\n           maxThreads=\"150\"\n           SSLEnabled=\"true\"\n           scheme=\"https\"\n           SSLEnabled=\"true\">\n    <SSLHostConfig protocols=\"TLSv1.2,TLSv1.3\"\n                   ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\n                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\">\n        <Certificate certificateKeystoreFile=\"conf/keystore.jks\"\n                     certificateKeystorePassword=\"<password>\"\n                     type=\"RSA\"/>\n    </SSLHostConfig>\n</Connector>\n\nNote: Replace the example cipher list with the exact approved list relevant to the system and policy.\n\n7. Ensure only secure protocols are used (TLS 1.2 or 1.3).\n\n8. Remove or disable any deprecated protocols such as SSLv3, TLS 1.0, or TLS 1.1.\n\n9. Save and close the file.\n\n10. Restart ColdFusion to apply changes.","ccis":["CCI-002418","CCI-000068","CCI-000803"]},{"vulnId":"V-279095","ruleId":"SV-279095r1171617_rule","severity":"high","ruleTitle":"JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit.","description":"ColdFusion uses the underlying JVM to handle transmission and receiving data, but ColdFusion does offer the programmer an encrypt API call to protect the data. This call can use multiple crypto methods but using FIPS 140-2/140-3 or higher is superior to those non-FIPS crypto methods to protect and detect changes to the data. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS crypto methods.","checkContent":"Verify JVM Arguments for Crypto.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\nIf the JVM argument contains \"-Dcoldfusion.enablefipscrypto=false\" or\n \"-Dcoldfusion.enablefipscrypto\" is missing, this is a finding.\n\n2. Observe the ColdFusion edition at the top of the Administrator Console. \n\nIf the edition is \"Standard\", this is a finding.","fixText":"Configure JVM Arguments for Crypto.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. Amend JVM arguments with \"-Dcoldfusion.enablefipscrypto=true\".\n\n3. Click \"Submit Changes\".\n\n4. If not using Enterprise Edition or cryptographic mechanisms are not available, reinstall with Enterprise Edition.","ccis":["CCI-002421"]},{"vulnId":"V-279096","ruleId":"SV-279096r1171589_rule","severity":"medium","ruleTitle":"ColdFusion must encrypt patch retrieval.","description":"Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.","checkContent":"Verify that patch retrieval is performed securely, whether automated or manual.\n\nIf the Administrator Console is not used to retrieve patches, proceed to Step 2.\n\n1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n2. Review the Site URL fields for Update Site and Packages Site. Verify that all URLs are prefixed with \"https://\".\n\nIf any URL is not prefixed with \"https://\", this is a finding.\n\n3. If patches are retrieved manually, verify there is documented guidance describing the process.\n\n4. Confirm the documented process requires using an encrypted method to download patches, such as VPN tunneling, Secure Copy (SCP), or equivalent secure protocols.\n\nIf no documented process exists, or if the process does not require an encrypted method, this is a finding.","fixText":"If the Administrator Console is used for patch retrieval:\n\n1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n2. Locate the Site URL fields for \"Update Site\" and \"Packages Site\".\n\n3. Update each URL to ensure it is prefixed with \"https://\" so communication is encrypted.\n\n4. Select \"Submit Changes\".\n\nIf a manual process is used to retrieve patches:\n\n1. Develop and maintain documented procedures describing the manual patch retrieval process.\n\n2. Ensure the process specifies using an encrypted method for downloading patches (e.g., VPN tunneling, SCP, or equivalent secure protocols).","ccis":["CCI-002421"]},{"vulnId":"V-279097","ruleId":"SV-279097r1171591_rule","severity":"medium","ruleTitle":"ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols.","description":"The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or transmitted over unencrypted channels, they are susceptible to interception and tampering by malicious actors. This can lead to the introduction of malicious code, unauthorized access, and other security breaches. By ensuring that cfpm packages are transmitted using encrypted protocols, such as HTTPS, the integrity and confidentiality of the packages are maintained. This practice helps protect the server from potential threats and ensures that only trusted and verified packages are installed.","checkContent":"Verify Package Manager Settings.\n\nFrom the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\nIf any Site URL is configured with an \"HTTP\" , this is a finding.","fixText":"Configure Package Manager Settings.\n\n1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n2. Enter an \"HTTPS\" entry into each of the Site URL fields.\n\n3. Select \"Submit Changes\".","ccis":["CCI-002421"]},{"vulnId":"V-279098","ruleId":"SV-279098r1172830_rule","severity":"medium","ruleTitle":"The ColdFusion administrator must be using HTTPS to maintain the confidentiality and integrity of information during reception.","description":"Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nColdFusion must use approved encryption when receiving transmitted data by configuring the Tomcat Connector to use HTTPS.","checkContent":"Verify HTTPS.\n\n1. Locate the server.xml file for each ColdFusion instance located at: <ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\\n\n2. Open the server.xml file in a text editor.\n\n3. Locate all <Connector> elements configured with an HTTP protocol (e.g., protocol=\"org.apache.coyote.http11.Http11Protocol\" or Http11NioProtocol).\n\nIf any HTTP connector exists without SSLEnabled=\"true\" and is not commented out (<!-- ... -->), this is a finding.\n\nIf there is no active (uncommented) <Connector> configured with SSLEnabled=\"true\", scheme=\"https\", and secure=\"true\", this is a finding.","fixText":"Configure ColdFusion to use HTTPS and disable unsecured HTTP access.\n\n1. Locate the server.xml file for each ColdFusion instance located at: <ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\\n\n2. Open the server.xml file in a text editor.\n\n3. Locate all <Connector> elements using the HTTP protocol (e.g., protocol=\"org.apache.coyote.http11.Http11Protocol\" or Http11NioProtocol) without the attribute SSLEnabled=\"true\"\n\n4. Either delete these unsecured <Connector> tags or comment them out using XML syntax:\n\n<!-- <Connector port=\"8500\" protocol=\"org.apache.coyote.http11.Http11Protocol\" ... /> -->\n\n5. Locate a <Connector> tag that includes SSLEnabled=\"true\" and is configured to support HTTPS communication.\n\n6. If this tag is present but commented out, uncomment it by removing the <!-- and --> markers.\n\n7. If a secure HTTPS connector does not exist, create a new <Connector> tag within the <Service> element of the server.xml file. It should include the following attributes:\n\n<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\"\n           maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\"\n           clientAuth=\"false\" keystoreFile=\"/path/to/keystore\" keystorePass=\"changeit\"/>\n\n8. Replace /path/to/keystore with the actual path to the keystore file. \n\n9. Replace \"changeit\" with the actual password for the keystore.\n\n10. Save the file and restart ColdFusion for the changes to take effect.","ccis":["CCI-002422"]},{"vulnId":"V-279099","ruleId":"SV-279099r1172837_rule","severity":"medium","ruleTitle":"ColdFusion Backup Directory must be deleted.","description":"Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system.\n\nColdFusion creates a backup directory for an update when installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.","checkContent":"Verify Update Backup Directory has been deleted.\n\nNavigate to C:\\ColdFusion2023\\cfusion\\hf-updates.\n\nIf any backup directories exist in the \"hf-updates\" folder, this is a finding.\n\nNote: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.","fixText":"Remove Update Backups.\n\n1. Navigate to C:\\ColdFusion2023\\cfusion\\hf-updates.\n\n2. Remove any backups from hf-updates.","ccis":["CCI-002617"]},{"vulnId":"V-279100","ruleId":"SV-279100r1171595_rule","severity":"medium","ruleTitle":"ColdFusion must be set to automatically check for updates.","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.","checkContent":"Verify the ColdFusion server is configured to check for updates, either automatically or through a documented manual process.\n\n1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator (SA) or reviewing ColdFusion baseline documentation.\n\n2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n3. Verify \"Automatically Check for Updates\" is enabled (checked).\n\nIf the server has access to a patch repository and \"Automatically Check for Updates\" is not enabled, this is a finding.\n\n4. If the server does not have access to a patch repository, confirm that a documented manual process exists for checking and retrieving updates. The documented process must specify where to obtain updates, and how often updates are to be checked.\n\nIf no documented process exists, or if the process does not include both location and frequency, this is a finding.","fixText":"Configure ColdFusion to check for updates.\n\n1. If the ColdFusion server has access to a patch repository:\n\na. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\nb. Enable the \"Automatically Check for Updates\" option by checking the box.\n\nc. Save the configuration.\n\n2. If the ColdFusion server does not have access to a patch repository:\n\na. Develop and maintain documented procedures describing the manual update process.\n\nb. Ensure the documentation includes the location where patches and updates will be obtained (e.g., Adobe website, internal repository) and the frequency with which updates will be checked (e.g., weekly, monthly).","ccis":["CCI-002605"]},{"vulnId":"V-279101","ruleId":"SV-279101r1171077_rule","severity":"medium","ruleTitle":"ColdFusion must have notifications enabled when a server update is available.","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.\n\nHaving \"Check for updates every\" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify guarantees a notification is sent to the administrator.","checkContent":"Verify that the ColdFusion server is configured to notify administrators when updates are available, either automatically or through a documented manual process.\n\n1. Confirm whether the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This can be verified by interviewing the system administrator or reviewing ColdFusion baseline documentation.\n\n2. If the server has access to a patch repository, from the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n3. Verify the following settings:\n- \"Check for updates every\" is enabled (checked).\n- A positive integer value (1 or greater) is entered for days.\n- At least one valid email address is entered in \"If updates are available, send email notification to\" field.\n\nIf any of these conditions are not met, this is a finding.\n\n4. If the server does NOT have access to a patch repository, verify that a documented notification process exists describing how administrators are informed of available patches. Administrators are enrolled in the Adobe automated patch notification service.\n\n5. To confirm enrollment, request a verification email or a recent patch notification email from Adobe.\n\nIf no documented notification process exists, or administrators are not enrolled in Adobe's notification service, this is a finding.","fixText":"If the ColdFusion server has access to a patch repository:\n\n1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.\n\n2. Enable \"Check for updates every\" by checking the box.\n\n3. Enter a value greater than 0 in the \"Days\" field to define the update check interval.\n\n4. Enter at least one valid email address in the \"If updates are available, send email notification to\" field.\n\n5. Click \"Submit Changes\" to save the configuration.\n\nIf the ColdFusion server does NOT have access to a patch repository:\n\n1. Develop and maintain documented procedures describing how update notifications will be received.\n\n2. Enroll all administrators in the Adobe automated patch notification service.\n\n3. Retain a copy of the verification or confirmation email demonstrating enrollment.","ccis":["CCI-002605"]},{"vulnId":"V-279102","ruleId":"SV-279102r1171420_rule","severity":"medium","ruleTitle":"Installed versions of ColdFusion must be supported by the vendor.","description":"Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported software no longer receives security patches, bug fixes, or vendor support, leaving known vulnerabilities unaddressed and exploitable by threat actors. These versions may contain flaws that have been publicly disclosed and weaponized, making them an easy target for attackers.\n\nContinuing to use obsolete ColdFusion versions increases the risk of system compromise, data exposure, and unauthorized access to application resources. \n\nEnsuring that only supported and maintained versions of ColdFusion are deployed allows the organization to receive timely updates, apply critical patches, and maintain compliance with DOD security requirements. Removing or upgrading unsupported instances helps reduce the attack surface, mitigate vulnerabilities, and ensure ColdFusion processes operate securely and reliably.","checkContent":"Verify the ColdFusion version. \n\n1. Open the ColdFusion Administrator Console.\n\n2. Identify the version of ColdFusion currently installed (displayed in the upper-right system information icon).\n\n3. Navigate to Adobe's official \"Product and technical support periods\" page:\nhttps://helpx.adobe.com/support/programs/eol-matrix.html\n\n4. Locate the ColdFusion product version in the matrix and review the listed \"End of Core Support\" and/or \"End of Extended Support\" dates.\n\nIf the version of ColdFusion in use has passed its support period (core or extended), this is a finding.","fixText":"Upgrade ColdFusion to a supported version or uninstall the application. All upgrade or uninstall actions must be executed in accordance with an approved application management plan.","ccis":["CCI-000366"]},{"vulnId":"V-279103","ruleId":"SV-279103r1171485_rule","severity":"medium","ruleTitle":"ColdFusion must execute as a nonprivileged user.","description":"Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. \n\nBecause ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be set up to execute as unprivileged users. This protects server resources, OS hosted applications, and organization resources should the ColdFusion application server become compromised.","checkContent":"1. For ColdFusion running on Windows, run the snap-in services.msc.\n\na. Locate the ColdFusion section of services.\n\nb. Right-click on each ColdFusion service and select \"Properties\".\n\nc. Select the \"Log On\" tab.\n\nIf any service has \"Local System account\" selected, this is a finding.\n\n2. For each user account of the services that is a local account run the snap-in compmgmt.msc.\n\na. Expand the \"Local Users and Groups\" in the left pane under \"System Tools\" to view the \"Users\" and \"Groups\" folders.\n\nb. Select the \"Users\" folder and the users will be listed in the right pane.\n\nc. Right-click a user that runs a ColdFusion service.\n\nd. Select \"Properties\" on the menu.\n\ne. Select the \"Member Of\" tab.\n\nIf any groups are listed, this is a finding.\n\n3. Click on the \"Remote Desktop Services Profile\" tab.\n\nIf the \"Deny this user permissions to log on to Remote Desktop Session Host server\" is not checked, this is a finding.\n\n4. For each user account of the services that is a domain account, review the groups for each user account on the domain controller.\n\nIf any groups are listed, this is a finding.\n\n5. For ColdFusion running on Linux:\n\na. Change to the bin directory in the ColdFusion instance directory.\n\nb. Execute the command: \ngrep -i -m 1 runtime_user sysinit\n\nc. The user being used to execute ColdFusion will be listed. \n\nd. View the user within the /etc/passwd file.\n\ne. Make note of the user id and group id. For example, if the line in the passwd file is cfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin, the user id is 500 and the group id is 501.\n\nIf the user id or the group id is set to 0, this is a finding.","fixText":"For ColdFusion running on Windows:\n\n1. Create a user for the ColdFusion services locally by running the snap-in compmgmt.msc or on the domain controller.\n\n2. Follow any organization specific policies in place and Windows STIGs for password complexity, usernames, etc. Remove all groups and ensure the user account does not have permission to connect via Remote Desktop.\n\n3. Run the snap-in services.msc.\n\n4. Locate the ColdFusion services.\n\n5. Right-click on a ColdFusion service and select \"Properties\".\n\n6. Select the \"Log On\" tab.\n\n7. Click on the \"This account:\" radio button.\n\n8. Enter the username and password for the user account that was just created.\n\n9. Select \"Ok\" to save the changes.\n\n10. Repeat steps 3 through 9 for each ColdFusion service.\n\nColdFusion running on Linux:\n1. Create a group for the user account that will run the ColdFusion service by executing the command groupadd. For example, if the group being created is webusers, the command would be \"groupadd webusers\".\n\n2. Create the user account for the service by executing the command useradd. For example, if the user being created is cfuser without creating a home directory, the command would be \"useradd -M cfuser\".\n\n3. Lock the user account so that it cannot be used to log in by executing the command usermod. For example, to lock user cfuser, the command would be \"usermod -L cfuser\".\n\n4. Add the user account to the group by executing the command usermod. For example, to add cfuser to the group webusers, the command would be \"usermod -G webusers cfuser\".\n\n5. Change to the bin directory in the ColdFusion instance directory.\n\n6. Edit the sysinit file.\n\n7. Locate the text \"RUNTIME_USER= within sysinit\".\n\n8. Update the user account being used to run the ColdFusion service.","ccis":["CCI-000366"]},{"vulnId":"V-279104","ruleId":"SV-279104r1171486_rule","severity":"medium","ruleTitle":"The ColdFusion Root Administrator account must have a unique username.","description":"The ColdFusion Root Administrator account is an administrative account setup during the installation process. This account has privileges to view, update and delete data within the entire ColdFusion Administrator Console. The account is meant to be used to set up ColdFusion after installation but should only be used in emergency situations once user accounts are created. The account is similar to the Administrator account in Windows or the root account in Linux.\n\nTo help protect the account, the account username should not be admin or administrator. If set up with these usernames, an attacker already knows 50 percent of the information needed to gain access. A unique and not easily guessable username must be used to hinder the discovery of the account credentials.","checkContent":"Verify that the ColdFusion Root Administrator username is not set to a default or easily guessable value such as \"admin\" or \"administrator\" (in any case variation).\n\n1. Locate the neo-security.xml file. The file is typically located in the \"lib\" folder under the ColdFusion instance directory.\n\n2. For ColdFusion on Windows:\n\na. Open neo-security.xml in Notepad. Right-click the file and choose \"Open With Notepad\".\nTip: Enable Word Wrap under the \"Format\" menu for easier reading.\n\nb. Navigate to Edit >> Find and search for:\n'admin.userid.root'>\n\nc. Locate the <string> element immediately following this tag.\n<var name='admin.userid.root'><string>Administrator</string></var>\n\n3. For ColdFusion on Linux:\n\na. Navigate to the directory containing neo-security.xml.\n\nb. Run the following command to extract the relevant tag:\ngrep -ohE \"'admin.userid.root'><string>[^<]*</string>\" neo-security.xml\n\nc. Note the username displayed between <string> and </string>.\n\nIf the Root Administrator username is any uppercase or lowercase variation of \"admin\" or \"administrator\" (Examples: admin, Admin, ADmIN, admInistrAtor, Administrator, ADMINISTRATOR), this is a finding.","fixText":"Change the Root Administrator username to a unique value that is not a variation of \"admin\" or \"administrator\".\n\n1. Locate the neo-security.xml file. The file is typically located in the \"lib\" folder under the ColdFusion instance directory.\n\n2. Make a backup copy of the file before making any modifications.\n\n3. For ColdFusion running on Windows:\n\na. Open neo-security.xml in Notepad. Right-click the file and choose \"Open With Notepad\".\nTip: Enable Word Wrap under the \"Format\" menu for easier reading.\n\nb. Navigate to Edit >> Find and search for:\n'admin.userid.root'>\n\nc. Locate the <string> element that contains the Root Administrator username:\n<var name='admin.userid.root'><string>Administrator</string></var>\n\nd. Replace the existing username with a unique name that is not any case variation of \"admin\" or \"administrator\".\n\ne. Save the file. \n\nf. Restart ColdFusion for the changes to take effect.\n\n4. For ColdFusion running on Linux:\n\na. Navigate to the directory containing neo-security.xml.\n\nb. Open the file neo-security.xml in a preferred text editor (e.g., nano, vim).\n\nc. Locate the <var name='admin.userid.root'> tag:\nThe username appears between the <string> and </string> tags\nExample:\n<var name='admin.userid.root'><string>Administrator</string></var>\n\nd. Replace the existing username with a unique name that is not any case variation of \"admin\" or \"administrator\".\n\ne. Save the file.\n\nf. Restart ColdFusion to apply the changes.\n\n5. Validate that the new username is being used and that the system is operating properly. \n\n6. Once validated, securely delete the backup neo-security.xml file created earlier.","ccis":["CCI-000366"]},{"vulnId":"V-279105","ruleId":"SV-279105r1171428_rule","severity":"medium","ruleTitle":"ColdFusion must protect newly created objects.","description":"During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive.","checkContent":"For ColdFusion running on Windows, this finding is not applicable.\n \nColdFusion running on Linux:\n1. Locate the file \"sysinit\" in the bin directory under the ColdFusion instance directory. For example, the file could be found at \\opt\\coldfusion2023\\cfusion\\bin\\sysinit, if the ColdFusion instance directory was \\opt\\coldfusion2023\\cfusion.\n\n2. Edit the \"sysinit\" file.\n\n3. Locate the umask setting. It must be located near the top of the file, but below the #description comment.\n \nIf the umask is not set to 007 or more restrictive, this is a finding.","fixText":"For ColdFusion running on Windows, this finding is not applicable.\n \nColdFusion running on Linux:\n1. Locate the file \"sysinit\" in the bin directory under the ColdFusion instance directory. For example, the file could be found at \\opt\\coldfusion2023\\cfusion\\bin\\sysinit, if the ColdFusion instance directory was \\opt\\coldfusion2023\\cfusion.\n\n2. Edit the \"sysinit\" file.\n\n3. Locate the umask setting. It must be located near the top of the file, but below the #description comment.\n \n4. Set umask setting to 007 or more restrictive.\n\n5. Save and close the file.","ccis":["CCI-000366"]},{"vulnId":"V-279106","ruleId":"SV-279106r1171597_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to set the cookie settings.","description":"Cookies are often used to maintain user sessions in web applications. However, if cookies are not properly managed, they can pose a security risk. Persistent cookies that do not expire when the browser is closed can be exploited by attackers to gain unauthorized access to user sessions. By setting the cookie timeout to -1, ColdFusion ensures that cookies are only valid for the duration of the browser session. This means that when the user closes their browser, the session cookies are automatically deleted, reducing the risk of session hijacking and unauthorized access.\n\nIn ColdFusion, administrators can configure the cookie timeout to -1 to enforce browser-session-based cookies. This setting enhances the security of the application by ensuring that user sessions are terminated when the browser is closed, thereby preventing potential security breaches.\n\nSatisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095, SRG-APP-000439-AS-000155, SRG-APP-000441-AS-000258","checkContent":"Verify Session Cookie Settings.\n\nFrom the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.\n\nIf the Cookie Timeout is not set to \"-1\", this is a finding.\n\nIf \"Disable updating ColdFusion internal cookies using ColdFusion tags/functions\" is not checked, this is a finding.\n\nIf the \"Cookie Samesite default value\" is not set to \"Lax\" or \"Strict\" for a default value, this is a finding.","fixText":"Configure Session Cookie Settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables >> Session Cookie Settings.\n\n2. If the Cookie Timeout is not set to -1, update the setting to -1 to ensure session cookies do not expire prematurely.\n\n3. If \"Disable updating ColdFusion internal cookies using ColdFusion tags/functions.\" is not checked, enable this setting to prevent unauthorized modification of internal cookies.\n\n4. If the \"Cookie Samesite default value\" is not set to \"Lax\" or \"Strict\", configure it to one of these values to enhance security against cross-site request forgery (CSRF) attacks.\n\n5. Select \"Submit Changes\".","ccis":["CCI-000366","CCI-000381","CCI-002418","CCI-002420"]},{"vulnId":"V-279107","ruleId":"SV-279107r1171430_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely.","description":"CORS is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. However, mobile applications often need to access resources from different origins. Enabling CORS allows the server to specify which origins are permitted to access its resources, thereby ensuring secure communication between the mobile application and the server.\n\nIn ColdFusion, administrators can configure ColdFusion to enable CORS by specifying the allowed origins, methods, and headers. This setting enhances the security of the application by ensuring that only trusted origins can access the server's resources, thereby preventing unauthorized access and data breaches.\n\nSatisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095","checkContent":"Validate Mobile Services settings.\n\n1. Ask the administrator if ColdFusion Mobile services are being used by any hosted applications.\n\nIf hosted applications are using the service, this is not a finding.\n\n2. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\nIf \"Enable mobile's server workflow\" is checked, this is a finding.\n\n3. Review the \"Enable CORS\" setting.\n\nIf CORS is not enabled, this is a finding.\n\n4. Review the \"Mobile server context\" setting.\n\nIf the mobile server context is set to \"cfmobile\", this is a finding.","fixText":"Configure Mobile Services settings.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.\n\n2. Uncheck \"Enable mobile's server workflow\" if it is checked.\n\n3. Enable CORS to address this finding if it is not already enabled.\n\n4. Update the mobile server context to a value other than \"cfmobile\" if it is currently set to \"cfmobile\".\n\n5. Select \"Submit Changes\".","ccis":["CCI-000366","CCI-000381"]},{"vulnId":"V-279108","ruleId":"SV-279108r1171098_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.","description":"Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they can be exploited by attackers through cross-site scripting (XSS) attacks. By setting the HTTPOnly attribute on session cookies, ColdFusion ensures that these cookies are not accessible to client-side scripts, thereby mitigating the risk of XSS attacks. This configuration enhances the security of the application by preventing unauthorized access to session cookies and protecting sensitive user information.","checkContent":"Verify Session Cookie setting \"HTTPOnly\".\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Locate the options labeled \"Session Cookie Settings\".\n\nIf  \"HTTPOnly\" setting is not enabled (checked) for session cookies, this is a finding.","fixText":"Configure Session Cookie setting.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Locate the options labeled \"Session Cookie Settings\".\n\n3. Enable (check) the\"HTTPOnly\" option.\n\n4. Select \"Submit Changes\".","ccis":["CCI-000366"]},{"vulnId":"V-279109","ruleId":"SV-279109r1171101_rule","severity":"medium","ruleTitle":"ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections.","description":"Session cookies are often transmitted over the network, and if they are not protected, they can be intercepted by attackers. By enabling the Secure attribute on session cookies, ColdFusion ensures that these cookies are only transmitted over secure HTTPS connections. This configuration helps protect the confidentiality and integrity of session cookies during transmission, reducing the risk of session hijacking and unauthorized access. Enabling the Secure attribute is a critical security measure to ensure that session cookies are not exposed to potential attackers.","checkContent":"Verify Session Cookie \" Secure Cookie\" setting.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Locate the options labeled \"Session Cookie Settings\".\n\nIf \"Secure Cookie\" setting is not enabled (checked) for session cookies, this is a finding.","fixText":"Configure Session Cookie setting.\n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.\n\n2. Locate the options labeled \"Session Cookie Settings\".\n\n3. Enable (check) the Secure Cookie option.\n\n4. Select \"Submit Changes\".","ccis":["CCI-000366"]},{"vulnId":"V-279110","ruleId":"SV-279110r1171432_rule","severity":"medium","ruleTitle":"ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version.","description":"The JRE is a critical component of the ColdFusion server, providing the necessary runtime environment for executing Java applications. Keeping the JRE updated to the latest version is essential for maintaining the security and stability of the server. Outdated versions of the JRE may contain vulnerabilities that can be exploited by attackers to gain unauthorized access, execute arbitrary code, or cause denial of service. Regularly updating the JRE ensures that the server is protected against known vulnerabilities and benefits from the latest security enhancements and performance improvements.","checkContent":"Verify JRE.\n\n1. From the Admin Console Landing Screen, navigate to the System Information page by clicking the \"i\" button on the right side of the top navbar.\n\n2. Review the Java Version and verify it matches the latest version available.\n\nIf the version is not the latest, this is a finding.","fixText":"Install the latest version of the supported JRE. \n\n1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.\n\n2. Change the \"Java Virtual Machine Path\" value to the folder with the latest JRE.\n\n3. Select \"Submit Changes\".\n\n4. Restart ColdFusion.","ccis":["CCI-000366"]},{"vulnId":"V-279111","ruleId":"SV-279111r1171107_rule","severity":"medium","ruleTitle":"ColdFusion must have CFIDE blocked in the uriworkermap.properties file.","description":"CFIDE is a directory used by ColdFusion for administrative and development purposes. If access to CFIDE is not properly restricted, it can expose sensitive administrative interfaces and development tools to unauthorized users. This can lead to potential security breaches, including unauthorized access to the ColdFusion Administrator, exposure of sensitive configuration information, and the ability to execute arbitrary code. By blocking access to CFIDE in the uriworkermap.properties file, the ColdFusion server ensures that these critical resources are protected from unauthorized access. Regularly verifying and enforcing the blocking of CFIDE is essential for maintaining a secure server environment and preventing potential security vulnerabilities.","checkContent":"Verify the \"uriworkermap.properties: file.\n\n1. Locate the ColdFusion install folder under the config\\wsconfig\\<number> folders.\n\n2. Review the \"uriworkermap.properties\" files for a line that matches this:\n!/CFIDE* = cfusion\n\nIf the line is not found, this is a finding.","fixText":"Configure the \"uriworkermap.properties: file.\n\n1. Locate the ColdFusion install folder under the config\\wsconfig\\<number> folders.\n\n2. Open and edit the \"uriworkermap.properties\" file and add the line:\n!/CFIDE* = cfusion\n\n3. Save the file.","ccis":["CCI-000366"]},{"vulnId":"V-279112","ruleId":"SV-279112r1171599_rule","severity":"medium","ruleTitle":"ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization.","description":"Trust stores and certificate stores in ColdFusion are used to validate the authenticity of digital certificates during secure communications. If these stores include unapproved or rogue trust anchors they introduce the risk of trusting malicious or compromised certificates. This can lead to man-in-the-middle (MitM) attacks, spoofing of trusted services, or unauthorized data decryption.\n\nOnly including approved trust anchors ensures that ColdFusion trusts only vetted entities for secure communications. This protects against the installation of unauthorized certificates that could be used to intercept or manipulate encrypted traffic.\n\nMaintaining strict control over which trust anchors are included in ColdFusion's trust and certificate stores is essential to upholding the integrity and confidentiality of system communications. It also ensures alignment with enterprise Public Key Infrastructure (PKI) policies and reduces the risk of inadvertently trusting a compromised or untrusted source.","checkContent":"Validate Connection.\n\n1. Open cacert by executing the following command:\nC:\\ColdFusion2023\\jre\\bin\\keytool -list -keystore C:\\ColdFusion2023\\jre\\lib\\security\\cacerts\n\nIf any outbound certificates listed are not approved, this is a finding.\n\n2. In each ColdFusion instance, open the server.xml file:\n<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml \n\n3. Verify all uncommented connector tags for the word \"keystorefile\":\n\na. Make note of any keystore path and filename.\n\nb. For each file found with the connector tag \"keystorefile\", execute the following command:\nC:\\ColdFusion2023\\jre\\bin\\keytool -list -keystore <keystorefile>\n\nIf any inbound certificates listed are not approved, this is a finding.","fixText":"Configure connection.\n\nFor all untrusted certificates identified execute the following command:\nC:\\ColdFusion2023\\jre\\bin\\keytool -delete -alias \"<certificate alias>\" -keystore <keystorefile>","ccis":["CCI-004909"]},{"vulnId":"V-279129","ruleId":"SV-279129r1171553_rule","severity":"medium","ruleTitle":"ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package.","description":"The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performance troubleshooting, introduce unnecessary risk in a DOD environment. The PMT agent collects, stores, and transmits detailed information about ColdFusion server activity, queries, and application behavior. If deployed in production, this agent can inadvertently expose sensitive system details, execution paths, or database query patterns to unauthorized individuals.\n\nThe PMT Agent Package increases the attack surface by adding additional components, services, and ports that must be secured, monitored, and patched. Improperly configured or unmonitored PMT agents could allow adversaries to gain insights into application internals, conduct reconnaissance, or pivot toward exploiting ColdFusion services.\n\nBy prohibiting the installation of the PMT Agent Package, system administrators reduce complexity, limit potential vulnerabilities, and enforce the principle of least functionality.","checkContent":"Verify the PMT Agent Package is not installed.\n\nFrom the Admin Console Landing Screen, navigate to Package Manager>> Packages.\n\nIf the “pmtagent” package is listed under the \"Installed Packages\" section, this is a finding.","fixText":"Uninstall the PMT Agent Package.\n\n1. From the Admin Console Landing Screen, navigate to Package Manager>> Packages.\n\n2. Select the \"pmtagent\" package.\n\n3. Select \"Uninstall\".\n\n4. Select  \"OK\".","ccis":["CCI-001199"]}]}