
V-279047

CAT III (Low)

ColdFusion must have only approved Tomcat connectors enabled.

Rule ID

SV-279047r1171513_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381

Discussion

Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols. To minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality.

Check Content

Review the SSP for the list of approved connectors and their associated TCP/IP ports. Verify that only approved connectors are present.

1. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Open the server.xml file in a text editor. Locate the "Connector" tags that are not commented out.

3. Verify all connectors and their associated network ports are approved in the system security plan (SSP).

If connectors are found but are not approved in the SSP, this is a finding.
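
Steps 2 and 3 of the check can be scripted. The following is an added example, not part of the STIG or of Adobe's tooling: it lists the Connector elements that are not commented out and flags any whose port and protocol pair is missing from an allow-list. The sample server.xml and the APPROVED set are constructed for illustration; real approved values come from the SSP.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not taken from a real ColdFusion instance.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/> -->
    <Connector port="8018" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Hypothetical allow-list transcribed from the SSP: (port, protocol) pairs.
# Ports are kept as strings so a non-numeric value in the file is still reported.
APPROVED = {("8500", "HTTP/1.1")}


def active_connectors(server_xml_text):
    """Return one dict per Connector element that is not commented out.

    The ElementTree parser discards XML comments, so a Connector wrapped
    in <!-- ... --> never appears in the result.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for service in root.iter("Service"):
        for conn in service.findall("Connector"):
            found.append({
                "service": service.get("name", ""),
                "port": conn.get("port", ""),
                # Tomcat treats a Connector without a protocol as HTTP/1.1.
                "protocol": conn.get("protocol", "HTTP/1.1"),
                "address": conn.get("address", "(all interfaces)"),
            })
    return found


def unapproved(connectors, approved):
    """Return the connectors whose (port, protocol) pair is not approved."""
    return [c for c in connectors if (c["port"], c["protocol"]) not in approved]


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for c in unapproved(active_connectors(text), APPROVED):
        print(f"FINDING: {c['protocol']} connector on port {c['port']} "
              f"({c['address']}) in service {c['service']!r} is not in the SSP")
```

Run it once per ColdFusion instance, since each instance has its own server.xml.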

Fix Text

1. Obtain information system security officer (ISSO) approvals for the configured connectors and document in the SSP.

2. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

3. Create a backup of this file.

4. Edit the file and remove any unapproved connectors by deleting the "Connector" tag or by commenting out the configuration with XML comment syntax, which starts with <!-- and ends with -->.