V-279048

CAT III (Low)

ColdFusion must have Tomcat configured with deployXML disabled.

Rule ID

SV-279048r1171516_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381

Discussion

The deployXML setting in Tomcat controls whether the server will automatically deploy and process context.xml files found within web application directories. When enabled, this feature allows web applications to define their own context-level configurations, which may override secure global settings or introduce insecure configurations without administrator knowledge or oversight. Allowing applications to self-deploy XML configuration files increases the risk of misconfiguration, privilege escalation, or malicious reconfiguration. Disabling deployXML enforces centralized control over context configurations, reduces the risk of insecure deployments, and aligns with the principle of least functionality.

Check Content

DeployXML Configuration in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Review the server.xml configuration by opening the server.xml file in a text editor.

3. Search for all <Host> elements.

4. Check the deployXML attribute. Inspect each <Host> element for the deployXML setting.

If any <Host> element has deployXML="true", this is a finding.

Fix Text

Disable deployXML in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Before making any changes, create a backup copy of the file.

Windows Example:
copy server.xml server.xml.bak

Linux Example:
cp server.xml server.xml.bak

3. Edit the configuration by opening server.xml in a text editor with administrative privileges.

4. Locate all <Host> elements with:
deployXML="true"

5. Change all attributes to:
deployXML="false"

6. Restart ColdFusion to apply the configuration changes.

7. Confirm that ColdFusion services started successfully.

8. Reopen server.xml to confirm that deployXML="false" is set for all <Host> elements.
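
The Check Content steps and the step 8 re-verification can be scripted as follows. This is an added example, not part of the STIG or of Adobe's tooling. It goes beyond the check text by also listing hosts where deployXML is omitted or is not a literal boolean, because Tomcat's default for deployXML is true unless a security manager is in use. The function name, the "review" category and the sample XML are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not copied from a real installation.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" deployXML="false"/>
      <Host name="intranet" appBase="apps2" deployXML="TRUE"/>
      <Host name="legacy" appBase="apps3"/>
      <Host name="templated" appBase="apps4" deployXML="${deploy.xml}"/>
    </Engine>
  </Service>
</Server>
"""


def audit_deploy_xml(xml_text):
    """Sort every <Host> into finding / review / ok by its deployXML value."""
    result = {"finding": [], "review": [], "ok": []}
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "<unnamed>")
        value = host.get("deployXML")
        if value is None:
            # Attribute omitted: Tomcat's default applies, so check by hand.
            result["review"].append((name, "deployXML not set"))
        elif value.strip().lower() == "true":
            # The STIG finding condition; case is ignored to be conservative.
            result["finding"].append((name, value))
        elif value.strip().lower() == "false":
            result["ok"].append((name, value))
        else:
            # Property placeholder or unexpected value: cannot be decided here.
            result["review"].append((name, value))
    return result


if __name__ == "__main__":
    # With a path argument, audit that server.xml; otherwise run the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    report = audit_deploy_xml(text)
    for status, hosts in report.items():
        for name, detail in hosts:
            print(f"{status.upper():8} Host {name}: {detail}")
    sys.exit(1 if report["finding"] else 0)
```

The exit status is 1 only when a host matches the STIG finding condition, so the script can gate a deployment or compliance job. Entries under "review" need a manual decision.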