STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279065

CAT II (Medium)

ColdFusion must have sandboxes enabled and defined.

Rule ID

SV-279065r1171383_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001082, CCI-000366

Discussion

ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks.

Isolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server.

This architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities.

Satisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237

Check Content

Verify Sandbox Security.

1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.

2. The Administrator Console must have a sandbox separate from the other hosted applications.

If there are no sandboxes implemented for the Administrator Console, this is a finding.

3. Sandboxes must be set up for all other hosted applications.

If there are no sandboxes implemented for other hosted applications, this is a finding.

If the "Enable ColdFusion Sandbox Security" option is not checked, this is a finding.
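The three finding conditions of this check, encoded as an audit over a constructed configuration. This is an added example, not part of the STIG or of ColdFusion; the dictionary layout, the sandbox paths and the Administrator Console and application roots are assumptions, not the format in which ColdFusion stores its own settings.

```python
import posixpath

# Constructed sample input (NOT ColdFusion's own settings format): what an assessor
# would transcribe from Server Security >> Sandbox Security. Paths are assumptions.
SAMPLE_CONFIG = {
    "sandbox_security_enabled": True,
    "sandboxes": [
        "/opt/coldfusion/cfusion/wwwroot/CFIDE/administrator",
        "/var/www/apps/site1",
    ],
}
ADMIN_ROOT = "/opt/coldfusion/cfusion/wwwroot/CFIDE/administrator"  # assumed
APP_ROOTS = ["/var/www/apps/site1", "/var/www/apps/site10"]         # assumed


def _covered_by(path, sandbox):
    """True when path lies inside the sandbox directory tree.

    A separator is appended before comparing so that a sandbox on
    /apps/site1 does not accidentally count as covering /apps/site10.
    """
    p = posixpath.normpath(path)
    s = posixpath.normpath(sandbox)
    return p == s or p.startswith(s.rstrip("/") + "/")


def evaluate_sandbox_security(config, admin_root, app_roots):
    """Return the list of V-279065 findings (an empty list means compliant)."""
    findings = []
    if not config.get("sandbox_security_enabled"):
        findings.append('"Enable ColdFusion Sandbox Security" is not checked')
    sandboxes = config.get("sandboxes", [])
    # Check 2: the Administrator Console needs its own sandbox ...
    admin_boxes = [s for s in sandboxes if _covered_by(admin_root, s)]
    if not admin_boxes:
        findings.append("no sandbox implemented for the Administrator Console")
    # ... and "separate" means that sandbox must not also cover a hosted application.
    for s in admin_boxes:
        shared = [a for a in app_roots if _covered_by(a, s)]
        if shared:
            findings.append(f"sandbox {s} covers both the Administrator Console and {shared}")
    # Check 3: every hosted application needs a sandbox other than the admin one.
    for app in app_roots:
        if not any(_covered_by(app, s) for s in sandboxes if s not in admin_boxes):
            findings.append(f"no sandbox implemented for hosted application {app}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_sandbox_security(SAMPLE_CONFIG, ADMIN_ROOT, APP_ROOTS):
        print("FINDING:", finding)
```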

Fix Text

Configure Sandbox Security.

1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.

2. Check the "Enable ColdFusion Sandbox Security" option.

3. Create sandboxes for the applications.

4. Create a sandbox for the Administrator Console.

5. Select "Submit Changes".