V-279031

CAT II (Medium)

The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors.

Rule ID: SV-279031r1171492_rule

STIG: Adobe ColdFusion Security Technical Implementation Guide

Version: V1R1

CCIs: CCI-001453

Discussion

Using only FIPS 140-2/140-3 or higher approved cryptographic modules for encryption helps ensure the confidentiality and integrity of transmitted data. Allowing non-FIPS-approved or outdated encryption modules increases the attack surface and exposes the system to known vulnerabilities. Attacks such as POODLE and its variants exploit weaknesses in noncompliant cryptographic protocols by forcing HTTPS communications to downgrade to insecure cipher suites. This allows an attacker to decrypt sensitive data through man-in-the-middle techniques. Enforcing FIPS 140-2/140-3 and higher validated modules mitigates this risk by preventing fallback to weak encryption algorithms.

Check Content

Verify FIPS Mode in Configuration. 

1. For each ColdFusion instance, locate the server.xml file in the following directory:
<ColdFusion Install Directory>\runtime\conf

2. Open server.xml.

3. Search for the <Listener> tag for AprLifecycleListener and confirm that it includes the attribute:
fipsmode="on"

If the fipsmode="on" attribute is not present, this is a finding.

4. Verify FIPS Mode at Runtime. After starting ColdFusion, open the coldfusion-error.log file.

5. Search for the term "fipsmode".

6. Check for the following message:
failed to set property[FIPSMODE] to [on]

If this error message is present in the log, this is a finding.
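
The two checks above can be scripted; the following is an added example, not part of the STIG or of Adobe's tooling. It compares the attribute name case-insensitively as an assumption, because the page spells it both fipsmode and FIPSMode, and the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Failure message quoted in the check text, matched case-insensitively.
FIPS_FAILURE = re.compile(r"failed to set property\s*\[FIPSMODE\]\s*to\s*\[on\]", re.I)

# Constructed sample inputs (not taken from a real system).
GOOD_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on"/>
</Server>"""
BAD_XML = GOOD_XML.replace(' FIPSMode="on"', "")
SAMPLE_LOG = """Jan 05, 2026 9:14:02 AM Information [main] - Starting listeners
Jan 05, 2026 9:14:02 AM Warning [main] - failed to set property[FIPSMODE] to [on]
"""

def check_server_xml(xml_text):
    """Return findings for the AprLifecycleListener FIPS setting in server.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == APR_LISTENER]
    if not listeners:
        return ["no AprLifecycleListener <Listener> element found"]
    findings = []
    for el in listeners:
        # Assumption: attribute name compared case-insensitively (see lead-in).
        attrs = {name.lower(): value for name, value in el.attrib.items()}
        value = attrs.get("fipsmode")
        if value is None:
            findings.append("AprLifecycleListener has no FIPSMode attribute")
        elif value.strip().lower() != "on":
            findings.append(f'AprLifecycleListener FIPSMode is "{value}", expected "on"')
    return findings

def check_error_log(log_text):
    """Return the log lines that report a failure to enable FIPS mode."""
    return [line.strip() for line in log_text.splitlines()
            if FIPS_FAILURE.search(line)]

if __name__ == "__main__":
    for name, xml in (("compliant", GOOD_XML), ("missing attribute", BAD_XML)):
        print(name, "->", check_server_xml(xml) or "no finding")
    print("log ->", check_error_log(SAMPLE_LOG) or "no finding")
```

To run it against a real instance, pass in the contents of that instance's server.xml and coldfusion-error.log; an empty list from both functions means neither check produced a finding.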

Fix Text

1. Enable FIPS Mode in Tomcat by editing the Tomcat server.xml configuration file.

2. On the Tomcat server, log in as a privileged user and open the server.xml file:
sudo nano $CATALINA_BASE/conf/server.xml

3. Locate or add the <Listener> element for AprLifecycleListener.

4. Ensure the element includes the FIPSMode="on" attribute.
Example configuration:
<Listener
    className="org.apache.catalina.core.AprLifecycleListener"
    SSLEngine="on"
    FIPSMode="on"
/>

5. Save and close the file.

6. Restart ColdFusion to apply the changes.

7. Check coldfusion-error.log after startup to confirm there are no errors indicating failure to set FIPSMode.