← Back to Adobe ColdFusion Security Technical Implementation Guide

V-279092

CAT I (High)

JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher.

Rule ID

SV-279092r1171584_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002418

Discussion

Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved TLS. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. ColdFusion uses JVM to control the encryption of transmitted data. Settings for JVM can be controlled within the Administrator Console to configure the JVM to only use FIPS 140-2/140-3 or higher approved TLS and disable non-FIPS SSL versions.

Check Content

Verify JVM Arguments for TLS.

From the Admin Console Landing Screen, navigate to Server Settings &gt;&gt; Java and JVM.

The parameter -Dhttps.protocols is used to set the TLS versions. Valid values for this setting must be TLS versions 1.2 or higher. 

Example: Dhttps.protocols=TLSv1.2,TLSv1.3 

If the "JVM arguments" setting does not contain the parameter "Dhttps.protocols" or if the parameter "Dhttps.protocols" contains any unapproved protocols or versions, this is a finding.

Fix Text

Configure JVM Arguments for TLS.

1. From the Admin Console Landing Screen, navigate to Server Settings &gt;&gt; Java and JVM.

2. In Section JVM Arguments, add the parameter "-Dhttps.protocols" and set the parameter to the TLS versions to be used. 

Example: Dhttps.protocols=TLSv1.2,TLSv1.3 

3. Select "Submit Changes".

4. Restart ColdFusion for the changes take effect.