STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279040

CAT II (Medium)

ColdFusion must configure WebSocket Service.

Rule ID

SV-279040r1171341_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381, CCI-000197, CCI-002385, CCI-002422

Discussion

Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server. When enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface. When used, the WebSocket service must be securely configured.

Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259

Check Content

Verify the ColdFusion WebSocket configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.

If the "websocket" package is not installed, this is Not Applicable.

2. If "Enable WebSocket Service" is checked, the remaining steps apply. If "Use Proxy" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.

3. If "Use Built-in WebSocket Server" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.

4. If "SSL Port" is not checked, this is a finding.

5. Verify the "SSL Port" value is an approved port. If not, this is a finding.

6. If "Start Flash Policy Server" is checked, this is a finding.

7. If "Max Data Size" is over the required maximum size, this is a finding.

Fix Text

Configure ColdFusion WebSocket.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.

2. If "Use Proxy" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.

3. If "Use Built-in WebSocket Server" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.

4. Enable encryption by checking "SSL Port" and enter an approved port value.

5. Enter keystore and password.

6. Uncheck the "Start Flash Policy Server".

7. Set the "Max Data Size" to the default setting of 1024 or to the required maximum size for the hosted applications.

8. Select "Submit Changes".
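The Check Content and Fix Text above are written for the Administrator GUI. The script below is an added example, not part of the STIG or of ColdFusion, that applies the same check steps to a parsed copy of the WebSocket settings so the rule can be evaluated on many servers without clicking through the console. ColdFusion stores Administrator settings as WDDX packets under cfusion/lib (the WebSocket page corresponds to neo-websocket.xml); the WDDX parsing is generic, but the variable names the script looks up (enablewebsocket, useproxy, enableport, port, enablesslport, sslport, startflashpolicyserver, maxdatasize), the approved SSL port set, and the sample packet are assumptions made for illustration and must be confirmed against a real file before the output is trusted.

```python
"""Evaluate ColdFusion WebSocket settings against STIG V-279040 (added example).

Not part of the STIG or of ColdFusion. The WDDX variable names below are
ASSUMED for illustration; confirm them against cfusion/lib/neo-websocket.xml
on your own server before relying on the result.
"""
import xml.etree.ElementTree as ET

# ASSUMED site policy: SSL listener ports approved by the ISSO.
APPROVED_SSL_PORTS = {8577}
# Required "Max Data Size"; 1024 is the ColdFusion default named in the Fix Text.
MAX_DATA_SIZE_LIMIT = 1024

# Constructed sample packet (not copied from a real server), modeled on the
# WDDX layout of ColdFusion's neo-*.xml files. It is deliberately
# non-compliant on three points: non-SSL port enabled, Flash Policy Server
# started, and Max Data Size above the limit.
SAMPLE_PACKET = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
  <var name='enablewebsocket'><boolean value='true'/></var>
  <var name='useproxy'><boolean value='false'/></var>
  <var name='enableport'><boolean value='true'/></var>
  <var name='port'><number value='8575.0'/></var>
  <var name='enablesslport'><boolean value='true'/></var>
  <var name='sslport'><number value='8577.0'/></var>
  <var name='keystore'><string>/opt/coldfusion/cfusion/lib/websocket.jks</string></var>
  <var name='startflashpolicyserver'><boolean value='true'/></var>
  <var name='maxdatasize'><number value='4096.0'/></var>
</struct></data></wddxPacket>"""


def parse_wddx_struct(packet_xml: str) -> dict:
    """Flatten the top-level WDDX <struct> into a dict of Python values.

    Only the WDDX types these config files use (boolean, number, string)
    are decoded; any other type is stored as None so it stays visible.
    """
    root = ET.fromstring(packet_xml)
    struct = root.find("./data/struct")
    if struct is None:
        raise ValueError("no <struct> in WDDX packet")
    settings = {}
    for var in struct.findall("var"):
        name = var.get("name")
        value = var[0]  # the single typed child element
        if value.tag == "boolean":
            settings[name] = value.get("value") == "true"
        elif value.tag == "number":
            settings[name] = float(value.get("value"))
        elif value.tag == "string":
            settings[name] = value.text or ""
        else:
            settings[name] = None
    return settings


def check_websocket(settings: dict,
                    approved_ssl_ports=APPROVED_SSL_PORTS,
                    max_data_size=MAX_DATA_SIZE_LIMIT) -> list:
    """Return one finding string per failed check step; an empty list is compliant."""
    findings = []
    # Check step 2: a service that is off has nothing further to evaluate.
    if not settings.get("enablewebsocket"):
        return findings
    # Check steps 2 and 3: a plaintext listener is a finding in both modes,
    # so the mode only matters for the message.
    mode = "Use Proxy" if settings.get("useproxy") else "Use Built-in WebSocket Server"
    if settings.get("enableport"):
        findings.append(f"non-SSL Port {int(settings.get('port', 0))} enabled ({mode})")
    # Check steps 4 and 5: SSL listener must be on and on an approved port.
    if not settings.get("enablesslport"):
        findings.append("SSL Port not enabled")
    elif int(settings.get("sslport", 0)) not in approved_ssl_ports:
        findings.append(f"SSL Port {int(settings.get('sslport', 0))} is not an approved port")
    # Check step 6
    if settings.get("startflashpolicyserver"):
        findings.append("Start Flash Policy Server is enabled")
    # Check step 7
    if settings.get("maxdatasize", 0) > max_data_size:
        findings.append(f"Max Data Size {int(settings['maxdatasize'])} exceeds {max_data_size}")
    return findings


def remediated(settings: dict) -> dict:
    """Apply Fix Text steps 2-4, 6 and 7 to a parsed settings dict (keystore entry is left to the admin)."""
    fixed = dict(settings)
    fixed["enableport"] = False                 # Fix steps 2/3: no non-SSL listener
    fixed["enablesslport"] = True               # Fix step 4: encryption on
    if int(fixed.get("sslport", 0)) not in APPROVED_SSL_PORTS:
        fixed["sslport"] = float(min(APPROVED_SSL_PORTS))
    fixed["startflashpolicyserver"] = False     # Fix step 6
    fixed["maxdatasize"] = float(min(fixed.get("maxdatasize", MAX_DATA_SIZE_LIMIT), MAX_DATA_SIZE_LIMIT))  # Fix step 7
    return fixed


if __name__ == "__main__":
    current = parse_wddx_struct(SAMPLE_PACKET)
    for finding in check_websocket(current):
        print("FINDING:", finding)
    print("after fix:", check_websocket(remediated(current)) or "compliant")
```

Run against the constructed packet the script reports the three deliberate findings and an empty list after `remediated()`; to use it on a server, read neo-websocket.xml into `parse_wddx_struct()` and adjust the variable names and `APPROVED_SSL_PORTS` to match local policy. The "Not Applicable" branch for a missing websocket package is not modeled here: if the package is absent the file is simply not there, which the script treats as an error rather than a pass.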