
V-279079

CAT II (Medium)

ColdFusion must set Request Tuning configurations.

Rule ID

SV-279079r1171576_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards will be determined by the placement of ColdFusion and the type of applications being hosted within the ColdFusion framework. Report threads are used to process reports concurrently. Since reporting in most applications is neither time sensitive nor heavily used, this setting should be kept low to limit resource use on ColdFusion and to limit an avenue an attacker could use to exhaust resources. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.

Check Content

Verify Request Tuning Configurations.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.

If "Maximum number of simultaneous Report threads" is not set to "1", this is a finding.

If the "Maximum number of simultaneous Template requests" is not set to the maximum number of requests (or 24, whichever is higher), this is a finding.

If the "Timeout requests waiting in queue after" setting is higher than "5", this is a finding.

2. Validate that "Request Queue Timeout Page" is set to a valid and custom page.

If "Request Queue Timeout Page" is blank or is set to "/CFIDE/administrator/templates/request_timeout_error.cfm", this is a finding.

3. Validate the file exists. The path and file given are relative to the web server's document root directory and not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Request Queue Timeout Page" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm.

If the "Request Queue Timeout Page" setting is not set to a valid page, this is a finding.
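The check above can be scripted once the four values have been read from the Admin Console. The following is an added example, not part of the STIG or of ColdFusion; the dictionary keys, function names and finding strings are hypothetical, and `site_max_requests` stands for the site's own maximum number of requests.

```python
import os

# Default page named in the check; leaving it in place is a finding.
DEFAULT_TIMEOUT_PAGE = "/CFIDE/administrator/templates/request_timeout_error.cfm"


def resolve_timeout_page(docroot, page):
    """Map the console value to a path under the web server's document root."""
    # The setting is relative to the document root, not the OS root.
    return os.path.join(docroot, page.lstrip("/"))


def evaluate_request_tuning(settings, docroot, site_max_requests):
    """Return a list of findings; an empty list means no finding.

    settings holds values transcribed from Server Settings >> Request Tuning.
    Its keys are hypothetical names chosen for this example.
    """
    findings = []

    if settings["report_threads"] != 1:
        findings.append("report threads not set to 1")

    # "the maximum number of requests (or 24, whichever is higher)"
    required = max(site_max_requests, 24)
    if settings["template_requests"] != required:
        findings.append(f"template requests not set to {required}")

    if settings["queue_timeout"] > 5:
        findings.append("queue timeout higher than 5")

    page = settings["queue_timeout_page"].strip()
    if not page or page == DEFAULT_TIMEOUT_PAGE:
        findings.append("timeout page blank or default")
    elif not os.path.isfile(resolve_timeout_page(docroot, page)):
        findings.append("timeout page file not found under document root")

    return findings
```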

Fix Text

Set Request Tuning Configurations.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.

2. Set "Maximum number of simultaneous Report threads" to "1".

3. Set "Maximum number of simultaneous Template requests" to the appropriate amount or 24, whichever is higher.

4. Set "Timeout requests waiting in queue after" to "5" or fewer.

5. Set "Request Queue Timeout Page" to a custom and valid page.

6. Select "Submit Changes".