STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279038

CAT II (Medium)

Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified.

Rule ID

SV-279038r1171464_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001749

Discussion

The hash verification process must be performed using an approved hashing algorithm to ensure the package has not been altered, tampered with, or corrupted during transfer. If the computed hash does not exactly match the official vendor hash, the installation or upgrade must not proceed, and the discrepancy must be investigated and resolved prior to deployment. Failure to verify the cryptographic hash of ColdFusion installation or upgrade packages exposes the system to potential compromise. A malicious actor could modify the package to include backdoors, vulnerabilities, or unauthorized code. If the altered package is installed, it may provide an attacker with privileged access to the system, compromise sensitive data, or disrupt operations. Manually verifying the vendor-provided hash ensures the authenticity and integrity of the package before installation, protecting against supply chain attacks and unauthorized modifications.

Check Content

Verify hash by obtaining the official cryptographic hash for the ColdFusion installation or upgrade package from the Adobe-provided source.

1. On the system where the package is stored, compute the hash value using an approved tool (e.g., certutil on Windows or sha256sum on Linux).

Windows Example:
certutil -hashfile ColdFusionInstaller.exe SHA256

Linux Example:
sha256sum ColdFusionInstaller.bin

2. Compare the computed hash against the vendor-provided hash value.

If the computed hash does not exactly match the vendor-provided hash, this is a finding.

If there is no documented evidence that a manual hash verification was performed prior to installation or upgrade, this is a finding.

Fix Text

1. Obtain the official vendor-provided cryptographic hash for the ColdFusion installation or upgrade package.

2. Before installation or upgrade, compute the hash value locally using an approved tool (e.g., certutil or sha256sum).

3. Compare the computed hash against the vendor-provided hash.

a. If the values match, proceed with installation or upgrade.

b. If the values do not match, do not proceed. Redownload the package from a trusted source and reverify until the hash matches.

4. Maintain documentation of the verification process for auditing purposes.
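The Check Content and Fix Text above describe one procedure: compute the package hash with an approved tool, compare it exactly against the vendor-published value, stop on any mismatch, and keep a record for auditors. The script below is an added example that is not part of the STIG or of any Adobe tooling; it implements that procedure for the Linux case with sha256sum. The function name verify_package, the log format and the sample package contents are assumptions of this example; the expected hash must be taken from Adobe's official source and is never embedded here.

```shell
#!/bin/sh
# Added example (not STIG or vendor code): verify a ColdFusion installer's
# SHA-256 against the vendor-published value and record the outcome.
set -eu

# verify_package PACKAGE EXPECTED_SHA256 LOGFILE
#   returns 0 on an exact match, 1 on a mismatch, 2 if EXPECTED_SHA256 is not
#   a well-formed SHA-256 value (so an empty or truncated hash never "matches").
verify_package() {
    pkg=$1
    expected=$2
    log=$3

    # Normalise the vendor value: drop whitespace and lowercase the hex digits,
    # so a hash copied from a page or from certutil output compares correctly.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # Refuse to compare anything that is not exactly 64 hex digits.
    case $expected in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    # Approved tool from the check: sha256sum prints "<hash>  <file>".
    computed=$(sha256sum "$pkg" | cut -d' ' -f1)

    if [ "$computed" = "$expected" ]; then
        result=MATCH
        rc=0
    else
        result=MISMATCH
        rc=1
    fi

    # Audit record (Fix Text step 4): when, which file, which algorithm,
    # both values and the outcome, one tab-separated line per verification.
    printf '%s\t%s\tSHA256\texpected=%s\tcomputed=%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$pkg" "$expected" "$computed" "$result" \
        >> "$log"
    return "$rc"
}

# Usage: sh verify_package.sh ColdFusionInstaller.bin <vendor SHA-256> [logfile]
# A non-zero exit means the installation must not proceed.
if [ "$#" -ge 2 ]; then
    verify_package "$1" "$2" "${3:-hash-verification.log}"
fi
```

The comparison is a strict string equality on the full 64-hex-digit value, which is what "does not exactly match" in the check requires; a prefix match or a case-sensitive comparison against an uppercase copy would both produce wrong findings. The expected value should be obtained from Adobe's official source over a channel independent of the download itself, not from a hash file shipped alongside the package, since an attacker who can alter the package can alter a co-located hash file just as easily. On Windows the same logic applies to the first hash line of the certutil output shown in the check.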