Rule ID
SV-279061r1171537_rule
Version
V1R1
CCIs
CCI-000197
Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing encryption for all Redis caching server connections is essential for maintaining a secure server environment.
Verify Redis Cache encryption. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. If the "Redis Server" setting is "localhost" or blank, this requirement is not a finding. If "Password" is blank, this is not a finding. If "Is SSL Enabled" is unchecked, this is a finding.
Configure Redis Cache encryption.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching.
2. Enable encryption by checking "Is SSL Enabled".
3. Select "Submit Changes".
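
A server-side complement to the console check, as an added example that is not part of the STIG or of Adobe's tooling: it probes the Redis listener that ColdFusion is pointed at, to confirm the listener does not answer a cleartext PING and does complete a TLS handshake. The host, port and optional CA file are supplied by the operator, and the function names and result labels are hypothetical.

```python
import socket
import ssl

RESP_TYPES = b"+-:$*"  # first byte of any RESP2 reply
TLS_ALERT = 0x15       # TLS record content type "alert"

def classify_cleartext_reply(data: bytes) -> str:
    """Classify what a listener sent back after a cleartext PING."""
    if not data:
        return "no-cleartext-reply"   # connection closed or nothing sent
    if data[0] in RESP_TYPES:
        return "plaintext-accepted"   # e.g. +PONG or -NOAUTH: command parsed in the clear
    if data[0] == TLS_ALERT:
        return "tls-alert"            # TLS stack rejected the non-TLS bytes
    return "unknown"

def probe_cleartext(host, port, timeout=3.0):
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(b"PING\r\n")
            return classify_cleartext_reply(sock.recv(64))
        except OSError:  # reset or timeout: nothing was served in the clear
            return "no-cleartext-reply"

def probe_tls(host, port, cafile=None, timeout=3.0):
    """Return the negotiated TLS version, or None if the handshake fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # includes ssl.SSLError and certificate verification failures
        return None

def assess(cleartext, tls_version):
    if cleartext == "plaintext-accepted":
        return "FAIL"          # listener serves Redis without encryption
    if cleartext != "unreachable" and tls_version:
        return "PASS"          # no cleartext service and TLS negotiated
    return "INCONCLUSIVE"      # unreachable, or TLS handshake did not complete

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(assess(probe_cleartext(host, port), probe_tls(host, port)))
```

A "FAIL" here means the Redis listener itself still accepts unencrypted clients, which the console setting alone does not reveal.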