STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279068

CAT I (High)

ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator.

Rule ID

SV-279068r1172825_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001188

Discussion

ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows the application to track the communications along with the credentials that may have been used to authenticate users or modules. Unique session IDs are the opposite of sequentially generated session IDs, which an attacker can easily guess. Unique session identifiers help reduce the predictability of those identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.

Check Content

Review the random number generator for generating session identifiers.

1. Locate the java.security file for the Java Runtime Environment (JRE) used by ColdFusion, located at:
<ColdFusion_Installation_Directory>\jre\conf\security\java.security

2. Open the java.security file in a text editor.

3. Locate the following setting:
securerandom.strongAlgorithms

4. Verify that the value includes a FIPS 140-2/140-3 or higher approved random number generator. For example:
securerandom.strongAlgorithms=DRBG:SUN

If the securerandom.strongAlgorithms setting does not exist or does not specify a FIPS 140-2/140-3 or higher approved algorithm, this is a finding.

Fix Text

Configure the random number generator for generating session identifiers.

1. Open the java.security file located at: <ColdFusion_Installation_Directory>\jre\conf\security\java.security

2. Locate or add the securerandom.strongAlgorithms property and configure it to use a FIPS-approved RNG. For example:
securerandom.strongAlgorithms=DRBG:SUN

3. Save the file and restart ColdFusion to apply changes.
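As an added example, not part of the STIG or of STIGhub, the following Python script automates the check above against the contents of a java.security file: it parses the Java properties format (comment lines, '=' or ':' separators, backslash continuations), reads securerandom.strongAlgorithms, and reports a finding when the property is absent, commented out, empty, or names no approved algorithm. The set of approved algorithm names is an assumption containing only DRBG, the algorithm the STIG's own example uses, and the sample file contents are constructed.

```python
import re

# Assumption: only DRBG, the algorithm named in the STIG's example, is treated
# as FIPS 140-2/140-3 approved here; extend this set per your own policy.
APPROVED_ALGORITHMS = {"DRBG"}
PROPERTY = "securerandom.strongAlgorithms"

# Constructed sample file contents (not copied from any real JRE).
COMPLIANT = "# constructed sample\nsecurerandom.strongAlgorithms=DRBG:SUN\n"
NONCOMPLIANT = "# property commented out\n#securerandom.strongAlgorithms=DRBG:SUN\n"

def parse_java_security(text):
    """Parse java.properties-style text into a dict; the last definition wins.
    Handles '#'/'!' comment lines, '=' or ':' separators and '\\' continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]  # value continues on the next line
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def strong_algorithms(props):
    """Split the property value into (algorithm, provider) pairs."""
    pairs = []
    for entry in props.get(PROPERTY, "").split(","):
        entry = entry.strip()
        if entry:
            algo, _, provider = entry.partition(":")
            pairs.append((algo.strip(), provider.strip() or None))
    return pairs

def check_finding(text):
    """Apply the STIG check: returns (is_finding, reason). A finding when the
    property is missing/empty or lists no approved algorithm."""
    pairs = strong_algorithms(parse_java_security(text))
    if not pairs:
        return True, f"{PROPERTY} is missing or empty"
    approved = [algo for algo, _ in pairs if algo in APPROVED_ALGORITHMS]
    if not approved:
        return True, f"{PROPERTY} lists no approved algorithm: {pairs}"
    return False, "approved algorithm(s) configured: " + ", ".join(approved)
```

Run it over the text of <ColdFusion_Installation_Directory>\jre\conf\security\java.security; check_finding returns True (a finding) for the commented-out sample and False for the compliant one. In Java this property only selects what SecureRandom.getInstanceStrong() returns, so the script confirms the configured value, not which code paths use it.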