STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279112

CAT II (Medium)

ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization.

Rule ID

SV-279112r1171599_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004909

Discussion

Trust stores and certificate stores in ColdFusion are used to validate the authenticity of digital certificates during secure communications. If these stores include unapproved or rogue trust anchors, they introduce the risk of trusting malicious or compromised certificates. This can lead to man-in-the-middle (MitM) attacks, spoofing of trusted services, or unauthorized data decryption. Including only approved trust anchors ensures that ColdFusion trusts only vetted entities for secure communications. This protects against the installation of unauthorized certificates that could be used to intercept or manipulate encrypted traffic. Maintaining strict control over which trust anchors are included in ColdFusion's trust and certificate stores is essential to upholding the integrity and confidentiality of system communications. It also ensures alignment with enterprise Public Key Infrastructure (PKI) policies and reduces the risk of inadvertently trusting a compromised or untrusted source.

Check Content

Validate Connection.

1. List the contents of the JRE cacerts trust store by executing the following command:
C:\ColdFusion2023\jre\bin\keytool -list -keystore C:\ColdFusion2023\jre\lib\security\cacerts

If any outbound certificates listed are not approved, this is a finding.

2. In each ColdFusion instance, open the server.xml file:
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml 

3. Search all uncommented connector tags for the word "keystorefile":

a. Make note of any keystore path and filename.

b. For each keystore file referenced by a "keystorefile" attribute on a connector tag, execute the following command:
C:\ColdFusion2023\jre\bin\keytool -list -keystore <keystorefile>

If any inbound certificates listed are not approved, this is a finding.
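The three check steps above amount to a small audit: harvest the keystore paths from uncommented connector tags, list each store with keytool, and compare what is trusted against the organization's approved list. The script below is an added example (not part of the STIG, DISA's material, or ColdFusion) that implements that audit against constructed sample data. It assumes the approved list is kept as a set of SHA-256 certificate fingerprints, that keytool output is captured as text (for example via subprocess), and that the attribute is compared case-insensitively since the STIG spells it "keystorefile"; it also collects Tomcat's newer <SSLHostConfig><Certificate certificateKeystoreFile=...> form, which goes beyond what the check text names.

```python
"""Audit ColdFusion trust stores against an organization's approved-anchor list.

Added example for V-279112, not part of the STIG or of ColdFusion. Assumptions
(not from the page): keystore paths are harvested from server.xml Connector
tags, `keytool -list` output is captured as text, and the approved list is a
set of SHA-256 fingerprints kept by the organization (constructed here).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# ---- Check step 3: keystoreFile on uncommented <Connector> tags only ----------

def keystore_files_from_server_xml(xml_text: str) -> list[str]:
    """Return keystore paths from every <Connector> that is not commented out.

    ElementTree discards XML comments while parsing, so a connector wrapped in
    <!-- ... --> never reaches this loop. Attribute names are compared
    case-insensitively because the STIG spells the attribute "keystorefile".
    The nested <Certificate certificateKeystoreFile=...> form is collected too
    (an assumption beyond the STIG text).
    """
    root = ET.fromstring(xml_text)
    paths = []
    for connector in root.iter("Connector"):
        for name, value in connector.attrib.items():
            if name.lower() == "keystorefile":
                paths.append(value)
        for cert in connector.iter("Certificate"):
            for name, value in cert.attrib.items():
                if name.lower() == "certificatekeystorefile":
                    paths.append(value)
    return paths


def keytool_list_command(keytool: str, keystore: str) -> list[str]:
    """Argument vector for the page's `keytool -list -keystore <file>` command,
    suitable for subprocess.run(..., capture_output=True, text=True)."""
    return [keytool, "-list", "-keystore", keystore]

# ---- Check steps 1 and 3b: parse `keytool -list` and flag unapproved anchors --

@dataclass(frozen=True)
class TrustEntry:
    alias: str
    entry_type: str
    fingerprint: str  # colon-separated hex, upper-cased

ENTRY_TYPES = {"trustedCertEntry", "PrivateKeyEntry", "SecretKeyEntry"}
# Matches "Certificate fingerprint (SHA-256): AA:BB:..." and the older "(SHA1)" form.
FP_RE = re.compile(r"Certificate fingerprint \((?P<algo>SHA-?\d+)\):\s*(?P<fp>[0-9A-Fa-f:]+)")


def parse_keytool_list(output: str) -> list[TrustEntry]:
    """Pair each "<alias>, <date>, <type>," line with the fingerprint line after it."""
    entries, pending = [], None
    for raw in output.splitlines():
        line = raw.strip()
        parts = [p.strip() for p in line.rstrip(",").split(",")]
        if len(parts) >= 3 and parts[-1] in ENTRY_TYPES:
            pending = (parts[0], parts[-1])  # alias, entry type
            continue
        m = FP_RE.search(line)
        if m and pending is not None:
            entries.append(TrustEntry(pending[0], pending[1], m["fp"].upper()))
            pending = None
    return entries


def unapproved_entries(entries, approved_fingerprints) -> list[TrustEntry]:
    """Anything whose fingerprint is not on the approved list is a finding.

    Comparison is by fingerprint, not alias: an alias is free text chosen at
    import time and says nothing about which certificate is actually trusted.
    """
    approved = {fp.upper() for fp in approved_fingerprints}
    return [e for e in entries if e.fingerprint not in approved]

# ---- Constructed sample data (not real certificates or ColdFusion files) -------

SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- retired connector: commented out, so the check must ignore it
    <Connector port="8443" SSLEnabled="true" keystoreFile="C:\\old\\legacy.jks"/>
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" keystorePass="changeit"
               keystoreFile="C:\\ColdFusion2023\\cfusion\\runtime\\conf\\cf.p12"/>
  </Service>
</Server>
"""

FP_ROOT_A = ":".join(["A1"] * 32)  # constructed placeholder fingerprints
FP_ROOT_B = ":".join(["B2"] * 32)
FP_SELFSIGNED = ":".join(["C3"] * 32)
APPROVED_FINGERPRINTS = {FP_ROOT_A, FP_ROOT_B}

SAMPLE_KEYTOOL_OUTPUT = f"""Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

enterprise-root-ca, Jan 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_ROOT_A}
digicertglobalrootca [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_ROOT_B}
devtest-selfsigned, Mar 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_SELFSIGNED}
"""


def audit(keytool_output: str) -> list[str]:
    """Aliases that would make this store a finding under V-279112."""
    entries = parse_keytool_list(keytool_output)
    return [e.alias for e in unapproved_entries(entries, APPROVED_FINGERPRINTS)]


if __name__ == "__main__":
    for path in keystore_files_from_server_xml(SAMPLE_SERVER_XML):
        print("inbound keystore to audit:", " ".join(keytool_list_command("keytool", path)))
    for alias in audit(SAMPLE_KEYTOOL_OUTPUT):
        print(f"FINDING: unapproved trust anchor '{alias}'")
```

Against the sample data the script reports one inbound keystore (the commented-out connector is skipped) and one finding, the self-signed test certificate. Approval is keyed on the certificate fingerprint rather than the alias, because an alias is only a label assigned at import time and can match an approved name while pointing at an entirely different certificate; the same parse-and-compare applies unchanged to the JRE cacerts store from step 1.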

Fix Text

Configure connection.

For each untrusted certificate identified, execute the following command:
C:\ColdFusion2023\jre\bin\keytool -delete -alias "<certificate alias>" -keystore <keystorefile>