STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279067

CAT II (Medium)

ColdFusion must be configured to mutually authenticate connecting proxies and load balancers.

Rule ID

SV-279067r1171547_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001184

Discussion

Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication helps verify the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of these certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access.

Check Content

Validate SSL Certificate.

1. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.

2. Identify each ColdFusion IP address that is served by a load balancer or proxy. Locate the configuration file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

3. Open the server.xml file in a text editor and review each <Connector> element for the address setting and the clientAuth setting.

If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.

4. Locate the configuration file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml

5. Open the web.xml file in a text editor.

If "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>" is not present under the web-app tag, this is a finding.
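The two file checks above (step 3 on server.xml, step 5 on web.xml) can be run as an automated compliance check. The script below is an added example, not part of the STIG or of STIGhub; the XML samples are constructed, the set of proxied addresses is assumed to come from step 2, and a connector with no address attribute is assumed to bind all interfaces and therefore to be in scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: two connectors bound to addresses that sit behind
# a proxy (10.0.0.5, 10.0.0.9) and one on an address that is not proxied.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8500" address="10.0.0.5" protocol="HTTP/1.1"/>
    <Connector port="8443" address="10.0.0.5" SSLEnabled="true" clientAuth="true"/>
    <Connector port="8443" address="10.0.0.9" SSLEnabled="true" clientAuth="false"/>
    <Connector port="8500" address="192.168.1.20" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed sample web.xml that would be a finding: auth-method is not CLIENT-CERT.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def check_server_xml(xml_text, proxied_addresses):
    """Step 3 of the check: every <Connector> on a proxied/load-balanced address
    must carry clientAuth="true". Returns one finding string per failing connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        addr = conn.get("address")
        # Assumption: a connector with no address attribute binds all interfaces,
        # so it is in scope whenever any proxied address exists.
        in_scope = addr in proxied_addresses if addr else bool(proxied_addresses)
        if in_scope and conn.get("clientAuth", "").strip().lower() != "true":
            findings.append(f"port={conn.get('port')} address={addr or '*'}: "
                            f"clientAuth={conn.get('clientAuth')!r}, expected \"true\"")
    return findings

def check_web_xml(xml_text):
    """Step 5 of the check: <login-config><auth-method>CLIENT-CERT</auth-method>
    </login-config> must be present directly under <web-app>."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():                      # drop the Java EE namespace prefix
        elem.tag = elem.tag.split("}", 1)[-1]
    if root.tag != "web-app":
        return ["root element is not <web-app>"]
    methods = [lc.findtext("auth-method", "").strip() for lc in root.findall("login-config")]
    if "CLIENT-CERT" not in methods:
        return ["<login-config><auth-method>CLIENT-CERT</auth-method></login-config> not found under <web-app>"]
    return []

if __name__ == "__main__":
    for f in check_server_xml(SERVER_XML, {"10.0.0.5", "10.0.0.9"}) + check_web_xml(WEB_XML):
        print("FINDING:", f)
```

Point the two functions at the real files from step 2 and step 4 (read with `open(...).read()`) and feed in the proxied addresses identified in step 2; an empty list from both means no finding for this rule.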

Fix Text

Configure SSL Certificate.

For server.xml:
1. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Before making changes, back up the file to prevent accidental misconfiguration.

3. Open server.xml in a text editor with administrative privileges.

For web.xml:
1. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml

2. Before making changes, back up the file to prevent accidental misconfiguration.

3. Open web.xml in a text editor with administrative privileges.

4. Ensure the <login-config><auth-method>CLIENT-CERT</auth-method></login-config> is present under the web-app tag.

5. Save and close the file. Restart ColdFusion to apply the changes.