STIGhub


V-279049

CAT III (Low)

ColdFusion must be configured with autoDeploy disabled.

Rule ID

SV-279049r1171519_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381

Discussion

ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks.

Check Content

Review the autoDeploy configuration in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Review the server.xml configuration by opening the server.xml file in a text editor.

3. Search for all <Host> elements.

4. Check the autoDeploy attribute. Inspect each <Host> element for the autoDeploy setting.

If any <Host> element has autoDeploy="true", this is a finding.

Fix Text

Disable autoDeploy in server.xml.

1. Locate the server.xml file. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml

2. Before making any changes, create a backup copy of the file.

Windows Example:
copy server.xml server.xml.bak

Linux Example:
cp server.xml server.xml.bak

3. Edit the configuration by opening server.xml in a text editor with administrative privileges.

4. Locate all <Host> elements with:
autoDeploy="true"

5. Change all attributes to:
autoDeploy="false"

6. Restart ColdFusion to apply the configuration changes.

7. Confirm that ColdFusion services started successfully.

8. Reopen server.xml to confirm that autoDeploy="false" is set for all <Host> elements.
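
The Check Content steps and the step 8 re-verification can be scripted. The following is an added example, not part of the STIG or of Adobe's tooling: it parses server.xml and classifies every <Host> element. The sample XML is constructed, and the "unset" status is an addition of this example: Tomcat treats an absent autoDeploy attribute as true, which the check wording above does not count as a finding, so it is reported separately for review.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from a real installation).
SAMPLE = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- <Host name="old" appBase="old" autoDeploy="true"/> -->
      <Host name="localhost" appBase="webapps" autoDeploy="false"/>
      <Host name="app2" appBase="webapps2" autoDeploy="true"/>
      <Host name="app3" appBase="webapps3"/>
    </Engine>
  </Service>
</Server>"""


def audit_hosts(xml_text):
    """Return a (host_name, status) tuple for every <Host> element.

    status is "finding" (autoDeploy explicitly true), "ok" (explicitly set
    to anything else) or "unset" (attribute absent, Tomcat default applies).
    Parsing the XML skips commented-out <Host> elements that a plain text
    search would match.
    """
    results = []
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "<unnamed>")
        value = host.get("autoDeploy")
        if value is None:
            status = "unset"
        elif value.strip().lower() == "true":  # also catches "TRUE" / "True"
            status = "finding"
        else:
            status = "ok"
        results.append((name, status))
    return results


def has_finding(xml_text):
    """True if any <Host> has autoDeploy explicitly set to true."""
    return any(status == "finding" for _, status in audit_hosts(xml_text))


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; defaults to SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, status in audit_hosts(text):
        print(f"{status:8} Host name={name}")
    sys.exit(1 if has_finding(text) else 0)
```

Run it once per ColdFusion instance; the exit code is 1 when at least one finding is present.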