STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

Benchmark ID

Adobe_ColdFusion_STIG

Total Checks

84

Tags

other

Severity breakdown

CAT I: 7, CAT II: 64, CAT III: 13

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (84)

  • V-279030 (LOW): ColdFusion must limit concurrent sessions to the Administrator Console.
  • V-279031 (MEDIUM): The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors.
  • V-279032 (MEDIUM): ColdFusion must require enforced authentication.
  • V-279033 (LOW): ColdFusion must not have local users.
  • V-279034 (LOW): ColdFusion must produce log records containing information to establish what type of events occurred.
  • V-279035 (LOW): ColdFusion must log scheduled tasks.
  • V-279036 (MEDIUM): The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.
  • V-279037 (LOW): The ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools.
  • V-279038 (MEDIUM): Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified.
  • V-279039 (MEDIUM): Critical ColdFusion directories must have secure file system permissions and ownership.
  • V-279040 (MEDIUM): ColdFusion must configure WebSocket Service.
  • V-279041 (MEDIUM): ColdFusion must have Event Gateway Services disabled when not in use.
  • V-279042 (MEDIUM): ColdFusion must have Remote Development Services (RDS) disabled.
  • V-279043 (LOW): ColdFusion must have example services removed.
  • V-279044 (MEDIUM): ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging.
  • V-279045 (MEDIUM): ColdFusion must have any unused mappings removed.
  • V-279046 (LOW): ColdFusion must have Central Configuration Server (CCS) disabled.
  • V-279047 (LOW): ColdFusion must have only approved Tomcat connectors enabled.
  • V-279048 (LOW): ColdFusion must have Tomcat configured with deployXML disabled.
  • V-279049 (LOW): ColdFusion must be configured with autoDeploy disabled.
  • V-279050 (MEDIUM): ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.
  • V-279051 (LOW): ColdFusion must have the sample data directories removed.
  • V-279052 (LOW): ColdFusion must have the CFSTAT feature disabled when not in use.
  • V-279053 (MEDIUM): ColdFusion must disable the In-Memory File System.
  • V-279054 (MEDIUM): ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured.
  • V-279055 (HIGH): ColdFusion must be using an enterprise solution for authentication.
  • V-279056 (MEDIUM): Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.
  • V-279057 (MEDIUM): ColdFusion must store only encrypted representations of passwords.
  • V-279058 (MEDIUM): ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources.
  • V-279059 (MEDIUM): ColdFusion must only transmit encrypted representations of passwords to the Solr Server.
  • V-279060 (MEDIUM): ColdFusion must transmit only encrypted representations of passwords to the mail server.
  • V-279061 (MEDIUM): ColdFusion must only transmit encrypted representations of passwords to the caching server.
  • V-279062 (MEDIUM): JVM Arguments must be configured for encryption.
  • V-279063 (MEDIUM): ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification.
  • V-279064 (MEDIUM): The ColdFusion Administrator Console must be hosted on a management network.
  • V-279065 (MEDIUM): ColdFusion must have sandboxes enabled and defined.
  • V-279066 (MEDIUM): ColdFusion must separate the hosted application from the web server.
  • V-279067 (MEDIUM): ColdFusion must be configured to mutually authenticate connecting proxies and load balancers.
  • V-279068 (HIGH): ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator.
  • V-279069 (MEDIUM): ColdFusion systems must provide clustering.
  • V-279070 (MEDIUM): ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.
  • V-279071 (MEDIUM): ColdFusion must have the Tomcat DefaultServlet debug parameter disabled.
  • V-279072 (MEDIUM): The ColdFusion error messages must be restricted to only authorized users.
  • V-279073 (MEDIUM): ColdFusion must set a maximum session timeout value.
  • V-279074 (MEDIUM): ColdFusion must control remote access to the Administrator Console.
  • V-279075 (HIGH): ColdFusion must control remote access to Exposed Services.
  • V-279076 (LOW): ColdFusion must allocate log record storage capacity.
  • V-279077 (MEDIUM): ColdFusion must record time stamps for log records that can be mapped to system time.
  • V-279078 (MEDIUM): For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-279079 (MEDIUM): ColdFusion must set Request Tuning configurations.
  • V-279080 (MEDIUM): ColdFusion must limit the maximum number of threads available for CFTHREAD.
  • V-279081 (MEDIUM): ColdFusion must limit the maximum number of Web Service requests.
  • V-279082 (MEDIUM): ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests.
  • V-279083 (MEDIUM): ColdFusion must configure Data Sources to limit SQL command and configure timeout.
  • V-279084 (MEDIUM): ColdFusion must not store user information in the server registry.
  • V-279085 (MEDIUM): ColdFusion must limit the in-memory size of the virtual file system.
  • V-279086 (MEDIUM): ColdFusion must limit the default maximum thread count for parallel functions.
  • V-279087 (MEDIUM): ColdFusion must limit the maximum post data size.
  • V-279088 (MEDIUM): ColdFusion must limit the request throttle memory.
  • V-279089 (MEDIUM): ColdFusion must set an organization defined maximum number of cached templates.
  • V-279090 (MEDIUM): ColdFusion must set an organization defined maximum JVM heap size.
  • V-279091 (MEDIUM): ColdFusion must set a nonzero timeout for web services.
  • V-279092 (HIGH): JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher.
  • V-279093 (HIGH): ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS).
  • V-279094 (HIGH): ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-279095 (HIGH): JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit.
  • V-279096 (MEDIUM): ColdFusion must encrypt patch retrieval.
  • V-279097 (MEDIUM): ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols.
  • V-279098 (MEDIUM): The ColdFusion administrator must be using HTTPS to maintain the confidentiality and integrity of information during reception.
  • V-279099 (MEDIUM): ColdFusion Backup Directory must be deleted.
  • V-279100 (MEDIUM): ColdFusion must be set to automatically check for updates.
  • V-279101 (MEDIUM): ColdFusion must have notifications enabled when a server update is available.
  • V-279102 (MEDIUM): Installed versions of ColdFusion must be supported by the vendor.
  • V-279103 (MEDIUM): ColdFusion must execute as a nonprivileged user.
  • V-279104 (MEDIUM): The ColdFusion Root Administrator account must have a unique username.
  • V-279105 (MEDIUM): ColdFusion must protect newly created objects.
  • V-279106 (MEDIUM): ColdFusion must be configured to set the cookie settings.
  • V-279107 (MEDIUM): ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely.
  • V-279108 (MEDIUM): ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies.
  • V-279109 (MEDIUM): ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections.
  • V-279110 (MEDIUM): ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version.
  • V-279111 (MEDIUM): ColdFusion must have CFIDE blocked in the uriworkermap.properties file.
  • V-279112 (MEDIUM): ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  • V-279129 (MEDIUM): ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package.