UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62371 CF11-02-000034 SV-76861r1_rule Medium
Description
ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure logable events. Allowing users other than the ISSM and appointed individuals access to turn logged events on or off allows a user to mask their actions by disabling logging. By enabling excessive logging or by enabling debugging, a user can generate logged events containing information that can be used to later attack the system or gain access to Personally Identifiable Information (PII).
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2015-11-02

Details

Check Text ( C-63175r1_chk )
Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only the ISSM, or users appointed by the ISSM to change logable events, may have the following roles:
Debugging and Logging>Logging
Debugging and Logging>Code Analyzer
Debugging and Logging>Debugging
Debugging and Logging>License Scanner
Debugging and Logging>System Probes

If any other users have any of these roles, then this is a finding.
Fix Text (F-68291r1_fix)
Navigate to the "User Manager" page under the "Security" menu and assign the following roles to the ISSM and users appointed by the ISSM to change logable events.
Debugging and Logging>Logging
Debugging and Logging>Code Analyzer
Debugging and Logging>Debugging
Debugging and Logging>License Scanner
Debugging and Logging>System Probes