Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62541 | CF11-06-000225 | SV-77031r1_rule | Medium |
Description |
---|
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when installed. This backup directory allows the SA to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2015-11-02 |
Check Text ( C-63345r1_chk ) |
---|
Within the Administrator Console, navigate to the "Updates" page under the "Server Update" menu. Within the "Installed Updates" tab, locate the backup directory location for each update that is installed. On the server running the ColdFusion server, verify that the backup directories do not exist for any of the updates. If all updates have been tested/verified and any of the backup directories exist, this is a finding. Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly. |
Fix Text (F-68461r1_fix) |
---|
Navigate to the "Updates" page under the "Server Update" menu within the Administrator Console. Within the "Installed Updates" tab, locate the backup directory location for any updates installed. On the server running the ColdFusion server, remove all backup directories for any updates installed. Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly. |