
Adobe ColdFusion 11 Security Technical Implementation Guide


Overview

Date: 2016-09-21
Finding Count (100): CAT I (High): 12, CAT II (Med): 83, CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-62413 High ColdFusion must have Remote Development Services (RDS) disabled.
V-62487 High ColdFusion must limit the SQL commands available.
V-62407 High ColdFusion must disable Flash Remoting support.
V-62365 High ColdFusion must require a username and password for access by each authorized user.
V-62519 High ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.
V-62527 High ColdFusion must have Robust Exception Information disabled.
V-62351 High ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session.
V-62529 High ColdFusion must have AJAX Debug Log Window disabled.
V-62445 High ColdFusion must contain the most recent update.
V-62533 High ColdFusion must have Allow Line Debugging disabled.
V-62531 High ColdFusion must have Request Debugging Output disabled.
V-62423 High ColdFusion must have Remote Inspection disabled.
V-62499 Medium ColdFusion must set a timeout for requests.
V-62495 Medium ColdFusion must limit the maximum number of simultaneous Report threads.
V-62497 Medium ColdFusion must limit the maximum number of threads available for CFTHREAD.
V-62491 Medium ColdFusion must limit the maximum number of Web Service requests.
V-62493 Medium ColdFusion must limit the maximum number of CFC function requests.
V-62415 Medium ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.
V-62417 Medium ColdFusion must have the WebSocket Service disabled.
V-62411 Medium ColdFusion must have Event Gateway Services disabled.
V-62419 Medium ColdFusion must have example data sources removed.
V-62385 Medium ColdFusion must send log records to the operating system logging facility.
V-62387 Medium ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements.
V-62381 Medium The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.
V-62383 Medium The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly.
V-62389 Medium ColdFusion log records must be off-loaded onto a different system or media from the system being logged.
V-62369 Medium When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated.
V-62489 Medium ColdFusion must set a query timeout for Data Sources.
V-62483 Medium ColdFusion must not store user information in the server registry.
V-62481 Medium ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster.
V-62485 Medium ColdFusion must limit the maximum number of Flash Remoting requests.
V-62403 Medium ColdFusion must protect software libraries from being changed by OS users.
V-62401 Medium ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries.
V-62405 Medium ColdFusion must only allow approved file extensions.
V-62409 Medium ColdFusion must disable the In-Memory File System.
V-62393 Medium The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.
V-62391 Medium ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems.
V-62397 Medium The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly.
V-62395 Medium The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly.
V-62399 Medium ColdFusion must limit applications from changing shared Java components.
V-62477 Medium ColdFusion must provide a clustering capability.
V-62475 Medium ColdFusion must set session cookies as browser session cookies.
V-62473 Medium ColdFusion must use J2EE session variables.
V-62471 Medium ColdFusion must enable UUID for session identifier generation.
V-62367 Medium ColdFusion must require each user to authenticate with a unique account.
V-62363 Medium ColdFusion must control user access to Exposed Services.
V-62361 Medium ColdFusion must control remote access to Exposed Services.
V-62465 Medium The ColdFusion Administrator Console must be hosted in a management sandbox.
V-62509 Medium ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
V-62467 Medium ColdFusion must disable creation of unnamed applications.
V-62461 Medium Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key.
V-62463 Medium The ColdFusion Administrator Console must be hosted on a management network.
V-62503 Medium ColdFusion must limit the time-out for requests waiting in the queue.
V-62375 Medium The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console.
V-62501 Medium ColdFusion must set a timeout for logins.
V-62377 Medium The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.
V-62507 Medium ColdFusion must limit the maximum number of POST requests parameters.
V-62469 Medium ColdFusion must not allow application variables to be added to Servlet Context.
V-62349 Medium ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service.
V-62479 Medium ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-62451 Medium ColdFusion must authenticate users individually.
V-62453 Medium ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
V-62455 Medium ColdFusion must transmit only encrypted representations of passwords for Flex Integration.
V-62457 Medium The ColdFusion Administrator Console must transmit only encrypted representations of passwords.
V-62459 Medium ColdFusion must transmit only encrypted representations of passwords to the mail server.
V-62511 Medium ColdFusion must encrypt cookies.
V-62513 Medium ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
V-62515 Medium ColdFusion must encrypt patch retrieval.
V-62517 Medium ColdFusion must protect Session Cookies from being read by scripts.
V-62525 Medium The ColdFusion site-wide error handler must be valid.
V-62357 Medium ColdFusion must set a maximum session time-out value.
V-62355 Medium ColdFusion must automatically terminate a user session after user inactivity.
V-62521 Medium ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-62353 Medium ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-62523 Medium The ColdFusion missing template handler must be valid.
V-62359 Medium ColdFusion must control remote access to the Administrator Console.
V-62449 Medium ColdFusion must have example gateway instances removed.
V-62447 Medium ColdFusion must have example collections removed.
V-62443 Medium ColdFusion must have the Default ScriptSrc Directory set to a non-default value.
V-62441 Medium ColdFusion must have Sandboxes defined for application execution.
V-62537 Medium ColdFusion must have ColdFusion component (CFC) type checking enabled.
V-62535 Medium The ColdFusion error messages must be restricted to only authorized users.
V-62539 Medium ColdFusion must enable Global Script Protection.
V-62439 Medium ColdFusion must have Sandbox Security enabled.
V-62433 Medium ColdFusion must execute as a non-privileged user.
V-62431 Medium The ColdFusion Root Administrator account must have a unique username.
V-62437 Medium ColdFusion must protect newly created objects.
V-62435 Medium ColdFusion accounts with access to the Administrator Console must be approved.
V-62379 Medium The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly.
V-62371 Medium ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-62429 Medium ColdFusion must disable auto reloading of configuration files on file changes.
V-62541 Medium ColdFusion must remove software components after updated versions have been installed.
V-62421 Medium The ColdFusion built-in Tomcat Web Server must be disabled.
V-62425 Medium ColdFusion must protect internal cookies from being updated by hosted applications.
V-62427 Medium ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-62075 Low ColdFusion must limit concurrent sessions to the Administrator Console.
V-62505 Low ColdFusion must have a custom request queue time-out page.
V-62373 Low ColdFusion must log scheduled tasks.
V-62545 Low ColdFusion must have notifications enabled when a server update is available.
V-62543 Low ColdFusion must be set to automatically check for updates.