UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must limit applications from changing shared Java components.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62399 CF11-03-000091 SV-76889r1_rule Medium
Description
Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML code that can directly access these components and settings, the programmer can change how shared Java components work and create new Java components. By disabling this option, the programmer is unable to read or modify administration and configuration information for the server and shared Java components.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2016-09-21

Details

Check Text ( C-63203r1_chk )
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu.

If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding.
Fix Text (F-68319r1_fix)
Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable access to internal ColdFusion Java components" and select the "Submit Changes" button.