Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62425 | CF11-03-000106 | SV-76915r1_rule | Medium |
Description |
---|
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie security settings is used to allow a hosted application to change the security posture of the application server. This feature may be necessary as applications are built and tested, but once in a production environment, this functionality is not necessary for daily operations and must be disabled. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2016-09-21 |
Check Text ( C-63229r1_chk ) |
---|
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." is unchecked, this is a finding. |
Fix Text (F-68345r1_fix) |
---|
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." and select the "Submit Changes" button. |