Vuln ID | Severity | Rule Title | Discussion
V-62413 | High | ColdFusion must have Remote Development Services (RDS) disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62487 | High | ColdFusion must limit the SQL commands available. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62407 | High | ColdFusion must disable Flash Remoting support. | Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62365 | High | ColdFusion must require a username and password for access by each authorized user. | Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message,... |
V-62519 | High | ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data. | Information can be either unintentionally or maliciously disclosed if not protected during preparation for transmission. An easy way to protect data during preparation for transmission is to use... |
V-62527 | High | ColdFusion must have Robust Exception Information disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
V-62351 | High | ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session. | Protecting the data by not allowing unsecure non-FIPS 140-2 modules to be used and forcing FIPS 140-2 approved encryption modules limits the attack vector for an attacker. Several attacks, such... |
V-62529 | High | ColdFusion must have AJAX Debug Log Window disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
V-62445 | High | ColdFusion must contain the most recent update. | Adobe releases updates to ColdFusion 11 to add support, fix bugs, and close security issues. Without the current update installed, the product may be unstable or become a target for an... |
V-62533 | High | ColdFusion must have Allow Line Debugging disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
V-62531 | High | ColdFusion must have Request Debugging Output disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and... |
V-62423 | High | ColdFusion must have Remote Inspection disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62499 | Medium | ColdFusion must set a timeout for requests. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62495 | Medium | ColdFusion must limit the maximum number of simultaneous Report threads. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62497 | Medium | ColdFusion must limit the maximum number of threads available for CFTHREAD. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62491 | Medium | ColdFusion must limit the maximum number of Web Service requests. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62493 | Medium | ColdFusion must limit the maximum number of CFC function requests. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62415 | Medium | ColdFusion must have Remote Adobe LiveCycle Data Management access disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62417 | Medium | ColdFusion must have the WebSocket Service disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62411 | Medium | ColdFusion must have Event Gateway Services disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62419 | Medium | ColdFusion must have example data sources removed. | ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but... |
V-62385 | Medium | ColdFusion must send log records to the operating system logging facility. | Protection of log data includes assuring log data is not accidentally lost or deleted. By sending some of the log messages to the operating system logging facilities, these log messages become... |
V-62387 | Medium | ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements. | The proper management of log records not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain the logs online for a... |
V-62381 | Medium | The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console. | When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis... |
V-62383 | Medium | The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly. | When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis... |
V-62389 | Medium | ColdFusion log records must be off-loaded onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Off-loading is a common process in information systems with limited log storage capacity. Centralized management... |
V-62369 | Medium | When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated. | Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set... |
V-62489 | Medium | ColdFusion must set a query timeout for Data Sources. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62483 | Medium | ColdFusion must not store user information in the server registry. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62481 | Medium | ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster. | A mission critical system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A mission critical system must... |
V-62485 | Medium | ColdFusion must limit the maximum number of Flash Remoting requests. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62403 | Medium | ColdFusion must protect software libraries from being changed by OS users. | Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix... |
V-62401 | Medium | ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries. | Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix... |
V-62405 | Medium | ColdFusion must only allow approved file extensions. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62409 | Medium | ColdFusion must disable the In-Memory File System. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62393 | Medium | The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly. | Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses,... |
V-62391 | Medium | ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can... |
V-62397 | Medium | The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly. | When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis... |
V-62395 | Medium | The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly. | Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as... |
V-62399 | Medium | ColdFusion must limit applications from changing shared Java components. | Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server... |
V-62477 | Medium | ColdFusion must provide a clustering capability. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When... |
V-62475 | Medium | ColdFusion must set session cookies as browser session cookies. | Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an... |
V-62473 | Medium | ColdFusion must use J2EE session variables. | Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session... |
V-62471 | Medium | ColdFusion must enable UUID for session identifier generation. | Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session... |
V-62367 | Medium | ColdFusion must require each user to authenticate with a unique account. | Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message,... |
V-62363 | Medium | ColdFusion must control user access to Exposed Services. | ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail and cfpop, can be accessed by users and applications written in other languages and technologies... |
V-62361 | Medium | ColdFusion must control remote access to Exposed Services. | ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies... |
V-62465 | Medium | The ColdFusion Administrator Console must be hosted in a management sandbox. | ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the... |
V-62509 | Medium | ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-62467 | Medium | ColdFusion must disable creation of unnamed applications. | ColdFusion allows applications to be named or unnamed. The application name allows the developer to scope the application or define a logical application and allows for the separation of... |
V-62461 | Medium | Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key. | The cornerstone of PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation... |
V-62463 | Medium | The ColdFusion Administrator Console must be hosted on a management network. | ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the... |
V-62503 | Medium | ColdFusion must limit the time-out for requests waiting in the queue. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62375 | Medium | The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console. | Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses,... |
V-62501 | Medium | ColdFusion must set a timeout for logins. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62377 | Medium | The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly. | Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses,... |
V-62507 | Medium | ColdFusion must limit the maximum number of POST request parameters. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62469 | Medium | ColdFusion must not allow application variables to be added to Servlet Context. | ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing... |
V-62349 | Medium | ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service. | Protecting data being sent to the PDF Service for PDF document creation protects the data from being read or modified before the document is created and returned to the requesting application. ... |
V-62479 | Medium | ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
V-62451 | Medium | ColdFusion must authenticate users individually. | To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by... |
V-62453 | Medium | ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. | Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. Many web services utilize SOAP, which in turn utilizes XML... |
V-62455 | Medium | ColdFusion must transmit only encrypted representations of passwords for Flex Integration. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e.,... |
V-62457 | Medium | The ColdFusion Administrator Console must transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e.,... |
V-62459 | Medium | ColdFusion must transmit only encrypted representations of passwords to the mail server. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e.,... |
V-62511 | Medium | ColdFusion must encrypt cookies. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-62513 | Medium | ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. | Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during... |
V-62515 | Medium | ColdFusion must encrypt patch retrieval. | Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates. |
V-62517 | Medium | ColdFusion must protect Session Cookies from being read by scripts. | A cookie can be read by client-side scripts easily if cookie properties are not set properly during preparation for transmission. By allowing cookies to be read by the client-side scripts,... |
V-62525 | Medium | The ColdFusion site-wide error handler must be valid. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in... |
V-62357 | Medium | ColdFusion must set a maximum session time-out value. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application... |
V-62355 | Medium | ColdFusion must automatically terminate a user session after user inactivity. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application... |
V-62521 | Medium | ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing... |
V-62353 | Medium | ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Controlling what a user can see or change is important within the ColdFusion application server. Allowing non-privileged users to change administrative type data can cause errors within the... |
V-62523 | Medium | The ColdFusion missing template handler must be valid. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in... |
V-62359 | Medium | ColdFusion must control remote access to the Administrator Console. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy... |
V-62449 | Medium | ColdFusion must have example gateway instances removed. | ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but... |
V-62447 | Medium | ColdFusion must have example collections removed. | ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but... |
V-62443 | Medium | ColdFusion must have the Default ScriptSrc Directory set to a non-default value. | The scripts directory contains common javascript code that may be used by the hosted applications. This code is offered to help the developer with common data controls and functions aiding in the... |
V-62441 | Medium | ColdFusion must have Sandboxes defined for application execution. | Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate... |
V-62537 | Medium | ColdFusion must have ColdFusion component (CFC) type checking enabled. | Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated... |
V-62535 | Medium | The ColdFusion error messages must be restricted to only authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be... |
V-62539 | Medium | ColdFusion must enable Global Script Protection. | Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated... |
V-62439 | Medium | ColdFusion must have Sandbox Security enabled. | Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate... |
V-62433 | Medium | ColdFusion must execute as a non-privileged user. | Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered... |
V-62431 | Medium | The ColdFusion Root Administrator account must have a unique username. | The ColdFusion Root Administrator account is an administrative account set up during the installation process. This account has privileges to view, update, and delete data within the entire... |
V-62437 | Medium | ColdFusion must protect newly created objects. | During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly... |
V-62435 | Medium | ColdFusion accounts with access to the Administrator Console must be approved. | ColdFusion offers an Administrator Console that is used to set up ColdFusion. The console allows the administrator to set up user accounts, user privileges, logging, data sources, etc. These... |
V-62379 | Medium | The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly. | Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as... |
V-62371 | Medium | ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. | ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure loggable events. Allowing users other than the ISSM and appointed individuals access... |
V-62429 | Medium | ColdFusion must disable auto reloading of configuration files on file changes. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant... |
V-62541 | Medium | ColdFusion must remove software components after updated versions have been installed. | Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not... |
V-62421 | Medium | The ColdFusion built-in Tomcat Web Server must be disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62425 | Medium | ColdFusion must protect internal cookies from being updated by hosted applications. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD... |
V-62427 | Medium | ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. | Some networking protocols may not meet organizational security requirements to protect data and components. ColdFusion may host a number of various features, such as the Administrator Console,... |
V-62075 | Low | ColdFusion must limit concurrent sessions to the Administrator Console. | The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to... |
V-62505 | Low | ColdFusion must have a custom request queue time-out page. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-62373 | Low | ColdFusion must log scheduled tasks. | Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining... |
V-62545 | Low | ColdFusion must have notifications enabled when a server update is available. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the... |
V-62543 | Low | ColdFusion must be set to automatically check for updates. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the... |
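Several of the rules above leave evidence in the server's HTTP responses, so they can be verified from outside without Administrator Console access: the session-cookie rules (V-62517 HttpOnly, V-62511 Secure, V-62475 browser-session cookies, V-62471 UUID CFTOKEN), JSON hijacking protection (V-62519), request debugging output (V-62531) and robust exception information (V-62527). The following is an added example, not part of the STIG and not Adobe ColdFusion code: an offline auditor that takes captured response headers and a body and reports which of those rules appear to be violated. The two sample responses are constructed. It assumes the default secureJSON prefix `//` has not been customised, the string markers used to spot debug footers and Java stack traces are heuristics, and the mapping from each check to a V-ID is my reading of the rule titles above rather than the STIG's own check text.

```python
"""Offline audit of captured ColdFusion HTTP responses against several STIG rules.

Added example; not part of the STIG or of Adobe ColdFusion. Sample responses
below are constructed. V-ID mapping is my reading of the rule titles.
"""
import re
from dataclasses import dataclass

CF_SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}
SECURE_JSON_PREFIX = "//"  # ColdFusion's default secureJSONPrefix; assumed not customised


@dataclass(frozen=True)
class Finding:
    rule: str    # STIG V-ID (my mapping, see lead-in)
    detail: str


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Session-cookie checks: HttpOnly, Secure, browser-session lifetime, UUID CFTOKEN."""
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name.upper() not in CF_SESSION_COOKIES:
            continue
        if "httponly" not in attrs:
            findings.append(Finding("V-62517", f"{name}: missing HttpOnly, readable by client-side script"))
        if "secure" not in attrs:
            findings.append(Finding("V-62511", f"{name}: missing Secure, may be sent over cleartext HTTP"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append(Finding("V-62475", f"{name}: persistent cookie, not a browser-session cookie"))
        # The legacy CFTOKEN is an up-to-8-digit number; with UUID tokens enabled it is a long hex/UUID string.
        if name.upper() == "CFTOKEN" and re.fullmatch(r"\d{1,8}", value):
            findings.append(Finding("V-62471", "CFTOKEN is the legacy numeric token, not UUID-based"))
    return findings


def audit_body(content_type, body):
    """Body checks: secureJSON prefix, request debugging output, robust exception info."""
    findings = []
    if "json" in content_type.lower():
        first = body.lstrip()[:1]
        if first in ("[", "{") and not body.startswith(SECURE_JSON_PREFIX):
            findings.append(Finding("V-62519", "JSON response lacks the secureJSON prefix"))
    # Heuristic markers (assumptions): CF's debug footer heading and Java stack-trace frames.
    if "Debugging Information" in body:
        findings.append(Finding("V-62531", "request debugging output present in response"))
    if re.search(r"\bat coldfusion\.[\w.]+\(", body):
        findings.append(Finding("V-62527", "Java stack trace (robust exception information) leaked"))
    return findings


def audit_response(headers, body):
    """headers: list of (name, value) pairs as captured from a proxy or browser; returns all findings."""
    set_cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    content_type = next((v for k, v in headers if k.lower() == "content-type"), "")
    return audit_cookies(set_cookies) + audit_body(content_type, body)


# Constructed sample: a server with default settings, debugging on, robust exceptions on.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "CFID=12345; Expires=Wed, 01 Jan 2048 00:00:00 GMT; Path=/"),
    ("Set-Cookie", "CFTOKEN=87654321; Expires=Wed, 01 Jan 2048 00:00:00 GMT; Path=/"),
]
WEAK_BODY = (
    "<html><body>Error Occurred While Processing Request\n"
    "coldfusion.runtime.UndefinedElementException: Element X is undefined\n"
    "\tat coldfusion.runtime.CfJspPage._get(CfJspPage.java:1234)\n"
    "<h2>Debugging Information</h2></body></html>"
)

# Constructed sample: hardened server; CFTOKEN value is a made-up UUID-style token.
HARDENED_HEADERS = [
    ("Content-Type", "application/json; charset=UTF-8"),
    ("Set-Cookie", "CFID=12345; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "CFTOKEN=7ba2f8a5e8b6a1c4-E4D4B2D7-C8C5-A2A3-F3A1B2C3D4E5F6A7; Path=/; HttpOnly; Secure"),
]
HARDENED_BODY = '//[{"id": 1}]'

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY), ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(f"== {label} ==")
        for f in audit_response(hdrs, body):
            print(f"  {f.rule}: {f.detail}")
```

Feed it the raw header list and body of a response captured through a proxy from an authenticated page and from a JSON-returning CFC; a server that satisfies these rules produces no findings, while the constructed weak sample above produces nine. The cookie and JSON checks are exact; the debug and stack-trace markers are only indicators, so treat a hit there as something to confirm in the Administrator Console rather than as proof on its own.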