ColdFusion must protect internal cookies from being updated by hosted applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62425	CF11-03-000106	SV-76915r1_rule		Medium

Description
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie security settings is used to allow a hosted application to change the security posture of the application server. This feature may be necessary as applications are built and tested, but once in a production environment, this functionality is not necessary for daily operations and must be disabled.

Description

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie security settings is used to allow a hosted application to change the security posture of the application server. This feature may be necessary as applications are built and tested, but once in a production environment, this functionality is not necessary for daily operations and must be disabled.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-06-15

Details

Check Text ( C-63229r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." is unchecked, this is a finding.

Fix Text (F-68345r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Disable updating ColdFusion internal cookies using ColdFusion tags/functions." and select the "Submit Changes" button.