The ColdFusion built-in TomCat Web Server must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62421	CF11-03-000104	SV-76911r1_rule		Medium

Description
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, allowing for poor implementations, and commercial web servers offer better logging. To enable the Administrator Console to still operate and disable the built-in TomCat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.

Description

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, allowing for poor implementations, and commercial web servers offer better logging. To enable the Administrator Console to still operate and disable the built-in TomCat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-12-31

Details

Check Text ( C-63225r1_chk )
Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. Within the server.xml file, locate the xml line: port="8500" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" redirectPort="8445" /> Note: port="8500" is the port the Administrator Console was hosted on. The port is defined during the install and can be changed from the default of 8500, so this parameter may be different if an alternate port was assigned. If the line exists and is not commented out (XML comments start with , e.g., ), this is a finding.

Check Text ( C-63225r1_chk )

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. Within the server.xml file, locate the xml line:

port="8500" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
redirectPort="8445" />

Note: port="8500" is the port the Administrator Console was hosted on. The port is defined during the install and can be changed from the default of 8500, so this parameter may be different if an alternate port was assigned.

If the line exists and is not commented out (XML comments start with , e.g., ), this is a finding.

Fix Text (F-68341r2_fix)
Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. After making a backup of this file, edit the file and locate the following xml line: port="8500" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" redirectPort="8445" /> Note: port="8500" is the port the Administrator Console was hosted on. The port is setup at install and can be changed, so this parameter may be different in this line. This line can be deleted or using XML syntax can be commented out of the configuration. XML comment syntax starts with , e.g., .

Fix Text (F-68341r2_fix)

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. After making a backup of this file, edit the file and locate the following xml line:

port="8500" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
redirectPort="8445" />

Note: port="8500" is the port the Administrator Console was hosted on. The port is setup at install and can be changed, so this parameter may be different in this line.

This line can be deleted or using XML syntax can be commented out of the configuration. XML comment syntax starts with , e.g., .