UCF STIG Viewer Logo

ColdFusion must encrypt patch retrieval.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62515 CF11-05-000198 SV-77005r1_rule Medium
Description
Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-12-31

Details

Check Text ( C-63319r1_chk )
If the Administrator Console is used to perform patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console and review the setting "Site URL" within the "Settings" tab.

If the URL is not prefixed by https://, this is a finding.

If a manual process is used to retrieve patches, verify that a documented process is in place that includes using an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.

If there is not a documented process or the process does not include an encrypted method to download patches, this is a finding.
Fix Text (F-68435r1_fix)
If the Administrator Console is used for patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console. Locate the "Site URL" setting on the "Settings" tab. Update the URL used for updates to be prefixed with https:// so that the communication is encrypted and select the "Submit Changes" button.

If a manual process is used to retrieve patches, document the process to retrieve the patches that uses an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.