ColdFusion must remove software components after updated versions have been installed.


Overview

Finding ID: V-62541
Version: CF11-06-000225
Rule ID: SV-77031r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when installed. This backup directory allows the SA to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.
STIG: Adobe ColdFusion 11 Security Technical Implementation Guide
Date: 2017-12-31

Details

Check Text (C-63345r1_chk)
Within the Administrator Console, navigate to the "Updates" page under the "Server Update" menu. Within the "Installed Updates" tab, locate the backup directory location for each update that is installed. On the server running the ColdFusion server, verify that the backup directories do not exist for any of the updates.

If all updates have been tested/verified and any of the backup directories exist, this is a finding.

Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.
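The server-side half of this check can be scripted. The following is an added example, not part of the STIG or of ColdFusion: it assumes the backup directory locations shown in the "Installed Updates" tab have been copied by hand into a text file, one path per line, and the function name and file format are hypothetical.

```shell
#!/bin/sh
# Added example: audit helper for the check above (not part of the STIG).
# Input: a text file with one backup directory path per line, copied from the
# "Installed Updates" tab. Blank lines and lines starting with '#' are ignored.
# The list file and its format are assumptions of this example.

# Prints one line per listed path.
# Returns 0 if no backup directory exists, 1 if any still exists (a finding
# once the updates are tested/verified), 2 if the list cannot be read.
check_backup_dirs() {
    list_file=$1
    findings=0
    if [ ! -r "$list_file" ]; then
        echo "ERROR: cannot read $list_file" >&2
        return 2
    fi
    # '|| [ -n "$dir" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r dir || [ -n "$dir" ]; do
        # Strip carriage returns in case the list was saved on Windows.
        dir=$(printf '%s' "$dir" | tr -d '\r')
        case $dir in
            ''|'#'*) continue ;;
        esac
        if [ -d "$dir" ]; then
            echo "FINDING: backup directory still present: $dir"
            findings=$((findings + 1))
        else
            echo "OK: not present: $dir"
        fi
    done < "$list_file"
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh check_backups.sh backup_dirs.txt
if [ "$#" -gt 0 ]; then
    check_backup_dirs "$1"
fi
```

The script only reports; it does not delete anything, so removal stays a deliberate step taken after the update has been tested and verified.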
Fix Text (F-68461r1_fix)
Navigate to the "Updates" page under the "Server Update" menu within the Administrator Console. Within the "Installed Updates" tab, locate the backup directory location for any updates installed. On the server running the ColdFusion server, remove all backup directories for any updates installed.

Note: Do not remove the backup directory for an update until the update has been tested and verified that the ColdFusion server is operating correctly.