UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must be set to automatically check for updates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62543 CF11-06-000226 SV-77033r1_rule Low
Description
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently. Having "Automatically Check for Updates" checked causes ColdFusion to look for updates on every logon.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-12-31

Details

Check Text ( C-63347r1_chk )
Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation.

If the ColdFusion server has access to a patch repository, the server must check for updates. To verify that the server is checking for updates, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that the "Automatically Check for Updates" is checked.

If the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository and "Automatically Check for Updates" is not checked, this is a finding.

If the ColdFusion server does not have access to Adobe or an internally maintained patch repository, then a manual process must be documented to check for updates. The documented process must include the location and how often to check for updates.

If the process is not documented or the documented process does not include location and frequency, this is a finding.
Fix Text (F-68463r1_fix)
If the ColdFusion server has access to a patch repository, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and check the "Automatically Check for Updates" setting and select the "Submit Changes" button.

If the ColdFusion server does not have access to a patch repository, document the process to check for updates. The documented process must include location and how often.