| V-279031 | | The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors. | Using only FIPS 140-2/140-3 or higher approved cryptographic modules for encryption helps ensure the confidentiality and integrity of transmitted data... |
| V-279032 | | ColdFusion must require enforced authentication. | ColdFusion must require each authorized user to authenticate and not allow multiple users. Without enforced authentication, there is no reliable metho... |
| V-279036 | | The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly. | ColdFusion log files may contain sensitive information, including system events, error messages, user activity, and potentially authentication or conf... |
| V-279038 | | Before installing or upgrading ColdFusion, the integrity of the installation package must be manually verified. | The hash verification process must be performed using an approved hashing algorithm to ensure the package has not been altered, tampered with, or corr... |
| V-279039 | | Critical ColdFusion directories must have secure file system permissions and ownership. | Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production ... |
| V-279040 | | ColdFusion must configure WebSocket Service. | Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One ... |
| V-279041 | | ColdFusion must have Event Gateway Services disabled when not in use. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or... |
| V-279042 | | ColdFusion must have Remote Development Services (RDS) disabled. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or... |
| V-279044 | | ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging. | Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window,... |
| V-279045 | | ColdFusion must have any unused mappings removed. | ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings ar... |
| V-279050 | | ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities. | ColdFusion Server Settings must be securely configured to enforce application hardening, prevent misuse of functionality, and protect against common w... |
| V-279053 | | ColdFusion must disable the In-Memory File System. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or... |
| V-279054 | | ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured. | Some networking protocols may not meet organizational security requirements to protect data and components.
ColdFusion may host a number of various f... |
| V-279056 | | Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security. | Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data.
Many web servi... |
| V-279057 | | ColdFusion must store only encrypted representations of passwords. | Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard metho... |
| V-279058 | | ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources. | When data is transmitted between ColdFusion and the datasources without encryption, it is vulnerable to interception and unauthorized access. This can... |
| V-279059 | | ColdFusion must only transmit encrypted representations of passwords to the Solr Server. | Solr is an open-source search platform used for indexing and searching data. When data is transmitted between ColdFusion and the Solr Server without e... |
| V-279060 | | ColdFusion must transmit only encrypted representations of passwords to the mail server. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not ... |
| V-279061 | | ColdFusion must only transmit encrypted representations of passwords to the caching server. | Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis ca... |
| V-279062 | | JVM Arguments must be configured for encryption. | Ensuring that ColdFusion transmits only encrypted representations of passwords to the proxy server is critical for maintaining the security and integr... |
| V-279063 | | ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification. | Keystores and truststores are critical components in securing communication between applications and services. If ColdFusion is configured to use cert... |
| V-279064 | | The ColdFusion Administrator Console must be hosted on a management network. | ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the... |
| V-279065 | | ColdFusion must have sandboxes enabled and defined. | ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for en... |
| V-279066 | | ColdFusion must separate the hosted application from the web server. | Separating hosted ColdFusion applications from the web server is critical for enforcing strong access control and minimizing the risk of unauthorized ... |
| V-279067 | | ColdFusion must be configured to mutually authenticate connecting proxies and load balancers. | Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unaut... |
| V-279069 | | ColdFusion systems must provide clustering. | Clustering enables ColdFusion to distribute workloads across multiple application server instances, providing load balancing, session replication, and... |
| V-279070 | | ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time ale... |
| V-279071 | | ColdFusion must have the Tomcat DefaultServlet debug parameter disabled. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of ... |
| V-279072 | | The ColdFusion error messages must be restricted to only authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure... |
| V-279073 | | ColdFusion must set a maximum session timeout value. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.
To thwart the vulnerability of op... |
| V-279074 | | ColdFusion must control remote access to the Administrator Console. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterpr... |
| V-279077 | | ColdFusion must record time stamps for log records that can be mapped system time. | Using a consistent time standard such as UTC or GMT for the internal clock of ColdFusion is crucial for maintaining accurate and reliable system logs.... |
| V-279078 | | For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Ensuring that for PKI-based authentication, ColdFusion implements a local cache of revocation data is essential for maintaining the security and integ... |
| V-279079 | | ColdFusion must set Request Tuning configurations. | To reduce the possibility or effect of a denial of service (DoS), ColdFusion must employ defined security safeguards. These safeguards will be determi... |
| V-279080 | | ColdFusion must limit the maximum number of threads available for CFTHREAD. | Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-279081 | | ColdFusion must limit the maximum number of Web Service requests. | Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. ... |
| V-279082 | | ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests. | CFCs enable modular development by exposing functions that can be called locally or remotely. If the number of allowable CFC function requests is not ... |
| V-279083 | | ColdFusion must configure Data Sources to limit SQL command and configure timeout. | Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauth... |
| V-279084 | | ColdFusion must not store user information in the server registry. | Client variables in ColdFusion are used to persist user-specific information between requests and sessions. If the default storage mechanism for these... |
| V-279085 | | ColdFusion must limit the in-memory size of the virtual file system. | Limiting the in-memory size of the virtual file system is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. With... |
| V-279086 | | ColdFusion must limit the default maximum thread count for parallel functions. | Setting a default maximum thread count for parallel functions is essential to prevent resource exhaustion and potential denial-of-service (DoS) attack... |
| V-279087 | | ColdFusion must limit the maximum post data size. | Limiting the maximum post data size is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, excess... |
| V-279088 | | ColdFusion must limit the request throttle memory. | Limiting the request throttle memory is essential to prevent resource exhaustion and potential denial-of-service (DoS) attacks. Without a limit, an ex... |
| V-279089 | | ColdFusion must set an organization defined maximum number of cached templates. | Setting an appropriate maximum number of cached templates is crucial to balance server performance and resource usage. If the limit is set too low, it... |
| V-279090 | | ColdFusion must set an organization defined maximum JVM heap size. | Setting an appropriate maximum JVM heap size is crucial to balance server performance and resource usage. If the heap size is set too low, it can lead... |
| V-279091 | | ColdFusion must set a nonzero timeout for web services. | Setting a nonzero timeout for web services is crucial to prevent indefinite waiting periods that can lead to resource exhaustion and potential denial-... |
| V-279096 | | ColdFusion must encrypt patch retrieval. | Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modificatio... |
| V-279097 | | ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols. | The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or tr... |
| V-279098 | | The ColdFusion administrator must be using HTTPS to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protoc... |
| V-279099 | | ColdFusion Backup Directory must be deleted. | Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previo... |
| V-279100 | | ColdFusion must be set to automatically check for updates. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-279101 | | ColdFusion must have notifications enabled when a server update is available. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-279102 | | Installed versions of ColdFusion must be supported by the vendor. | Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported softw... |
| V-279103 | | ColdFusion must execute as a nonprivileged user. | Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applicati... |
| V-279104 | | The ColdFusion Root Administrator account must have a unique username. | The ColdFusion Root Administrator account is an administrative account setup during the installation process. This account has privileges to view, upd... |
| V-279105 | | ColdFusion must protect newly created objects. | During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the object... |
| V-279106 | | ColdFusion must be configured to set the cookie settings. | Cookies are often used to maintain user sessions in web applications. However, if cookies are not properly managed, they can pose a security risk. Per... |
| V-279107 | | ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely. | CORS is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the we... |
| V-279108 | | ColdFusion must be configured to set the HTTPOnly attribute on session cookies to prevent client-side scripts from accessing the cookies. | Session cookies are critical for maintaining user sessions in web applications. However, if these cookies are accessible to client-side scripts, they ... |
| V-279109 | | ColdFusion must be configured to set the Secure attribute on session cookies to ensure that cookies are only transmitted over secure HTTPS connections. | Session cookies are often transmitted over the network, and if they are not protected, they can be intercepted by attackers. By enabling the Secure at... |
| V-279110 | | ColdFusion must have the Java Runtime Environment (JRE) updated to the latest version. | The JRE is a critical component of the ColdFusion server, providing the necessary runtime environment for executing Java applications. Keeping the JRE... |
| V-279111 | | ColdFusion must have CFIDE blocked in the uriworkermap.properties file. | CFIDE is a directory used by ColdFusion for administrative and development purposes. If access to CFIDE is not properly restricted, it can expose sens... |
| V-279112 | | ColdFusion must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Trust stores and certificate stores in ColdFusion are used to validate the authenticity of digital certificates during secure communications. If these... |
| V-279129 | | ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package. | The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performan... |
| V-279030 | | ColdFusion must limit concurrent sessions to the Administrator Console. | The ColdFusion Administrator Console provides critical functionality for managing the ColdFusion application server. Allowing concurrent logins to the... |
| V-279033 | | ColdFusion must not have local users. | To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or ge... |
| V-279034 | | ColdFusion must produce log records containing information to establish what type of events occurred. | Without sufficient logging of events, including information about what type of event occurred, it is difficult to detect, understand, or respond to su... |
| V-279035 | | ColdFusion must log scheduled tasks. | Logging scheduled tasks in ColdFusion is essential for detecting unauthorized or unexpected behavior, ensuring task execution integrity, and supportin... |
| V-279037 | | The ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools. | Log management tools within ColdFusion provide access to view, analyze, and sometimes modify application log data. If file ownership and permissions f... |
| V-279043 | | ColdFusion must have example services removed. | ColdFusion is installed with sample data services, gateway services, collections, and mappings. These can be used in a development environment to lear... |
| V-279046 | | ColdFusion must have Central Configuration Server (CCS) disabled. | The ColdFusion CCS is a feature used to synchronize configuration settings across multiple ColdFusion instances. Leaving CCS enabled in a production e... |
| V-279047 | | ColdFusion must have only approved Tomcat connectors enabled. | Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessa... |
| V-279048 | | ColdFusion must have Tomcat configured with deployXML disabled. | The deployXML setting in Tomcat controls whether the server will automatically deploy and process context.xml files found within web application direc... |
| V-279049 | | ColdFusion must be configured with autoDeploy disabled. | ColdFusion uses Tomcat for HTTP and AJP connectivity. Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested o... |
| V-279051 | | ColdFusion must have the sample data directories removed. | ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to ... |
| V-279052 | | ColdFusion must have the CFSTAT feature disabled when not in use. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or... |
| V-279076 | | ColdFusion must allocate log record storage capacity. | Proper management of log records not only dictates proper archiving processes and procedures be established, but it also requires allocating enough st... |
| V-279055 | | ColdFusion must be using an enterprise solution for authentication. | If ColdFusion is not integrated with an enterprise authentication solution, the system may rely on unmanaged local accounts that are difficult to moni... |
| V-279068 | | ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator. | ColdFusion uses session IDs to communicate between modules or applications within ColdFusion and between ColdFusion and users. The session ID allows t... |
| V-279075 | | ColdFusion must control remote access to Exposed Services. | ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications... |
| V-279092 | | JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher. | Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect ... |
| V-279093 | | ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS). | LDAP is commonly used for accessing and maintaining distributed directory information services. When LDAP authentication is performed without encrypti... |
| V-279094 | | ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Export ciphers have weak encryption algorithms that were originally designed to comply with outdated export regulations. These ciphers provide minimal... |
| V-279095 | | JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit. | ColdFusion uses the underlying JVM to handle transmission and receiving data, but ColdFusion does offer the programmer an encrypt API call to protect ... |
