Title

ColdFusion must limit applications from changing shared Java components. (Cat II impact)

Discussion

Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML code that can directly access these components and settings, the programmer can change how shared Java components work and create new Java components. By disabling this option, the programmer is unable to read or modify administration and configuration information for the server and shared Java components.

Check Content

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding.

Fix Text

Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable access to internal ColdFusion Java components" and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237163r641584_rule

Vulnerability ID: V-237163

Group Title: SRG-APP-000133-AS-000092

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.