Adobe ColdFusion 11 STIG: Check CF11-05-000181 (in versions v2 r1 through v1 r2)
Title
ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster. (Cat II impact)
Discussion
A mission critical system is a system that handles data vital to the organization's operational readiness or to the effectiveness of deployed or contingency forces. A mission critical system must maintain the highest level of integrity and availability. Clustering the ColdFusion application server for high availability (HA) gives the hosted application and its data a platform that is load-balanced and highly available. Most HA clusters consist of two nodes, which is the minimum required for redundancy, but HA clusters can consist of many more nodes. ColdFusion offers a clustering capability that must be used when the ColdFusion application server is part of a mission critical system.
Check Content
If ColdFusion is not part of a mission critical system, this requirement is not applicable. Within the Administrator Console, navigate to the "Instance Manager" page under the "Enterprise Manager" menu. Validate that two or more servers have been defined and that the servers are on different hosts. If there are fewer than two servers available or the servers are on the same host, this is a finding. Navigate to the "Cluster Manager" page under the "Enterprise Manager" menu. If there are no clusters defined or any cluster has fewer than two servers in the cluster, this is a finding.
Fix Text
If ColdFusion is not part of a mission critical system, this requirement is not applicable. Within the Administrator Console, navigate to the "Instance Manager" page under the "Enterprise Manager" menu. Define two or more servers to be part of each cluster. Once the servers are defined for the cluster(s), navigate to the "Cluster Manager" page under the "Enterprise Manager" menu. Define clusters for your mission critical ColdFusion installation. Each defined cluster must contain two or more servers.
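The Check Content above is a manual walk through the Administrator Console. The following is an added example, not part of the STIG text or of ColdFusion itself, that encodes the same decision rules as code so the check can be repeated against an inventory exported from the console. The `Server` and `Inventory` shapes and the sample data are constructed assumptions standing in for what the "Instance Manager" and "Cluster Manager" pages show; they are not ColdFusion's own configuration format, and reading the live inventory is left to the caller.

```python
"""Evaluate STIG check CF11-05-000181 (HA clustering) over an inventory.

Added example code. Rules implemented, from the Check Content:
  * not applicable when ColdFusion is not part of a mission critical system;
  * finding if fewer than two servers are defined, or all are on one host;
  * finding if no clusters are defined, or any cluster has fewer than two servers.
"""
from dataclasses import dataclass, field
from typing import Dict, List

NOT_APPLICABLE = "not applicable"


@dataclass
class Server:
    """Hypothetical row from the Instance Manager page (assumed shape)."""
    name: str
    host: str  # host the ColdFusion instance runs on


@dataclass
class Inventory:
    """Hypothetical export of the Instance Manager and Cluster Manager pages."""
    mission_critical: bool
    servers: List[Server] = field(default_factory=list)
    # cluster name -> names of the servers that are members of it
    clusters: Dict[str, List[str]] = field(default_factory=dict)


def evaluate(inv: Inventory) -> List[str]:
    """Return the list of findings; an empty list means the check passes.

    Returns [NOT_APPLICABLE] when the system is not mission critical.
    """
    if not inv.mission_critical:
        return [NOT_APPLICABLE]

    findings: List[str] = []

    # Instance Manager: two or more servers, and not all on the same host.
    if len(inv.servers) < 2:
        findings.append(f"fewer than two servers defined ({len(inv.servers)})")
    else:
        distinct_hosts = {s.host.strip().lower() for s in inv.servers}
        if len(distinct_hosts) < 2:
            findings.append("all defined servers are on the same host")

    # Cluster Manager: at least one cluster, each with two or more servers.
    if not inv.clusters:
        findings.append("no clusters defined")
    for cluster_name, members in inv.clusters.items():
        if len(set(members)) < 2:
            findings.append(f"cluster {cluster_name!r} has fewer than two servers")

    return findings


# Constructed sample inventories (not real systems).
SAMPLE_COMPLIANT = Inventory(
    mission_critical=True,
    servers=[Server("cfusion1", "cfhost-a"), Server("cfusion2", "cfhost-b")],
    clusters={"cfcluster": ["cfusion1", "cfusion2"]},
)

SAMPLE_NONCOMPLIANT = Inventory(
    mission_critical=True,
    servers=[Server("cfusion1", "cfhost-a"), Server("cfusion2", "cfhost-a")],
    clusters={"cfcluster": ["cfusion1"]},
)


if __name__ == "__main__":
    for label, inv in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        result = evaluate(inv)
        print(f"{label}: {'no findings' if not result else result}")
```

The host comparison is deliberately case-insensitive so that `CFHOST-A` and `cfhost-a` are not mistaken for separate hosts; if the exported inventory carries IP addresses rather than names, compare those instead, since two hostnames can resolve to one machine.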
Additional Identifiers
Rule ID: SV-237204r641707_rule
Vulnerability ID: V-237204
Group Title: SRG-APP-000435-AS-000069
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection