Title

ColdFusion must require each user to authenticate with a unique account. (Cat II impact)

Discussion

Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be uniquely identified. Without this identification, events cannot be traced to a particular user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing each user to authenticate using a unique account, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.

Check Content

Review the users within the "User Manager" page under the "Security" menu. If users are not defined, this is a finding.

Fix Text

Create user accounts within the "User Manager" page under the "Security" menu for those users that need access to the Administrator Console.

Additional Identifiers

Rule ID: SV-237147r641536_rule

Vulnerability ID: V-237147

Group Title: SRG-APP-000080-AS-000045

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.