Check: CF11-06-000225
Adobe ColdFusion 11 STIG: CF11-06-000225 (in versions v2 r1 through v1 r2)
Title
ColdFusion must remove software components after updated versions have been installed. (Cat II impact)
Discussion
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when installed. This backup directory allows the SA to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.
Check Content
Within the Administrator Console, navigate to the "Updates" page under the "Server Update" menu. Within the "Installed Updates" tab, note the backup directory location listed for each installed update. On the server running ColdFusion, verify that none of those backup directories exist. If all updates have been tested and verified and any of the backup directories still exist, this is a finding. Note: Do not remove the backup directory for an update until the update has been tested and it has been verified that the ColdFusion server is operating correctly.
Fix Text
Navigate to the "Updates" page under the "Server Update" menu within the Administrator Console. Within the "Installed Updates" tab, note the backup directory location listed for each installed update. On the server running ColdFusion, remove all backup directories for the installed updates. Note: Do not remove the backup directory for an update until the update has been tested and it has been verified that the ColdFusion server is operating correctly.
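The check and fix above are a manual console procedure; the following POSIX shell script is an added example (not part of the STIG or of ColdFusion) that audits the backup directory paths copied from the "Installed Updates" tab and reports each one that still exists as a finding. The on-disk pattern `cfusion/hf-updates/hf-11-000NN/backup` used by the scan helper is an assumption about where ColdFusion 11 places update backups; confirm it against the paths shown in your own console.

```shell
#!/bin/sh
# Added example, not from the STIG: audit ColdFusion 11 update backup
# directories. Input is a text file with one backup directory path per line,
# copied from the Administrator Console "Installed Updates" tab.

# check_backup_dirs LIST_FILE
#   Prints "FINDING: ..." for every listed directory that still exists and
#   "ok: ..." for every one that is absent. Blank lines and '#' comments are
#   skipped. Returns 0 when no backup directory remains, 1 otherwise.
check_backup_dirs() {
    _list="$1"
    _findings=0
    while IFS= read -r _dir || [ -n "$_dir" ]; do
        case "$_dir" in ''|'#'*) continue ;; esac
        if [ -d "$_dir" ]; then
            printf 'FINDING: backup directory still present: %s\n' "$_dir"
            _findings=$((_findings + 1))
        else
            printf 'ok: %s\n' "$_dir"
        fi
    done < "$_list"
    [ "$_findings" -eq 0 ]
}

# find_backup_dirs CF_ROOT
#   Cross-check helper: scans the install tree for directories matching the
#   assumed hf-updates/<hotfix>/backup layout, so that backups the console
#   list omits are still noticed. Prints one directory per line.
find_backup_dirs() {
    find "$1" -type d -path '*/hf-updates/*/backup' 2>/dev/null
}

# Usage: sh audit_cf_backups.sh /path/to/backup-dirs.txt
# Exit status 1 means at least one backup directory is still present.
if [ "$#" -gt 0 ]; then
    check_backup_dirs "$1"
fi
```

Run it only after each update has been tested and verified, as the note above requires; a non-zero exit status identifies the directories that still need to be removed.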
Additional Identifiers
Rule ID: SV-237234r641797_rule
Vulnerability ID: V-237234
Group Title: SRG-APP-000454-AS-000268
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002617 | Remove previous versions of organization-defined software components after updated versions have been installed. |
Controls
Number | Title |
---|---|
SI-2(6) | Removal of Previous Versions of Software / Firmware |