Title

ColdFusion must not allow application variables to be added to Servlet Context. (Cat II impact)

Discussion

ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing data across applications, the applications are no longer isolated with one application affecting other applications. By disabling this capability, the hosted applications, including the Administrator Console, are isolated.

Check Content

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allow adding application variables to Servlet Context" is checked, this is a finding.

Fix Text

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Allow adding application variables to Servlet Context" and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237198r641689_rule

Vulnerability ID: V-237198

Group Title: SRG-APP-000211-AS-000146

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.