Title

ColdFusion must protect newly created objects. (Cat II impact)

Discussion

During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive.

Check Content

For ColdFusion running on Windows, this finding is not applicable. ColdFusion running on Linux: 1. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11 2. Change to the directory where the file is located. 3. Edit the coldfusion_11 file. 4. Locate the umask setting. It should be located near the top of the file, but below the #description comment. If the umask is not set to 007 or more restrictive, this is a finding.

Fix Text

For ColdFusion running on Windows, this finding is not applicable. 1. Locate the file coldfusion_11 by running the command: find / -name coldfusion_11 2. Change to the directory where the file is located. 3. Edit the coldfusion_11 file. 4. Add the umask setting near the top of the file, but below the #description comment. A sample umask setting looks like: umask 007

Additional Identifiers

Rule ID: SV-237182r641641_rule

Vulnerability ID: V-237182

Group Title: SRG-APP-000516-AS-000237

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.