Check: CF11-03-000092
Adobe ColdFusion 11 STIG:
CF11-03-000092
(in versions v2 r1 through v1 r2)
Title
ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries. (Cat II impact)
Discussion
Controlling the overall security posture of the server includes controlling the patches and versions of the software running in the production environment. Patches are installed to fix security and functional bugs. Vendors often supply a feature to uninstall a patch in case it does not install correctly, causes problems for hosted applications, or itself contains defects not found during testing. The uninstall feature is meant to be used by an SA to maintain a secure and stable system. If an attacker gains access to the uninstall functionality, they can attempt to revert the server to an insecure version with known, documented vulnerabilities and then use those to compromise ColdFusion. To protect against this type of attack, and to keep administrative roles clearly separated, access to the patch management functionality must be restricted. Proper protection is achieved by assigning only the appropriate roles to users of the Administrator Console and by applying least-privilege permissions at the OS level.
Check Content
Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to server patch management functions. For each user that should not be able to access patch management functions, review the roles assigned to the user account. If the user has the "Server Updates" role, this is a finding.
Fix Text
Navigate to the "User Manager" page under the "Security" menu. Remove the "Server Updates" role from each user that should not have access to patch management functions.
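The check above is a manual review of the User Manager page. The following CFML template is an added example, not part of the STIG or of Adobe's code, that automates the same review through the ColdFusion Administrator API so it can be run on every instance before an audit. It assumes the Administrator API (cfide.adminapi) is enabled, that it is run from a template on the server itself, and that security.cfc's getUsers() returns a query with a "username" column and a "roles" column holding a list of role names; the exact column names, the internal spelling of the "Server Updates" role, and the allow-list of users are assumptions that should be verified against your own CF11 instance.

```cfml
<cfscript>
// Added example (not Adobe's code, not part of the STIG).
// Assumptions, labelled here and in the lead-in:
//   - cfide.adminapi.administrator.login(password) authenticates to the Admin API.
//   - cfide.adminapi.security.getUsers() returns a query with columns
//     "username" and "roles" (roles as a comma-separated list). Verify on your
//     instance; if the shape differs, adjust the two column reads below.
//   - The internal role name for the "Server Updates" checkbox may be spelled
//     "Server Updates", "ServerUpdates" or similar, so it is matched by pattern.
//   - allowedUpdaters is a constructed allow-list: the accounts the SA has
//     confirmed may perform patch management. Everyone else with the role is a finding.

// Take the Administrator password from a POST, never from the URL or source,
// and remove or lock down this template once the audit is done.
param name="form.adminPassword" type="string";

allowedUpdaters = ["sa_patching"];   // constructed: replace with your SA-approved accounts

admin = createObject("component", "cfide.adminapi.administrator");
admin.login(form.adminPassword);
sec = createObject("component", "cfide.adminapi.security");
users = sec.getUsers();               // assumed query shape, see comments above

findings = [];
for (i = 1; i <= users.recordCount; i++) {
    userName = users.username[i];
    roleList = users.roles[i];
    hasServerUpdates = false;

    for (r in listToArray(roleList)) {
        // Normalise so "Server Updates", "ServerUpdates", "server_updates" all match
        if (reFindNoCase("^server[^a-z]*updates?$", trim(r))) {
            hasServerUpdates = true;
        }
    }

    // The finding condition from the check: holds the role but is not an approved patcher
    if (hasServerUpdates && !arrayContainsNoCase(allowedUpdaters, userName)) {
        arrayAppend(findings, userName);
    }
}

if (arrayLen(findings) == 0) {
    writeOutput("CF11-03-000092: no findings. No unapproved user holds the Server Updates role.");
} else {
    writeOutput("CF11-03-000092: FINDING. Remove the Server Updates role in Security > User Manager for: "
                & arrayToList(findings, ", "));
}
</cfscript>
```

The script only reports; the fix itself (removing the role) is still done in the User Manager page as the Fix Text describes, which keeps the audit template from needing write access to the security configuration.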
Additional Identifiers
Rule ID: SV-237164r641587_rule
Vulnerability ID: V-237164
Group Title: SRG-APP-000133-AS-000092
CCIs
Number | Definition |
---|---|
CCI-001499 | Limit privileges to change software resident within software libraries. |
Controls
Number | Title |
---|---|
CM-5(6) | Limit Library Privileges |