Check: CF11-05-000189
Adobe ColdFusion 11 STIG:
CF11-05-000189
(in versions v2 r1 through v1 r2)
Title
ColdFusion must limit the maximum number of threads available for CFTHREAD. (Cat II impact)
Discussion
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. One way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is the CFTHREAD function. CFTHREAD allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned. If set to high, this may lead to a context-switching situation. When this feature is not in use, the maximum number of threads must be 1.
Check Content
Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. Ask the administrator if threading, calls to CFTHREAD, is being used by any of the hosted application. If threading is being used, this finding is not applicable. If threading is not being used and "Maximum number of threads available for CFTHREAD" is not set to 1, this is a finding.
Fix Text
If threading is being used, this finding is not applicable. Navigate to the "Request Tuning page under the Server Settings" menu. Set "Maximum number of threads available for CFTHREAD" to 1 and select the "Submit Changes" button.
Additional Identifiers
Rule ID: SV-237212r641731_rule
Vulnerability ID: V-237212
Group Title: SRG-APP-000435-AS-000163
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
Number | Title |
---|---|
SC-5 |
Denial of Service Protection |