Check: CF11-05-000163
Adobe ColdFusion 11 STIG: CF11-05-000163
(in versions v2 r1 through v1 r2)
Title
ColdFusion must disable creation of unnamed applications. (Cat II impact)
Discussion
ColdFusion allows applications to be named or unnamed. The application name lets the developer define a logical application with its own application scope and keeps applications separate from one another. When an application is unnamed, its application scope is the ColdFusion JEE servlet context, and its session scope is the session object of the underlying JEE application server; every unnamed application on the instance therefore shares the same application and session data. Unnamed applications are only needed when ColdFusion pages must share application- or session-scope data with existing JSP pages and servlets. Disabling the creation of unnamed applications ensures the Administrator Console and every other hosted application run in their own application and session scopes, isolated from each other.
Check Content
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable creation of unnamed applications" is unchecked, this is a finding.
Fix Text
Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable creation of unnamed applications" and select the "Submit Changes" button.
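Once "Disable creation of unnamed applications" is enabled, every application must declare a name, or its requests fail. The following Application.cfc, added here as an illustration and not taken from the STIG or from Adobe, shows what that means in practice; the application name and timeout values are assumptions for the example.

```cfml
// Application.cfc (example, not part of the STIG). With the STIG setting
// enabled, an Application.cfc that omits this.name (or a <cfapplication> tag
// with no name attribute) is rejected, because such an unnamed application
// would use the servlet context as its application scope and the JEE
// container session as its session scope, shared with every other unnamed
// application and with the Administrator Console.
component {

    // Naming the application gives it a private application scope and a
    // ColdFusion-managed session scope, isolated from other applications.
    // "payroll_portal" is an assumed name; use one unique to this application.
    this.name = "payroll_portal";

    // Session handling is now scoped to this named application only.
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);   // assumed: 30 minutes
    this.setClientCookies  = true;

    // Per-application settings stay with the named application rather than
    // leaking into the shared servlet context.
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);   // assumed: 1 day

    public boolean function onApplicationStart() {
        // Initialise state in this application's own scope.
        application.startedAt = now();
        return true;
    }

    public boolean function onRequestStart(required string targetPage) {
        // Defensive check: confirm the request is bound to a named application.
        // getApplicationMetadata() is a standard ColdFusion function; an empty
        // name here would indicate the application is unnamed.
        if ( len(getApplicationMetadata().name) EQ 0 ) {
            throw(type="Application", message="Unnamed applications are not permitted.");
        }
        return true;
    }
}
```

Deploy a file like this at the root of each hosted application before enabling the setting, so that nothing relies on the shared servlet context.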
Additional Identifiers
Rule ID: SV-237197r641686_rule
Vulnerability ID: V-237197
Group Title: SRG-APP-000211-AS-000146
CCIs
Number | Definition
---|---
CCI-001082 | Separate user functionality, including user interface services, from system management functionality.
Controls
Number | Title
---|---
SC-2 | Application Partitioning