Check: CF11-05-000193
Adobe ColdFusion 11 STIG:
CF11-05-000193
(in versions v2 r1 through v1 r2)
Title
ColdFusion must have a custom request queue time-out page. (Cat III impact)
Discussion
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework. Limiting the knowledge given to an attacker about the effects of his attack and possible solutions to further his attack is important. This is especially important when the attacker is trying to find the limits needed to exhaust resources and cause a DoS. To limit feedback to the attacker on his efforts, a custom time-out page should be used. The message returned should only inform the user that they should wait and retry their request again. The message must not disclose that the queue timed out.
Check Content
Within the Administrator Console, navigate to the "Request Tuning" page under the "Server Settings" menu. Validate that the "Request Queue Timeout Page" setting is set to a valid and custom page. If "Request Queue Timeout Page" is blank or is set to /CFIDE/administrator/templates/request_timeout_error.cfm, this is a finding. If a page is specified, validate that the file exist. The path and file given are relevant to the web servers' document root directory and not the OS root directory. For example, if the web servers' document root is /opt/webserver/wwwroot and the "Request Queue Timeout Page" is set to /CFIDE/administrator/templates/timeout_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/timeout_error.cfm If the "Request Queue Timeout Page" setting is not set to a valid page, this is a finding.
Fix Text
Navigate to the "Request Tuning" page under the "Server Settings" menu. Set "Request Queue Timeout Page" to a custom and valid error page and select the "Submit Changes" button.
Additional Identifiers
Rule ID: SV-237216r641743_rule
Vulnerability ID: V-237216
Group Title: SRG-APP-000435-AS-000163
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
Number | Title |
---|---|
SC-5 |
Denial of Service Protection |