Title

ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. (Cat II impact)

Discussion

Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. ColdFusion uses the underlying JVM to handle transmission and receiving of data, but ColdFusion does offer to the programmer an encrypt API call to protect the data. This call can use multiple crypto methods, but using FIPS 140-2 is superior to those non-FIPS crypto methods to protect and detect changes to the data. Through JVM arguments set within ColdFusion, the programmer can be forced to only FIPS crypto methods.

Check Content

Within the Administrator Console, navigate to the "Java and JVM" page under the "Server Settings" menu. If the JVM argument-Dcoldfusion.enablefipscrypto=true cannot be found or -Dcoldfusion.enablefipscrypto is set to false, this is a finding.

Fix Text

Navigate to the "Java and JVM" page under the "Server Settings" menu. Locate the JVM argument coldfusion.enablefipscrypto. If the argument cannot be found, add the argument as -Dcoldfusion.enablefipscrypto=true. If the parameter is defined but set to false, change the setting to true.

Additional Identifiers

Rule ID: SV-237220r641755_rule

Vulnerability ID: V-237220

Group Title: SRG-APP-000440-AS-000167

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.