Check: CF11-05-000198
Adobe ColdFusion 11 STIG: CF11-05-000198 (in versions v2 r1 through v1 r2)
Title
ColdFusion must encrypt patch retrieval. (Cat II impact)
Discussion
Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.
Check Content
If the Administrator Console is used to perform patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console and review the setting "Site URL" within the "Settings" tab. If the URL is not prefixed by https://, this is a finding.

If a manual process is used to retrieve patches, verify that a documented process is in place that includes using an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc. If there is not a documented process or the process does not include an encrypted method to download patches, this is a finding.
Fix Text
If the Administrator Console is used for patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console. Locate the "Site URL" setting on the "Settings" tab. Update the URL used for updates to be prefixed with https:// so that the communication is encrypted and select the "Submit Changes" button.

If a manual process is used to retrieve patches, document the process to retrieve the patches that uses an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.
Additional Identifiers
Rule ID: SV-237221r641758_rule
Vulnerability ID: V-237221
Group Title: SRG-APP-000440-AS-000167
CCIs
| Number | Definition |
|---|---|
| CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
Controls
| Number | Title |
|---|---|
| SC-8(1) | Cryptographic or Alternate Physical Protection |