Check: APAS-CF-000860
Adobe ColdFusion STIG:
APAS-CF-000860
(in version v1 r1)
Title
JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher. (Cat I impact)
Discussion
Preventing the disclosure of transmitted information requires that ColdFusion take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved using TLS. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. ColdFusion relies on the JVM to control the encryption of transmitted data. JVM settings can be controlled within the Administrator Console to configure the JVM to use only FIPS 140-2/140-3 approved TLS versions and to disable non-FIPS SSL versions.
Check Content
Verify the JVM arguments for TLS. From the Admin Console landing screen, navigate to Server Settings >> Java and JVM. The parameter -Dhttps.protocols is used to set the TLS versions. Valid values for this setting must be TLS versions 1.2 or higher. Example: -Dhttps.protocols=TLSv1.2,TLSv1.3

If the "JVM arguments" setting does not contain the parameter "-Dhttps.protocols", or if the parameter "-Dhttps.protocols" contains any unapproved protocols or versions, this is a finding.
Fix Text
Configure the JVM arguments for TLS.
1. From the Admin Console landing screen, navigate to Server Settings >> Java and JVM.
2. In the JVM Arguments section, add the parameter "-Dhttps.protocols" and set it to the TLS versions to be used. Example: -Dhttps.protocols=TLSv1.2,TLSv1.3
3. Select "Submit Changes".
4. Restart ColdFusion for the changes to take effect.
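The check above can be automated against the persisted JVM arguments. The following is an added example (not part of the STIG or of Adobe's tooling) that assumes the "JVM arguments" field is stored as the `java.args=` line of a `jvm.config` file; the sample file content is constructed, and the helper names are hypothetical.

```python
import shlex

# Constructed sample of a jvm.config "java.args=" line (assumption: the Admin
# Console's "JVM arguments" field is persisted to this file).
SAMPLE_JVM_CONFIG = """\
# jvm.config (constructed sample, not from a real server)
java.home=/opt/coldfusion/jre
java.args=-server -Xmx1024m -Dhttps.protocols=TLSv1.2,TLSv1.3 -Dcoldfusion.home={application.home}
"""

# Only TLS 1.2 or higher is approved by APAS-CF-000860.
APPROVED = {"TLSv1.2", "TLSv1.3"}


def https_protocols(jvm_config_text):
    """Return the protocol list from -Dhttps.protocols, or None if the flag is absent."""
    for line in jvm_config_text.splitlines():
        if not line.startswith("java.args="):
            continue
        args = shlex.split(line[len("java.args="):])
        prefix = "-Dhttps.protocols="
        values = [a[len(prefix):] for a in args if a.startswith(prefix)]
        if values:
            # Take the last occurrence so a duplicated flag is judged by its final value.
            return [p.strip() for p in values[-1].split(",") if p.strip()]
    return None


def evaluate(jvm_config_text):
    """Apply the APAS-CF-000860 check; returns (is_finding, reason)."""
    protocols = https_protocols(jvm_config_text)
    if protocols is None:
        return True, "-Dhttps.protocols not set in JVM arguments"
    if not protocols:
        return True, "-Dhttps.protocols is set but empty"
    unapproved = sorted(set(protocols) - APPROVED)
    if unapproved:
        return True, "unapproved protocol(s): " + ", ".join(unapproved)
    return False, "https.protocols=" + ",".join(protocols)


if __name__ == "__main__":
    print(evaluate(SAMPLE_JVM_CONFIG))
```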
Additional Identifiers
Rule ID: SV-279092r1171584_rule
Vulnerability ID: V-279092
Group Title: SRG-APP-000439-AS-000155
CCIs
| Number | Definition |
|---|---|
| CCI-002418 | Protect the confidentiality and/or integrity of transmitted information. |
Controls
| Number | Title |
|---|---|
| SC-8 | Transmission Confidentiality and Integrity |