Check: APAS-CF-000080
Adobe ColdFusion STIG: APAS-CF-000080 (in version v1 r1)
Title
ColdFusion must log scheduled tasks. (Cat III impact)
Discussion
Logging scheduled tasks in ColdFusion is essential for detecting unauthorized or unexpected behavior, ensuring task execution integrity, and supporting forensic investigations. Scheduled tasks can be used to automate critical operations, including data transfers, script executions, or maintenance routines. If these tasks are not properly logged, malicious or erroneous activities may go undetected. For example, an attacker could schedule a task to exfiltrate data or alter application configurations without immediate notice. Recording details such as task name, execution time, user context, success or failure status, and any associated errors provides administrators with the necessary information to monitor system behavior, identify anomalies, and maintain accountability.
Check Content
Verify Logging is enabled. From the Admin Console Landing Screen, navigate to Debugging & Logging >> Logging Settings. If "Enable logging for scheduled tasks" is missing, the Scheduler is not installed, and this is not a finding. If "Enable logging for scheduled tasks" exists and is not checked, this is a finding.
Fix Text
Configure ColdFusion to enable logging.
1. From the Admin Console Landing Screen, navigate to Debugging & Logging >> Logging Settings.
2. Check "Enable logging for scheduled tasks".
3. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279035r1171616_rule
Vulnerability ID: V-279035
Group Title: SRG-APP-000097-AS-000060
CCIs
| Number | Definition |
|---|---|
| CCI-000132 | Ensure that audit records containing information that establishes where the event occurred. |
Controls
| Number | Title |
|---|---|
| AU-3 | Content of Audit Records |