Check: APAS-CF-000755
Adobe ColdFusion STIG: APAS-CF-000755 (in version v1 r1)
Title
ColdFusion must configure Data Sources to limit SQL command and configure timeout. (Cat II impact)
Discussion
Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data.

Failing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users.

Limiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions.

Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120
Check Content
Verify that all defined data sources are configured.
1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.
2. Determine if any data sources are defined. If no data sources are defined, this is not a finding.
3. For each Connected Data Source, edit the data source by clicking "Show Advanced Settings" to display all configuration options.
4. Check whether the data source provides an option to specify a query timeout. If the query timeout setting is not available, this is not a finding.
5. If the query timeout setting is available, verify that the value is not set to "0", which indicates no timeout. If any data source has a query timeout configured with a value of "0", this is a finding.
6. Review "Login Timeout (sec)". If there are any data sources with a "Login Timeout (sec)" set higher than 5, this is a finding.
If any of the data sources have CREATE, GRANT, DROP, REVOKE or ALTER checked, this is a finding.
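As an added illustration (not part of the STIG and not a ColdFusion API), the following Python encodes the finding rules of the check above and runs them over a constructed set of data source settings; the DataSource structure is an assumed representation of what the Advanced Settings screen shows, not a real ColdFusion export format.

```python
"""Evaluate ColdFusion data source settings against the APAS-CF-000755 check rules."""
from dataclasses import dataclass, field
from typing import Optional

# SQL statement types that must be unchecked on every data source.
RESTRICTED_SQL = ("CREATE", "GRANT", "DROP", "REVOKE", "ALTER")


@dataclass
class DataSource:
    """Assumed shape of one data source's Advanced Settings (not ColdFusion's own format)."""
    name: str
    login_timeout_sec: int
    # None models a driver that does not expose a query timeout setting (not a finding).
    query_timeout_sec: Optional[int]
    # Allowed SQL command checkboxes as shown under Advanced Settings.
    allowed_sql: set = field(default_factory=set)


def check_datasource(ds: DataSource) -> list:
    """Return finding descriptions for one data source; an empty list means compliant."""
    findings = []
    # Rule 5: a query timeout of 0 means no timeout; absent setting is skipped (rule 4).
    if ds.query_timeout_sec is not None and ds.query_timeout_sec == 0:
        findings.append(f"{ds.name}: query timeout is 0 (no timeout)")
    # Rule 6: Login Timeout (sec) higher than 5 is a finding.
    if ds.login_timeout_sec > 5:
        findings.append(f"{ds.name}: Login Timeout (sec) is {ds.login_timeout_sec} (> 5)")
    # Final rule: any of CREATE, GRANT, DROP, REVOKE or ALTER checked is a finding.
    checked = sorted(cmd for cmd in RESTRICTED_SQL if cmd in ds.allowed_sql)
    if checked:
        findings.append(f"{ds.name}: restricted SQL commands enabled: {', '.join(checked)}")
    return findings


def evaluate(datasources: list) -> list:
    """Apply the check to every data source; no data sources defined means no finding (rule 2)."""
    findings = []
    for ds in datasources:
        findings.extend(check_datasource(ds))
    return findings


# Constructed sample settings; not exported from any real ColdFusion server.
SAMPLE = [
    DataSource("appdb", login_timeout_sec=30, query_timeout_sec=60,
               allowed_sql={"SELECT", "INSERT", "UPDATE", "DELETE"}),
    DataSource("reports", login_timeout_sec=5, query_timeout_sec=0,
               allowed_sql={"SELECT", "DROP", "ALTER"}),
    DataSource("legacy", login_timeout_sec=3, query_timeout_sec=None,
               allowed_sql={"SELECT"}),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print("FINDING:", finding)
```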
Fix Text
Configure data sources.
1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.
2. For each data source, edit the data source configuration:
a. Click "Show Advanced Settings" to display all options.
b. If the query timeout parameter is available, set the timeout value to a number greater than 0 to ensure queries do not run indefinitely.
c. Set "Login Timeout (sec)" to less than 5.
d. Uncheck the options allowing SQL commands: CREATE, GRANT, DROP, REVOKE, ALTER.
e. Click "Submit" to save changes.
Additional Identifiers
Rule ID: SV-279083r1171449_rule
Vulnerability ID: V-279083
Group Title: SRG-APP-000435-AS-000163
CCIs
| Number | Definition |
|---|---|
| CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |