Check: APAS-CF-000890
Adobe ColdFusion STIG:
APAS-CF-000890
(in version v1 r1)
Title
ColdFusion must encrypt patch retrieval. (Cat II impact)
Discussion
Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.
Check Content
Verify that patch retrieval is performed securely, whether automated or manual. If the Administrator Console is not used to retrieve patches, proceed to Step 2.

1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
2. Review the Site URL fields for Update Site and Packages Site. Verify that all URLs are prefixed with "https://". If any URL is not prefixed with "https://", this is a finding.
3. If patches are retrieved manually, verify there is documented guidance describing the process.
4. Confirm the documented process requires using an encrypted method to download patches, such as VPN tunneling, Secure Copy (SCP), or equivalent secure protocols. If no documented process exists, or if the process does not require an encrypted method, this is a finding.
Fix Text
If the Administrator Console is used for patch retrieval:

1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
2. Locate the Site URL fields for "Update Site" and "Packages Site".
3. Update each URL to ensure it is prefixed with "https://" so communication is encrypted.
4. Select "Submit Changes".

If a manual process is used to retrieve patches:

1. Develop and maintain documented procedures describing the manual patch retrieval process.
2. Ensure the process specifies using an encrypted method for downloading patches (e.g., VPN tunneling, SCP, or equivalent secure protocols).
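The Check Content and Fix Text above are manual console steps. The following is an added audit helper, not part of the STIG or of Adobe ColdFusion, that applies the same rule to the two Site URL values once an auditor has copied them out of Package Manager >> Settings: a URL passes only when its scheme is https and a host is present, and any http URL is rewritten to https as the fix step describes. The field names and URL values are constructed samples; the function names are the author's own.

```python
from urllib.parse import urlsplit

# Constructed sample values standing in for what an auditor reads from
# Package Manager >> Settings. Hosts are hypothetical, not real update sites.
SAMPLE_SETTINGS = {
    "Update Site": "https://updates.example.invalid/cf/",      # compliant
    "Packages Site": "http://updates.example.invalid/packages/",  # finding: plaintext
}


def url_is_encrypted(url):
    """Return True only when the URL is prefixed with https:// and names a host.

    A bare "https://" with no host is rejected: it would not retrieve anything,
    and a blank field is not evidence of an encrypted channel.
    """
    if not url:
        return False
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def audit_site_urls(settings):
    """Evaluate the check: ('finding', [failing field names]) or ('pass', [])."""
    failing = [name for name, url in settings.items() if not url_is_encrypted(url)]
    return ("finding" if failing else "pass", failing)


def suggested_fix(settings):
    """Apply Fix Text step 3: rewrite http:// to https:// and leave other values untouched.

    Values that are neither http nor https (empty, or another scheme) are returned
    as-is so the auditor reviews them by hand rather than having a URL invented.
    """
    fixed = {}
    for name, url in settings.items():
        cleaned = url.strip()
        parts = urlsplit(cleaned)
        if parts.scheme.lower() == "http":
            # Drop "http://" (scheme plus "://") and re-prefix with https://.
            fixed[name] = "https://" + cleaned[len(parts.scheme) + 3:]
        else:
            fixed[name] = cleaned
    return fixed


if __name__ == "__main__":
    status, failing = audit_site_urls(SAMPLE_SETTINGS)
    print(f"APAS-CF-000890: {status}", failing)
    for field, url in suggested_fix(SAMPLE_SETTINGS).items():
        print(f"  {field}: {url}")
```

Run against the constructed sample it reports a finding for "Packages Site" and prints the corrected value; the auditor still enters the corrected URL in the console and selects "Submit Changes", which the script does not do.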
Additional Identifiers
Rule ID: SV-279096r1171589_rule
Vulnerability ID: V-279096
Group Title: SRG-APP-000440-AS-000167
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
Controls
| Number | Title |
|---|---|
| SC-8(1) | Cryptographic Protection |