Check: APAS-CF-000240
Adobe ColdFusion STIG:
APAS-CF-000240
(in version v1 r1)
Title
ColdFusion must have Central Configuration Server (CCS) disabled. (Cat III impact)
Discussion
The ColdFusion CCS is a feature used to synchronize configuration settings across multiple ColdFusion instances. Leaving CCS enabled in a production environment, especially when it is not actively used, introduces unnecessary risk. If improperly secured or misconfigured, CCS can allow unauthorized access to critical configuration settings, leading to configuration drift, exposure of sensitive information, or even system compromise across multiple instances. Disabling CCS when it is not explicitly required reduces the application server's attack surface, ensures tighter control over system configuration, and limits the potential vectors for lateral movement within the environment.
Check Content
Validate that CCS is disabled. From the Admin Console Landing Screen, navigate to Server Settings >> CCS. If the "CCS Enabled" setting is "Enabled", this is a finding.
Fix Text
Disable CCS.
1. From the Admin Console Landing Screen, navigate to Server Settings >> CCS.
2. Select "Disabled" on the "CCS Enabled" setting.
3. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279046r1171510_rule
Vulnerability ID: V-279046
Group Title: SRG-APP-000141-AS-000095
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |