Check: APAS-CF-000360
Adobe ColdFusion STIG: APAS-CF-000360 (in version v1 r1)
Title
ColdFusion must only transmit encrypted representations of passwords to the caching server. (Cat II impact)
Discussion
Redis is an in-memory data structure store used as a database, cache, and message broker. When data is transmitted between ColdFusion and the Redis caching server without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including cached data, session information, and other confidential data. By requiring the Redis caching server connection to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing encryption for all Redis caching server connections is essential for maintaining a secure server environment.
Check Content
Verify Redis Cache encryption. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. If the "Redis Server" setting is "localhost" or blank, this requirement is not a finding. If "Password" is blank, this is not a finding. If "Is SSL Enabled" is unchecked, this is a finding.
Fix Text
Configure Redis Cache encryption. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Caching. 2. Enable encryption by checking "Is SSL Enabled". 3. Select "Submit Changes".
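The check and fix above are manual Admin Console steps. The following is an added audit helper, not part of the STIG or of ColdFusion, that applies the same decision logic to the three Caching values once an auditor has copied them out of the console (the dict keys "redis_server", "password" and "ssl_enabled" are assumed names, not a ColdFusion format), and separately confirms that the configured Redis endpoint actually completes a TLS handshake before "Is SSL Enabled" is relied on.

```python
"""Audit helper for APAS-CF-000360 (added example, not from the STIG)."""
import socket
import ssl

NOT_A_FINDING = "not a finding"
FINDING = "finding"


def evaluate_redis_cache(settings: dict) -> tuple:
    """Apply the check logic to the Caching page values.

    settings keys (assumed names): "redis_server", "password", "ssl_enabled".
    Returns (status, reason) in the order the check text evaluates them.
    """
    server = (settings.get("redis_server") or "").strip()
    password = settings.get("password") or ""
    # Local or unset cache server: traffic never leaves the host.
    # "localhost" is compared case-insensitively; the check text does not
    # mention the loopback address form, so it is not special-cased here.
    if server == "" or server.lower() == "localhost":
        return NOT_A_FINDING, "Redis Server is localhost or blank"
    # No password configured: this control concerns password transmission.
    if password == "":
        return NOT_A_FINDING, "Password is blank"
    if not settings.get("ssl_enabled", False):
        return FINDING, "Is SSL Enabled is unchecked"
    return NOT_A_FINDING, "Is SSL Enabled is checked"


def redis_tls_handshake_ok(host: str, port: int = 6379, timeout: float = 5.0) -> bool:
    """Confirm the Redis endpoint offers TLS with a certificate the host trusts.

    Sends a RESP PING over the TLS channel. "+PONG" or "-NOAUTH" both prove the
    encrypted channel works; "-NOAUTH" only means the server wants a password.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"*1\r\n$4\r\nPING\r\n")
                reply = tls.recv(64)
                return reply.startswith((b"+PONG", b"-NOAUTH"))
    except (OSError, ssl.SSLError):
        return False
```

Run `redis_tls_handshake_ok()` against the "Redis Server" value before enabling the checkbox; a failed handshake means the Redis side still needs TLS configured or the certificate is not trusted by the ColdFusion host.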
Additional Identifiers
Rule ID: SV-279061r1171537_rule
Vulnerability ID: V-279061
Group Title: SRG-APP-000172-AS-000120
CCIs
| Number | Definition |
|---|---|
| CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
Controls
| Number | Title |
|---|---|
| IA-5(1) | Password-based Authentication |