Check: APAS-CF-000485
Adobe ColdFusion STIG: APAS-CF-000485 (in version v1 r1)
Title
ColdFusion must not install the Performance Monitoring Toolset (PMT) Agent Package. (Cat II impact)
Discussion
The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performance troubleshooting, introduce unnecessary risk in a DOD environment. The PMT agent collects, stores, and transmits detailed information about ColdFusion server activity, queries, and application behavior. If deployed in production, this agent can inadvertently expose sensitive system details, execution paths, or database query patterns to unauthorized individuals. The PMT Agent Package increases the attack surface by adding additional components, services, and ports that must be secured, monitored, and patched. Improperly configured or unmonitored PMT agents could allow adversaries to gain insights into application internals, conduct reconnaissance, or pivot toward exploiting ColdFusion services. By prohibiting the installation of the PMT Agent Package, system administrators reduce complexity, limit potential vulnerabilities, and enforce the principle of least functionality.
Check Content
Verify the PMT Agent Package is not installed. From the Admin Console Landing Screen, navigate to Package Manager >> Packages. If the "pmtagent" package is listed under the "Installed Packages" section, this is a finding.
Fix Text
Uninstall the PMT Agent Package.
1. From the Admin Console Landing Screen, navigate to Package Manager >> Packages.
2. Select the "pmtagent" package.
3. Select "Uninstall".
4. Select "OK".
Additional Identifiers
Rule ID: SV-279129r1171553_rule
Vulnerability ID: V-279129
Group Title: SRG-APP-000231-AS-000133
CCIs
| Number | Definition |
|---|---|
| CCI-001199 | Protects the confidentiality and/or integrity of organization-defined information at rest. |
Controls
| Number | Title |
|---|---|
| SC-28 | Protection of Information at Rest |