Check: APAS-CF-000445
Adobe ColdFusion STIG:
APAS-CF-000445
(in version v1 r1)
Title
ColdFusion must be configured to mutually authenticate connecting proxies and load balancers. (Cat II impact)
Discussion
Mutual authentication between connecting proxies, application servers, or gateways is essential for ensuring secure communication and preventing unauthorized access. Without mutual authentication, there is a risk that an attacker could impersonate a trusted component, leading to potential data breaches and other security incidents. Mutual authentication helps verify the identities of both parties involved in the communication, ensuring that only trusted entities can interact with ColdFusion. This process involves the exchange of certificates and the validation of these certificates against a trusted certificate authority. By implementing mutual authentication, ColdFusion can establish a secure and trusted communication channel, protect sensitive data and maintain the integrity of the system. Therefore, it is crucial to configure ColdFusion to mutually authenticate all connecting proxies, application servers, or gateways to enhance security and prevent unauthorized access.
Check Content
Validate SSL Certificate.
1. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.
2. Identify each ColdFusion IP address that is served by a load balancer or proxy. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
3. Open the server.xml file in a text editor and review each <Connector> element for the address setting and the clientAuth setting. If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.
4. Locate the configuration file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
5. Open the web.xml file in a text editor. If "<login-config><auth-method>CLIENT-CERT</auth-method></login-config>" is not present under the web-app tag, this is a finding.
Fix Text
Configure SSL Certificate.
For server.xml:
1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Before making changes, back up the file to prevent accidental misconfiguration.
3. Open server.xml in a text editor with administrative privileges.
For web.xml:
1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Before making changes, back up the file to prevent accidental misconfiguration.
3. Open web.xml in a text editor with administrative privileges.
4. Ensure the <login-config><auth-method>CLIENT-CERT</auth-method></login-config> is present under the web-app tag.
5. Save and close the file.
Restart ColdFusion to apply the changes.
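The Check Content and Fix Text above can be run as a script rather than by hand. The following Python is an added example written for this page, not part of the STIG or of Adobe's tooling. It parses a server.xml and a web.xml with the standard library, treats a <Connector> with no address attribute as listening on every interface (and therefore on any proxied address), and also flags clientAuth="true" on a connector that is not SSLEnabled, since Tomcat ignores clientAuth on a plain HTTP connector. The sample XML, the IP addresses and the keystore file names are constructed for the demonstration; the set of proxied addresses comes from the inventory step 1 of the check asks for.

```python
"""Compliance check for STIG APAS-CF-000445 (added example, not part of the STIG text).

Findings reported:
  * a <Connector> on a proxied / load-balanced address without clientAuth="true"
  * a <Connector> with clientAuth="true" but no SSLEnabled="true" (setting has no effect)
  * a web.xml without <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
"""
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip an XML namespace ("{uri}name" -> "name"); web.xml normally carries one.
    return tag.rsplit('}', 1)[-1]


def check_server_xml(xml_text, proxied_addresses):
    """Return finding strings for connectors serving proxied addresses.

    proxied_addresses: set of IP address strings identified in step 2 of the check.
    A connector with no 'address' attribute binds all interfaces and so is
    considered proxied whenever any proxied address exists.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter():
        if _local(conn.tag) != 'Connector':
            continue
        address = conn.get('address')
        if address is None:
            if not proxied_addresses:
                continue
        elif address not in proxied_addresses:
            continue
        label = f'Connector port={conn.get("port")} address={address or "<all>"}'
        client_auth = (conn.get('clientAuth') or '').strip().lower()
        if client_auth != 'true':
            findings.append(f'{label}: clientAuth={conn.get("clientAuth")!r}, expected "true"')
        elif (conn.get('SSLEnabled') or '').strip().lower() != 'true':
            findings.append(f'{label}: clientAuth="true" but SSLEnabled is not "true"')
    return findings


def check_web_xml(xml_text):
    """Return findings; empty when CLIENT-CERT login-config sits directly under <web-app>."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != 'web-app':
        return ['root element is not <web-app>']
    for login in root:  # direct children only: the STIG wants it under the web-app tag
        if _local(login.tag) != 'login-config':
            continue
        for method in login:
            if _local(method.tag) == 'auth-method' and (method.text or '').strip() == 'CLIENT-CERT':
                return []
    return ['no <login-config><auth-method>CLIENT-CERT</auth-method></login-config> under <web-app>']


# Constructed sample files (not real ColdFusion defaults).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" address="10.0.0.5" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" address="10.0.0.6" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="conf/cf-example.jks" truststoreFile="conf/proxies-example.jks"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>
"""

NONCOMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>cfusion</display-name>
</web-app>
"""

COMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>cfusion</display-name>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
"""

if __name__ == '__main__':
    proxied = {'10.0.0.5', '10.0.0.6'}  # constructed: addresses behind the load balancer
    for f in check_server_xml(SAMPLE_SERVER_XML, proxied):
        print('FINDING server.xml:', f)
    for f in check_web_xml(NONCOMPLIANT_WEB_XML):
        print('FINDING web.xml:', f)
    print('compliant web.xml findings:', check_web_xml(COMPLIANT_WEB_XML))
```

Against the constructed sample the 10.0.0.5 connector is reported (no clientAuth), the 10.0.0.6 connector passes, and the loopback AJP connector is ignored because it is not in the proxied set. To run it against a real instance, read the two files from <ColdFusion_Installation_Directory>\cfusion\runtime\conf\ and pass the addresses from your proxy inventory.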
Additional Identifiers
Rule ID: SV-279067r1171547_rule
Vulnerability ID: V-279067
Group Title: SRG-APP-000219-AS-000147
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001184 | Protect the authenticity of communications sessions. |
Controls
| Number | Title |
|---|---|
| SC-23 | Session Authenticity |