Check: APAS-CF-000885
Adobe ColdFusion STIG:
APAS-CF-000885
(in version v1 r1)
Title
JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit. (Cat I impact)
Discussion
ColdFusion uses the underlying JVM to handle transmitting and receiving data, but ColdFusion also offers the programmer an encrypt API call to protect the data. This call can use several cryptographic methods, but FIPS 140-2/140-3 (or higher) validated methods are superior to non-FIPS methods for protecting the data and detecting changes to it. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS cryptographic methods.
Check Content
Verify JVM Arguments for Crypto.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM. If the JVM argument contains "-Dcoldfusion.enablefipscrypto=false" or "-Dcoldfusion.enablefipscrypto" is missing, this is a finding.
2. Observe the ColdFusion edition at the top of the Administrator Console. If the edition is "Standard", this is a finding.
Fix Text
Configure JVM Arguments for Crypto.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.
2. Amend JVM arguments with "-Dcoldfusion.enablefipscrypto=true".
3. Click "Submit Changes".
4. If not using Enterprise Edition or cryptographic mechanisms are not available, reinstall with Enterprise Edition.
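The JVM-argument half of this check can be audited without opening the Administrator Console. The following is an added example, not part of the STIG or of Adobe's tooling; it assumes the arguments live on a single java.args= line of a jvm.config file (as in cfusion/bin/jvm.config) and treats only an explicit =true as compliant. The edition check in step 2 is not covered, since the edition is not recorded in that file.

```python
import shlex

# System property named in the check text.
FIPS_FLAG = "coldfusion.enablefipscrypto"


def parse_java_args(jvm_config_text: str) -> list[str]:
    """Return the JVM argument tokens from the java.args= line.

    Assumption (not stated on the page): all arguments sit on one
    'java.args=' line, as in ColdFusion's cfusion/bin/jvm.config.
    """
    for line in jvm_config_text.splitlines():
        line = line.strip()
        if line.startswith("java.args="):
            return shlex.split(line[len("java.args="):])
    return []


def check_fips_flag(jvm_args: list[str]) -> tuple[bool, str]:
    """Apply APAS-CF-000885 to a list of JVM arguments.

    Returns (is_finding, reason). Missing flag or any value other than
    'true' (covers the page's '=false' case and an empty value) is a
    finding. If the flag is repeated, the last occurrence wins, which is
    how the JVM resolves duplicate -D system properties.
    """
    value = None
    for arg in jvm_args:
        if arg == f"-D{FIPS_FLAG}":
            value = ""
        elif arg.startswith(f"-D{FIPS_FLAG}="):
            value = arg.split("=", 1)[1]
    if value is None:
        return True, f"-D{FIPS_FLAG} is missing from the JVM arguments"
    if value != "true":
        return True, f"-D{FIPS_FLAG}={value!r} does not enable FIPS crypto"
    return False, f"-D{FIPS_FLAG}=true is set"


def audit(jvm_config_text: str) -> bool:
    """True when APAS-CF-000885 is a finding for this jvm.config text."""
    return check_fips_flag(parse_java_args(jvm_config_text))[0]


# Constructed sample jvm.config fragments (not from the page), one per outcome.
SAMPLE_COMPLIANT = "java.home=/opt/coldfusion/jre\njava.args=-server -Xmx1024m -Dcoldfusion.enablefipscrypto=true -Dcoldfusion.home={application.home}\n"
SAMPLE_DISABLED = "java.args=-server -Xmx1024m -Dcoldfusion.enablefipscrypto=false\n"
SAMPLE_MISSING = "java.args=-server -Xmx1024m -Dcoldfusion.home={application.home}\n"

if __name__ == "__main__":
    for name, text in [("compliant", SAMPLE_COMPLIANT), ("disabled", SAMPLE_DISABLED), ("missing", SAMPLE_MISSING)]:
        finding, reason = check_fips_flag(parse_java_args(text))
        print(f"{name}: {'FINDING' if finding else 'pass'} - {reason}")
```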
Additional Identifiers
Rule ID: SV-279095r1171617_rule
Vulnerability ID: V-279095
Group Title: SRG-APP-000440-AS-000167
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
Controls
| Number | Title |
|---|---|
| SC-8(1) | Cryptographic Protection |