Check: APAS-CF-000820
Adobe ColdFusion STIG: APAS-CF-000820 (in version v1 r1)
Title
ColdFusion must limit the request throttle memory. (Cat II impact)
Discussion
Limiting the request throttle memory is essential to prevent resource exhaustion and denial-of-service (DoS) attacks. Without a limit, an excessive number of large requests can overwhelm the server, consuming memory and other resources and leading to performance degradation or crashes. Any request larger than the throttle threshold is considered throttled, and the combined size of all throttled requests in flight cannot exceed the throttle memory setting. A throttled request that arrives while insufficient throttle memory remains is queued, and any single request larger than the throttle memory is rejected. By setting a request throttle memory limit, the server can manage its resources effectively and remain responsive and available to handle client requests.
Check Content
Verify the Request Throttle Memory setting.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.
2. Interview the administrator to determine the maximum post data size required by the hosted applications.
If "Request Throttle Memory" is not set to 10 to 25 times the larger of "Request Throttle Threshold" or the maximum request size, this is a finding.
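The sizing rule above can be applied mechanically once the three values are known. The following Python script is an added example, not part of the STIG or of Adobe's tooling: it reads the settings from a constructed fragment in the WDDX-style layout ColdFusion uses for neo-runtime.xml, then evaluates the 10x to 25x rule. The variable names postSizeLimit, throttleThreshold and totalThrottleMemory are assumptions about how the Admin Console fields are persisted; confirm them against your own neo-runtime.xml before relying on the parser. The sample values are the product defaults (100 MB post limit, 4 MB threshold, 200 MB throttle memory), which the script flags as a finding because 200 MB is well under 10x the 100 MB post limit.

```python
"""Evaluate APAS-CF-000820 (Request Throttle Memory sizing) against values read
from a ColdFusion neo-runtime.xml fragment.  Added example; not part of the STIG."""
import xml.etree.ElementTree as ET

# Constructed sample in the WDDX-style layout ColdFusion uses for neo-runtime.xml.
# The three variable names are ASSUMPTIONS about how the Admin Console fields
# "Maximum size of post data", "Request Throttle Threshold" and
# "Request Throttle Memory" are stored; values are the product defaults, in MB.
SAMPLE_NEO_RUNTIME = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='postSizeLimit'><number>100.0</number></var>
<var name='throttleThreshold'><number>4.0</number></var>
<var name='totalThrottleMemory'><number>200.0</number></var>
</struct></data></wddxPacket>"""

LIMIT_VARS = ("postSizeLimit", "throttleThreshold", "totalThrottleMemory")


def read_request_limits(xml_text):
    """Return {var_name: float MB} for the three request-size settings,
    raising if any of them is absent or non-numeric."""
    root = ET.fromstring(xml_text)
    values = {}
    for var in root.iter("var"):
        name = var.get("name")
        if name in LIMIT_VARS:
            number = var.find("number")
            if number is None or not number.text:
                raise ValueError(f"{name} has no numeric value")
            values[name] = float(number.text)
    missing = [v for v in LIMIT_VARS if v not in values]
    if missing:
        raise ValueError(f"settings not found: {missing}")
    return values


def evaluate_apas_cf_000820(throttle_threshold_mb, max_request_mb,
                            throttle_memory_mb, low_multiple=10, high_multiple=25):
    """Apply the STIG rule: throttle memory must be 10 to 25 times the larger
    of the throttle threshold and the maximum request size the applications need."""
    base = max(throttle_threshold_mb, max_request_mb)
    minimum = low_multiple * base
    maximum = high_multiple * base
    finding = not (minimum <= throttle_memory_mb <= maximum)
    return {
        "base_mb": base,
        "required_min_mb": minimum,
        "required_max_mb": maximum,
        "configured_mb": throttle_memory_mb,
        "finding": finding,
    }


def check_config(xml_text, interviewed_max_request_mb=None):
    """Read the settings and evaluate the rule.  The maximum request size comes
    from the administrator interview; when no figure is supplied, the configured
    post size limit is used as the upper bound on any request the server accepts."""
    limits = read_request_limits(xml_text)
    max_request = limits["postSizeLimit"]
    if interviewed_max_request_mb is not None:
        max_request = interviewed_max_request_mb
    return evaluate_apas_cf_000820(limits["throttleThreshold"], max_request,
                                   limits["totalThrottleMemory"])


if __name__ == "__main__":
    result = check_config(SAMPLE_NEO_RUNTIME)
    status = "FINDING" if result["finding"] else "compliant"
    print(f"APAS-CF-000820: {status} "
          f"(configured {result['configured_mb']:.0f} MB, "
          f"required {result['required_min_mb']:.0f}-{result['required_max_mb']:.0f} MB)")
```

Run it against a copy of the live neo-runtime.xml (under the ColdFusion instance's lib directory) and pass the interview figure as interviewed_max_request_mb; the defaults alone show why the interview step matters, since a 100 MB post limit with a 200 MB throttle memory fails the rule, while applications that genuinely need at most 20 MB per request would pass with the same throttle memory.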
Fix Text
Configure the Request Throttle Memory setting.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.
2. Set "Request Throttle Memory" to the required amount.
3. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279088r1171038_rule
Vulnerability ID: V-279088
Group Title: SRG-APP-000435-AS-000163
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |