Check: APAS-CF-000345
Adobe ColdFusion STIG: APAS-CF-000345 (in version v1 r1)
Title
ColdFusion must transmit only encrypted representations of passwords to NoSQL data sources. (Cat II impact)
Discussion
When data is transmitted between ColdFusion and its data sources without encryption, it is vulnerable to interception and unauthorized access. This can lead to the exposure of sensitive information, including personal data, authentication credentials, and other confidential information. By requiring each data source to use encryption for data transmission, ColdFusion ensures that the credentials and data are protected from eavesdropping and tampering. This practice helps maintain the confidentiality and integrity of the data, thereby enhancing the overall security of the server and the applications it hosts. Regularly verifying and enforcing encryption for all data source connections is essential for maintaining a secure server environment.
Check Content
1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources.
2. For each "Connected NoSQL Data Source" configured, examine the settings and verify that encryption is enabled and properly configured for the data source connection.
If any NoSQL data source does not have "Enable SSL" checked (that is, encryption is not enabled for that connection), this is a finding.
Fix Text
1. From the Admin Console Landing Screen, navigate to Data & Services >> NoSQL Data Sources.
2. Make the necessary changes to the data source to use encryption.
3. Check the "Enable SSL" checkbox.
4. Select "Submit".
The setting only takes effect if the MongoDB deployment behind the data source accepts TLS connections and presents a certificate that chains to a CA trusted by the JVM ColdFusion runs on; with "Enable SSL" checked, a connection that cannot negotiate TLS fails rather than falling back to cleartext, so confirm the application can still reach the data source after submitting.
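The Administrator checkbox is the configuration item this check audits, but ColdFusion's NoSQL data sources are MongoDB connections, and "Enable SSL" corresponds to the tls=true connection-string option. The following is an added example, not Adobe's code and not a reader of ColdFusion's configuration files: it applies the same rule to MongoDB connection strings (for example ones an application supplies outside the Administrator), treating mongodb+srv:// as TLS-by-default per the MongoDB connection-string specification, and it includes a live handshake probe to corroborate that the endpoint actually speaks TLS. Host names, credentials and the inventory are constructed placeholders.

```python
"""Audit MongoDB connection strings for transport encryption.

Added example for this STIG check; it is not Adobe's code and does not read
ColdFusion's configuration files. ColdFusion's NoSQL data sources are MongoDB
connections, and the Administrator's "Enable SSL" setting is equivalent to
tls=true in MongoDB connection-string terms.
"""
import socket
import ssl
from urllib.parse import parse_qs, urlsplit


def uri_requires_tls(uri: str) -> bool:
    """Return True if a MongoDB URI will negotiate TLS.

    Rules from the MongoDB connection-string specification:
      * mongodb+srv:// implies tls=true unless the URI overrides it
      * tls=true, or the deprecated alias ssl=true, enables TLS
      * tls and ssl given with different values is an error
      * a plain mongodb:// URI with no tls option is cleartext
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"not a MongoDB URI: {uri!r}")
    # Option names are case-insensitive; the last occurrence wins.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    tls, ssl_alias = opts.get("tls"), opts.get("ssl")
    if tls is not None and ssl_alias is not None and tls != ssl_alias:
        raise ValueError(f"conflicting tls/ssl options in {uri!r}")
    value = tls if tls is not None else ssl_alias
    if value is None:
        return parts.scheme == "mongodb+srv"
    if value not in ("true", "false"):
        raise ValueError(f"invalid boolean {value!r} for tls in {uri!r}")
    return value == "true"


def audit_inventory(datasources):
    """Return the names of data sources that are findings under this check.

    A URI that does not require TLS, or that cannot be parsed, is a finding.
    """
    findings = []
    for ds in datasources:
        try:
            if not uri_requires_tls(ds["uri"]):
                findings.append(ds["name"])
        except ValueError:
            findings.append(ds["name"])
    return findings


def probe_tls(host: str, port: int, timeout: float = 5.0):
    """Live corroboration: complete a TLS handshake with the data source host.

    Returns the negotiated protocol version (e.g. 'TLSv1.3'), or None when the
    endpoint does not speak TLS or presents a certificate the local trust
    store rejects. A server answering with cleartext MongoDB wire protocol
    fails the handshake, which is the case the checkbox alone cannot reveal.
    Not exercised offline; run it from a host that can reach the data source.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


# Constructed inventory for demonstration; hostnames and credentials are
# placeholders, not values exported from any ColdFusion installation.
SAMPLE_DATASOURCES = [
    {"name": "orders-prod",
     "uri": "mongodb://cf_app:s3cret@mongo1.example.internal:27017,"
            "mongo2.example.internal:27017/orders?tls=true&replicaSet=rs0"},
    {"name": "atlas-analytics",
     "uri": "mongodb+srv://cf_app:s3cret@cluster0.example.net/analytics"},
    {"name": "legacy-reports",
     "uri": "mongodb://cf_app:s3cret@oldmongo.example.internal:27017/reports"},
]

if __name__ == "__main__":
    for name in audit_inventory(SAMPLE_DATASOURCES):
        print(f"FINDING: NoSQL data source {name!r} does not require TLS")
```

Run against the constructed inventory, only legacy-reports is reported: the replica-set URI carries tls=true and the mongodb+srv URI is TLS by default. A conflicting tls/ssl pair is reported as a finding rather than silently resolved, since a driver would reject the URI and the reviewer should see it.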
Additional Identifiers
Rule ID: SV-279058r1171531_rule
Vulnerability ID: V-279058
Group Title: SRG-APP-000172-AS-000120
CCIs
| Number | Definition |
|---|---|
| CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
Controls
| Number | Title |
|---|---|
| IA-5(1) | Password-based Authentication |