Check: APAS-CF-000220
Adobe ColdFusion STIG:
APAS-CF-000220
(in version v1 r1)
Title
ColdFusion must disable all remote and client-side debugging features, including Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging. (Cat II impact)
Discussion
Debugging and inspection features in application servers, such as ColdFusion's Remote Inspection, Robust Exception Information, AJAX Debug Log Window, and Line Debugging, are valuable tools during development but pose significant security risks if left enabled in production. They can expose detailed error messages, internal server logic, application structure, variable contents, and system information that an attacker can use for reconnaissance, to identify exploitable weaknesses, or to gain unauthorized access. Remote Inspection and Line Debugging additionally open a debugging interface to the running server, so they are not merely an information-disclosure concern. Leaving these features on in production violates the principle of least functionality (providing only mission-essential capabilities) and secure deployment practice; disabling them mitigates the risk of information leakage. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000266-AS-000169
Check Content
Validate Debugging and Logging settings. From the Admin Console Landing Screen, navigate to Debugging & Logging.
In the "Remote Inspection Settings" tab, if "Allow Remote Inspection" is checked, this is a finding.
In the "Debug Output Settings" tab, if "Enable Robust Exception Information" is checked, this is a finding. If "Enable AJAX Debug Log Window" is checked, this is a finding.
In the "Debugger Settings" tab, if "Allow Line Debugging" is checked, this is a finding.
Fix Text
Configure Debugging and Logging settings.
1. From the Admin Console Landing Screen, navigate to Debugging & Logging.
2. In the "Remote Inspection Settings" tab, ensure "Allow Remote Inspection" is unchecked.
3. Select "Submit Changes".
4. In the "Debug Output Settings" tab, ensure "Enable Robust Exception Information" is unchecked.
5. Ensure "Enable AJAX Debug Log Window" is unchecked.
6. Select "Submit Changes".
7. In the "Debugger Settings" tab, ensure "Allow Line Debugging" is unchecked.
8. Select "Submit Changes".
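The check and fix above are Admin Console procedures. For auditing many instances or for a file-level check in a pipeline, the same four settings can be read from the ColdFusion configuration file without the GUI. The script below is an added example and is not part of the STIG or of Adobe's tooling. It assumes that the debugging settings are persisted in cfusion/lib/neo-debug.xml as a WDDX packet whose top-level struct holds boolean vars, and the var names it maps to the four checkboxes (remoteInspection, robust_enabled, ajaxdebug, allowLineDebugging) are assumptions to be confirmed against your own installation. The sample packet embedded in the script is constructed for the example; the rewrite helper only illustrates the target state and is not a substitute for applying the fix through the Admin Console and restarting the service.

```python
"""Offline audit of ColdFusion debugging settings (APAS-CF-000220).

Added example, not the STIG's or Adobe's own code. Assumptions:
- settings live in cfusion/lib/neo-debug.xml as a WDDX packet whose
  top-level <struct> holds <var name='...'><boolean value='...'/></var>;
- the var names in DEBUG_FLAGS are assumed mappings for the Admin Console
  checkboxes and must be verified against a real install.
"""
import xml.etree.ElementTree as ET

# Admin Console label -> assumed neo-debug.xml var name.
DEBUG_FLAGS = {
    "Allow Remote Inspection": "remoteInspection",            # assumed name
    "Enable Robust Exception Information": "robust_enabled",  # assumed name
    "Enable AJAX Debug Log Window": "ajaxdebug",              # assumed name
    "Allow Line Debugging": "allowLineDebugging",             # assumed name
}

# Constructed sample packet in neo-debug.xml style; not taken from a real server.
SAMPLE_NEO_DEBUG = """<wddxPacket version='1.0'>
<header/>
<data><struct type='coldfusion.server.ConfigMap'>
<var name='enabled'><boolean value='true'/></var>
<var name='robust_enabled'><boolean value='true'/></var>
<var name='ajaxdebug'><boolean value='false'/></var>
<var name='remoteInspection'><boolean value='true'/></var>
<var name='allowLineDebugging'><boolean value='false'/></var>
<var name='ip.list'><string>127.0.0.1</string></var>
</struct></data>
</wddxPacket>"""


def parse_wddx_booleans(xml_text):
    """Return {var name: bool} for every boolean var in the top-level struct."""
    root = ET.fromstring(xml_text)
    struct = root.find("./data/struct")
    result = {}
    if struct is None:
        return result
    for var in struct.findall("var"):
        name = var.get("name")
        boolean = var.find("boolean")
        if name is not None and boolean is not None:
            result[name] = boolean.get("value", "").lower() == "true"
    return result


def audit_debug_settings(xml_text, flags=DEBUG_FLAGS):
    """Return (findings, unknown).

    findings: Admin Console labels whose flag is true (a STIG finding).
    unknown:  labels whose var is absent, reported so that a renamed or
              missing key fails loudly instead of passing silently.
    """
    values = parse_wddx_booleans(xml_text)
    findings, unknown = [], []
    for label, key in flags.items():
        if key not in values:
            unknown.append(label)
        elif values[key]:
            findings.append(label)
    return findings, unknown


def set_debug_flags_false(xml_text, flags=DEBUG_FLAGS):
    """Return the packet with every audited boolean forced to false.

    Demonstrates the compliant target state only; on a live server apply
    the change through the Admin Console per the Fix Text.
    """
    root = ET.fromstring(xml_text)
    struct = root.find("./data/struct")
    wanted = set(flags.values())
    for var in struct.findall("var"):
        if var.get("name") in wanted:
            boolean = var.find("boolean")
            if boolean is not None:
                boolean.set("value", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    findings, unknown = audit_debug_settings(SAMPLE_NEO_DEBUG)
    for label in findings:
        print("FINDING:", label, "is enabled")
    for label in unknown:
        print("UNKNOWN:", label, "(var not present, verify key name)")
    print("after fix:", audit_debug_settings(set_debug_flags_false(SAMPLE_NEO_DEBUG)))
```

Run it against a copy of neo-debug.xml by replacing SAMPLE_NEO_DEBUG with the file's contents; any non-empty `unknown` list means the assumed var names do not match that ColdFusion version and the mapping must be corrected before the audit result is trusted.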
Additional Identifiers
Rule ID: SV-279044r1171508_rule
Vulnerability ID: V-279044
Group Title: SRG-APP-000141-AS-000095
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
| CCI-001312 | Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited. |