Check: APAS-CF-000190
Adobe ColdFusion STIG: APAS-CF-000190 (in version v1 r1)
Title
ColdFusion must configure WebSocket Service. (Cat II impact)
Discussion
Application servers provide a wide range of features and services, many of which may not be necessary or secure for a production DOD environment. One such feature is the ColdFusion WebSocket Service, which supports real-time, bidirectional communication for applications such as dashboards, online gaming, social networking, and live data feeds. This service communicates over HTTP or HTTPS using a proxy or the built-in WebSocket server.

When enabled, the WebSocket Service consumes system resources and may introduce security risks if not properly configured or if left unused. These risks include unauthorized access, input injection, session hijacking, and the ability to bypass traditional security controls such as firewalls and proxies. If the WebSocket service is not actively required by hosted applications, it should be disabled to free up system resources and reduce the overall attack surface. When used, the WebSocket service must be securely configured.

Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000442-AS-000259
Check Content
Verify the ColdFusion WebSocket configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket. If the "websocket" package is not installed, this is Not Applicable.
2. If "Enable WebSocket Service" is checked: If "Use Proxy" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.
3. If "Use Built-in WebSocket Server" is selected and the "Port" setting is checked, this is a finding. Non-SSL WebSocket is not permitted.
4. If SSL Port is not checked, this is a finding.
5. Verify SSL Port is an approved port. If not, this is a finding.
6. If "Start Flash Policy Server" is checked, this is a finding.
7. If "Max Data Size" is over the required maximum size, this is a finding.
Fix Text
Configure ColdFusion WebSocket.

1. From the Admin Console Landing Screen, navigate to Server Settings >> WebSocket.
2. If "Use Proxy" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.
3. If "Use Built-in WebSocket Server" is selected, uncheck "Port" to disable non-SSL WebSocket connections. Non-SSL WebSocket is not permitted.
4. Enable encryption by checking "SSL Port" and enter an approved port value.
5. Enter keystore and password.
6. Uncheck the "Start Flash Policy Server".
7. Set the "Max Data Size" to the default setting of 1024 or to the required maximum size for the hosted applications.
8. Select "Submit Changes".
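The Check Content and Fix Text above describe a manual review of the Administrator screen. The following added example (not part of the STIG and not ColdFusion's own code) encodes the same decision logic as an automated evaluator: the `WebSocketSettings` field names, the approved port set, and the sample configurations are assumptions constructed for this illustration, and steps 3 through 7 are treated as applying only when the service is enabled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Server Settings >> WebSocket screen. Field names are
# assumptions for this example, not ColdFusion's own configuration keys; in
# practice they would be populated from the Administrator.
@dataclass
class WebSocketSettings:
    package_installed: bool = True      # "websocket" package present
    enabled: bool = False               # "Enable WebSocket Service"
    mode: str = "builtin"               # "proxy" or "builtin"
    port_checked: bool = False          # non-SSL "Port" checkbox
    ssl_port_checked: bool = False      # "SSL Port" checkbox
    ssl_port: Optional[int] = None      # SSL port value
    flash_policy_server: bool = False   # "Start Flash Policy Server"
    max_data_size: int = 1024           # "Max Data Size"

def evaluate(s: WebSocketSettings, approved_ssl_ports, required_max_data_size=1024):
    """Return (status, findings) for APAS-CF-000190.

    Assumption: steps 3-7 are only evaluated when the service is enabled,
    since a disabled service exposes none of these settings.
    """
    if not s.package_installed:
        return "Not Applicable", []
    if not s.enabled:
        return "Not a Finding", []
    findings = []
    if s.port_checked:  # steps 2/3: non-SSL port with proxy or built-in server
        findings.append(f"non-SSL Port enabled with {s.mode} WebSocket server")
    if not s.ssl_port_checked:  # step 4
        findings.append("SSL Port not enabled")
    elif s.ssl_port not in approved_ssl_ports:  # step 5
        findings.append(f"SSL Port {s.ssl_port} is not an approved port")
    if s.flash_policy_server:  # step 6
        findings.append("Start Flash Policy Server enabled")
    if s.max_data_size > required_max_data_size:  # step 7
        findings.append(f"Max Data Size {s.max_data_size} exceeds {required_max_data_size}")
    return ("Open" if findings else "Not a Finding"), findings

# Constructed sample inputs: an unhardened screen and the same screen after the Fix Text.
UNHARDENED = WebSocketSettings(enabled=True, mode="builtin", port_checked=True,
                               ssl_port_checked=False, flash_policy_server=True,
                               max_data_size=4096)
HARDENED = WebSocketSettings(enabled=True, mode="builtin", port_checked=False,
                             ssl_port_checked=True, ssl_port=8443,
                             flash_policy_server=False, max_data_size=1024)

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        status, findings = evaluate(cfg, approved_ssl_ports={8443})
        print(name, status, findings)
```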
Additional Identifiers
Rule ID: SV-279040r1171341_rule
Vulnerability ID: V-279040
Group Title: SRG-APP-000141-AS-000095
CCIs
| Number | Definition |
|---|---|
| CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
| CCI-002422 | Maintain the confidentiality and/or integrity of information during reception. |