Check: APAS-CF-000001
Adobe ColdFusion STIG:
APAS-CF-000001
(in version v1 r1)
Title
ColdFusion must limit concurrent sessions to the Administrator Console. (Cat III impact)
Discussion
The ColdFusion Administrator Console provides critical functionality for managing the ColdFusion application server. Allowing concurrent logins to the Administrator Console increases the risk of unauthorized access and account compromise. Disabling concurrent logins ensures that only one active session per user is allowed. This restriction provides a security benefit by alerting users to potential account compromise: if a user is unexpectedly logged out because a new session was initiated, it may indicate unauthorized use of their credentials.
Check Content
Verify Concurrent Administrator Console Logins.

1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. Locate the option labeled "Allow concurrent login sessions for Administrator Console".

If this option is enabled (checked), this is a finding.
Fix Text
Configure Concurrent Administrator Console Logins.

1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. Locate the option labeled "Allow concurrent login sessions for Administrator Console".
3. Disable (uncheck) the option.
4. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279030r1171489_rule
Vulnerability ID: V-279030
Group Title: SRG-APP-000001-AS-000001
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000054 | Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number. |
Controls
| Number | Title |
|---|---|
| AC-10 | Concurrent Session Control |