Check: APAS-CF-000930
Adobe ColdFusion STIG: APAS-CF-000930 (in version v1 r1)
Title
ColdFusion Backup Directory must be deleted. (Cat II impact)
Discussion
Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system.

ColdFusion creates a backup directory for an update when the update is installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or an incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.
Check Content
Verify that the update backup directory has been deleted.

Navigate to C:\ColdFusion2023\cfusion\hf-updates.

If any backup directories exist in the "hf-updates" folder, this is a finding.

Note: Do not remove the backup directory for an update until the update has been tested and the ColdFusion server has been verified to be operating correctly.
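The check above can be scripted as a read-only audit. The following PowerShell is an added example, not part of the STIG or of Adobe's tooling. It assumes that every subdirectory of "hf-updates" is an update backup directory (the check text does not give a naming pattern); the function name and the status labels are chosen for this example.

```powershell
# Added audit example for APAS-CF-000930. Read-only: it lists, it never deletes.
function Test-CFUpdateBackups {
    [CmdletBinding()]
    param(
        # Path taken from the check text; change it for a different install root.
        [string]$HfUpdatesPath = 'C:\ColdFusion2023\cfusion\hf-updates'
    )

    if (-not (Test-Path -LiteralPath $HfUpdatesPath -PathType Container)) {
        # Folder absent: wrong install root, or no update was ever applied.
        return [pscustomobject]@{
            Check   = 'APAS-CF-000930'
            Path    = $HfUpdatesPath
            Status  = 'NotReviewed'
            Backups = @()
        }
    }

    # Assumption: any subdirectory is treated as an update backup directory.
    # -Force includes hidden directories so they are not overlooked.
    $now  = Get-Date
    $dirs = @(Get-ChildItem -LiteralPath $HfUpdatesPath -Directory -Force |
        Sort-Object LastWriteTime |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
                # Age helps the SA judge whether the update has finished testing.
                AgeDays       = [int][math]::Floor(($now - $_.LastWriteTime).TotalDays)
            }
        })

    $status = if ($dirs.Count -gt 0) { 'Open' } else { 'NotAFinding' }

    [pscustomobject]@{
        Check   = 'APAS-CF-000930'
        Path    = $HfUpdatesPath
        Status  = $status
        Backups = $dirs
    }
}

$result = Test-CFUpdateBackups
$result | Select-Object Check, Path, Status | Format-List
$result.Backups | Format-Table -AutoSize
```

The script only reports, so the decision to remove a directory stays with the SA once the update has been tested, as the note in the check requires.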
Fix Text
Remove Update Backups.

1. Navigate to C:\ColdFusion2023\cfusion\hf-updates.
2. Remove any backups from hf-updates.
Additional Identifiers
Rule ID: SV-279099r1172837_rule
Vulnerability ID: V-279099
Group Title: SRG-APP-000454-AS-000268
CCIs
| Number | Definition |
|---|---|
| CCI-002617 | Remove previous versions of organization-defined software components after updated versions have been installed. |
Controls
| Number | Title |
|---|---|
| SI-2(6) | Removal of Previous Versions of Software and Firmware |