Check: APAS-CF-000510
Adobe ColdFusion STIG: APAS-CF-000510 (in version v1 r1)
Title
ColdFusion must have the Tomcat DefaultServlet debug parameter disabled. (Cat II impact)
Discussion
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages must be carefully considered by the organization and development team. The release of Tomcat that comes with ColdFusion can be configured to output Tomcat-specific debug messages. If left enabled, these settings can expose sensitive data within error and log messages.
Check Content
Review the debug parameter for the DefaultServlet and verify it is disabled.

1. Locate the web.xml file for each ColdFusion instance at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Open the web.xml file in a text editor.
3. Search for the following servlet definition:

```xml
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
```

4. Within this block, locate the <init-param> with the <param-name>debug</param-name> element.
5. Verify the corresponding <param-value> is set to 0. For example:

```xml
<init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
</init-param>
```

If the debug parameter is set to any value other than 0, or is not explicitly defined, this is a finding.
Fix Text
Configure DefaultServlet to disable debug output.

1. Open the web.xml file located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Locate the DefaultServlet definition and ensure the debug parameter is set as follows:

```xml
<init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
</init-param>
```

3. Save the changes and restart ColdFusion to apply the configuration.
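The Check Content and Fix Text above describe a manual inspection of web.xml. The script below is an added example (not part of the STIG or of Adobe's or Tomcat's tooling) that automates both steps against the web.xml text: `check_debug_param` reports a finding when the DefaultServlet `debug` init-param is missing or not `0`, and `set_debug_param_to_zero` applies the fix, inserting the `<init-param>` block when it is absent. It assumes the servlet definition quoted in the check (a `<servlet>` whose class is `org.apache.catalina.servlets.DefaultServlet`); the sample web.xml documents produced by `sample_web_xml` are constructed for illustration and are not taken from a ColdFusion installation.

```python
"""APAS-CF-000510: audit and remediate the Tomcat DefaultServlet debug parameter.

Added example. The web.xml samples are constructed, not copied from ColdFusion.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip an XML namespace: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _ns_uri(root):
    """Namespace URI declared on the document root ('' when none)."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _qname(root, name):
    """Qualify a new element's tag with the root namespace so it matches."""
    uri = _ns_uri(root)
    return "{%s}%s" % (uri, name) if uri else name


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _find_default_servlet(root):
    """Return the <servlet> element whose class is DefaultServlet, else None."""
    for elem in root.iter():
        if _local(elem.tag) == "servlet" and \
                _child_text(elem, "servlet-class") == DEFAULT_SERVLET_CLASS:
            return elem
    return None


def _find_init_param(servlet, name):
    """Return the <init-param> child whose <param-name> is `name`, else None."""
    for ip in servlet:
        if _local(ip.tag) == "init-param" and _child_text(ip, "param-name") == name:
            return ip
    return None


def check_debug_param(web_xml_text):
    """Apply the check: (is_finding, detail). Absent or non-zero debug is a finding."""
    root = ET.fromstring(web_xml_text)
    servlet = _find_default_servlet(root)
    if servlet is None:
        return True, "DefaultServlet definition not found; debug parameter not explicitly defined"
    param = _find_init_param(servlet, "debug")
    if param is None:
        return True, "debug parameter not explicitly defined"
    value = _child_text(param, "param-value")
    if value != "0":  # the STIG requires the literal value 0
        return True, "debug parameter set to %r" % value
    return False, "debug parameter set to 0"


def set_debug_param_to_zero(web_xml_text):
    """Apply the fix: return web.xml text with the debug init-param forced to 0.

    A missing <init-param> is inserted after the last existing init-param (or
    after <servlet-class>) so schema element order is preserved.
    """
    root = ET.fromstring(web_xml_text)
    uri = _ns_uri(root)
    if uri:
        ET.register_namespace("", uri)  # serialize without an ns0: prefix
    servlet = _find_default_servlet(root)
    if servlet is None:
        raise ValueError("DefaultServlet definition not found")
    param = _find_init_param(servlet, "debug")
    if param is None:
        insert_at = 0
        for i, child in enumerate(servlet):
            if _local(child.tag) in ("servlet-class", "init-param"):
                insert_at = i + 1
        param = ET.Element(_qname(root, "init-param"))
        ET.SubElement(param, _qname(root, "param-name")).text = "debug"
        ET.SubElement(param, _qname(root, "param-value")).text = "0"
        servlet.insert(insert_at, param)
    else:
        for child in param:
            if _local(child.tag) == "param-value":
                child.text = "0"
    return ET.tostring(root, encoding="unicode")


def sample_web_xml(debug_value=None):
    """Constructed sample web.xml; debug_value=None omits the debug init-param."""
    debug_block = "" if debug_value is None else (
        "    <init-param>\n      <param-name>debug</param-name>\n"
        "      <param-value>%s</param-value>\n    </init-param>\n" % debug_value)
    return (
        '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
        "  <servlet>\n    <servlet-name>default</servlet-name>\n"
        "    <servlet-class>%s</servlet-class>\n%s"
        "    <init-param>\n      <param-name>listings</param-name>\n"
        "      <param-value>false</param-value>\n    </init-param>\n"
        "    <load-on-startup>1</load-on-startup>\n  </servlet>\n</web-app>\n"
        % (DEFAULT_SERVLET_CLASS, debug_block))


if __name__ == "__main__":
    for label, xml in (("debug=0", sample_web_xml("0")),
                       ("debug=11", sample_web_xml("11")),
                       ("missing", sample_web_xml())):
        print(label, check_debug_param(xml))
    print("after fix", check_debug_param(set_debug_param_to_zero(sample_web_xml())))
```

To run it against a real instance, pass the contents of `<ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml` to `check_debug_param`, and write the string returned by `set_debug_param_to_zero` back to the file before restarting ColdFusion as the Fix Text requires.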
Additional Identifiers
Rule ID: SV-279071r1171608_rule
Vulnerability ID: V-279071
Group Title: SRG-APP-000266-AS-000169
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001312 | Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited. |
Controls
| Number | Title |
|---|---|
| SI-11 | Error Handling |