Check: APAS-CF-000875
Adobe ColdFusion STIG, version v1 r1
Title
ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS). (Cat I impact)
Discussion
LDAP is commonly used for accessing and maintaining distributed directory information services. When LDAP authentication is performed without encryption, sensitive information such as usernames and passwords is transmitted in clear text, making it vulnerable to interception and unauthorized access. By using TLS to secure LDAP authentication, the data transmitted between the client and the LDAP server is encrypted, ensuring the confidentiality and integrity of the authentication process. This practice helps protect against eavesdropping, man-in-the-middle attacks, and other security threats, thereby enhancing the overall security of the ColdFusion server and the applications it hosts. Regularly verifying and enforcing the use of TLS for LDAP authentication is essential for maintaining a secure server environment.
Check Content
Verify LDAP is configured for TLS.
1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. Click "Edit LDAP Configuration".
If "SSL/TLS" is not enabled, this is a finding.
Fix Text
Configure LDAP for TLS.
1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. Click "Edit LDAP Configuration".
3. Enable the "SSL/TLS" setting.
4. Select "Save".
5. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279093r1171053_rule
Vulnerability ID: V-279093
Group Title: SRG-APP-000439-AS-000155
CCIs
| Number | Definition |
|---|---|
| CCI-002418 | Protect the confidentiality and/or integrity of transmitted information. |
Controls
| Number | Title |
|---|---|
| SC-8 | Transmission Confidentiality and Integrity |