Check: APAS-CF-000845
Adobe ColdFusion STIG: APAS-CF-000845 (in version v1 r1)
Title
ColdFusion must set a nonzero timeout for web services. (Cat II impact)
Discussion
Setting a nonzero timeout for web services is crucial to prevent indefinite waiting periods that can lead to resource exhaustion and potential denial-of-service (DoS) attacks. Without a timeout, web services may hang indefinitely, consuming server resources and potentially causing ColdFusion to become unresponsive. By configuring a nonzero timeout, the server can terminate stalled web service requests, ensuring that resources are freed up and the server remains available to handle new requests efficiently.
Check Content
Verify web services timeout.

1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services.
2. For each Active ColdFusion Web Services:
   a. Click "Edit".
   b. Review the "Timeout" for each of the "Active ColdFusion Web Services" entries.

If any of the timeout values are set to 0, this is a finding.
Fix Text
Configure web services timeout.

1. From the Admin Console Landing Screen, navigate to Data & Services >> Web Services.
2. For each Active ColdFusion Web Services:
   a. Click "Edit".
   b. Set the "Timeout" setting to a duration appropriate for the service.
   c. Select "Update Web Service".
Additional Identifiers
Rule ID: SV-279091r1171452_rule
Vulnerability ID: V-279091
Group Title: SRG-APP-000435-AS-000163
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |