Check: APAS-CF-000260
Adobe ColdFusion STIG:
APAS-CF-000260
(in version v1 r1)
Title
ColdFusion must be configured with autoDeploy disabled. (Cat III impact)
Discussion
ColdFusion uses Tomcat for HTTP and AJP connectivity. When autoDeploy is enabled on a <Host>, Tomcat periodically scans that Host's appBase directory while the server is running, automatically deploys any new WAR file or application directory it finds there, and redeploys applications whose deployment descriptors change. Anyone able to write to that directory can therefore get untested or malicious code loaded into production without an administrator's involvement. AutoDeploy must be disabled in production. This requirement is NA for test and development systems on nonproduction networks.
Check Content
Review the autoDeploy configuration in server.xml.
1. Locate the server.xml file. For each ColdFusion instance, navigate to:
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
(use forward slashes on Linux)
2. Open server.xml in a text editor.
3. Search for all <Host> elements.
4. Inspect each <Host> element for the autoDeploy attribute.
If any <Host> element has autoDeploy="true", this is a finding.
Note: Tomcat's default for autoDeploy is true, so a <Host> element that omits the attribute entirely is still auto-deploying. Treat a missing attribute as needing remediation and require an explicit autoDeploy="false" on every <Host>.
Fix Text
Disable autoDeploy in server.xml.
1. Locate the server.xml file. For each ColdFusion instance, navigate to:
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Before making any changes, create a backup copy of the file.
Windows example: copy server.xml server.xml.bak
Linux example: cp server.xml server.xml.bak
3. Open server.xml in a text editor with administrative privileges.
4. Locate all <Host> elements with autoDeploy="true", and any <Host> element with no autoDeploy attribute (Tomcat defaults it to true).
5. Set autoDeploy="false" on every <Host> element, adding the attribute where it is absent rather than relying on the default.
6. Restart ColdFusion to apply the configuration changes.
7. Confirm that the ColdFusion services started successfully.
8. Reopen server.xml to confirm that autoDeploy="false" is set for all <Host> elements.
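As an added example (not part of the STIG text or of Adobe's own tooling), the following Python script carries out the Check Content and Fix Text above against a constructed sample server.xml. It reports every <Host> with autoDeploy="true" (the STIG finding), separately reports Hosts that omit the attribute (Tomcat's default for autoDeploy is true, so those auto-deploy as well), and can back up the file and rewrite it with an explicit autoDeploy="false" on every Host. The sample XML, the script's file name, and the function names are illustrative assumptions; the rewrite edits the raw text so the XML declaration, comments and layout of a real server.xml survive.

```python
"""Audit and remediate the autoDeploy attribute on every <Host> in a
Tomcat-style server.xml, following the APAS-CF-000260 check and fix."""
import re
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not a real ColdFusion server.xml): one Host with
# autoDeploy explicitly enabled, one disabled, one with no attribute at all.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <!-- constructed sample, trimmed to the elements relevant to this check -->
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
      <Host name="intranet" appBase="intranet" unpackWARs="true" autoDeploy="false">
      </Host>
      <Host name="legacy" appBase="legacy" unpackWARs="true"/>
    </Engine>
  </Service>
</Server>
"""

# Start tag of a Host element only (the \b keeps <HostConfig> etc. out).
HOST_START_TAG = re.compile(r"<Host\b[^>]*>")
AUTODEPLOY_ATTR = re.compile(r"""\bautoDeploy\s*=\s*(["'])[^"']*\1""")


def audit_hosts(xml_text):
    """Return (explicit_true, missing): names of Hosts that auto-deploy.

    explicit_true -> autoDeploy="true": a finding under APAS-CF-000260.
    missing       -> no autoDeploy attribute. Tomcat defaults it to true, so
                     these Hosts auto-deploy too, although the STIG's check
                     text only names the explicit "true" case.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    explicit_true, missing = [], []
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        value = host.get("autoDeploy")
        if value is None:
            missing.append(name)
        elif value.strip().lower() == "true":
            explicit_true.append(name)
    return explicit_true, missing


def disable_autodeploy(xml_text):
    """Return xml_text with autoDeploy="false" set explicitly on every Host.

    Edits the raw text rather than re-serialising through ElementTree so the
    XML declaration, comments and formatting of the file survive untouched.
    """
    def fix_tag(match):
        tag = match.group(0)
        if AUTODEPLOY_ATTR.search(tag):
            return AUTODEPLOY_ATTR.sub('autoDeploy="false"', tag)
        # Attribute absent: add it just before the closing ">" or "/>".
        return re.sub(r"\s*(/?>)$", r' autoDeploy="false"\1', tag)

    return HOST_START_TAG.sub(fix_tag, xml_text)


def remediate_file(path):
    """Back up server.xml (step 2 of the Fix Text) and rewrite it in place.

    Returns the backup path. Restart ColdFusion afterwards and re-run
    audit_hosts() on the new file; a compliant file returns ([], []).
    """
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(disable_autodeploy(path.read_text(encoding="utf-8")),
                    encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Usage (assumed file name): python autodeploy_check.py [server.xml] [--fix]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = Path(args[0]).read_text(encoding="utf-8") if args else SAMPLE_SERVER_XML
    explicit, missing = audit_hosts(text)
    for name in explicit:
        print(f'FINDING: Host "{name}" has autoDeploy="true"')
    for name in missing:
        print(f'WARNING: Host "{name}" omits autoDeploy (Tomcat default is true)')
    if not explicit and not missing:
        print('OK: every Host has autoDeploy="false"')
    if "--fix" in sys.argv and args:
        print("backup written to", remediate_file(args[0]))
```

Run without arguments to see the audit of the embedded sample; pass the path to a real server.xml to audit it, and add --fix to back it up and rewrite it. The rewrite is idempotent, so running it twice leaves the file unchanged, and re-running the audit on the fixed file is the "reopen server.xml to confirm" step in the Fix Text.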
Additional Identifiers
Rule ID: SV-279049r1171519_rule
Vulnerability ID: V-279049
Group Title: SRG-APP-000141-AS-000095
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |