Check: APAS-CF-000250
Adobe ColdFusion STIG (version v1 r1)
Title
ColdFusion must have only approved Tomcat connectors enabled. (Cat III impact)
Discussion
Tomcat connectors define how ColdFusion communicates with clients and other services, typically over HTTP, HTTPS, or AJP protocols. Enabling unnecessary or unapproved connectors increases the attack surface and may expose the server to vulnerabilities associated with those protocols. To minimize risk, only approved and secure Tomcat connectors should be enabled in ColdFusion. All others must be disabled or removed from the configuration. This reduces the number of potential entry points for an attacker and helps enforce the principle of least functionality.
Check Content
Review the SSP for the list of approved connectors and their associated TCP/IP ports. Verify only approved connectors are present.
1. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Open the server.xml file in a text editor. Locate the "Connector" tags that are not commented out.
3. Verify all connectors and their associated network ports are approved in the system security plan (SSP).
If connectors are found but are not approved in the SSP, this is a finding.
Fix Text
1. Obtain information system security officer (ISSO) approvals for the configured connectors and document them in the SSP.
2. Locate the server.xml file. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
3. Create a backup of this file.
4. Edit the file and remove any unapproved connectors by deleting the "Connector" tag or using XML syntax to comment out the configuration. XML comment syntax starts with <!-- and ends with -->
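The check above boils down to "list every Connector that is still live in server.xml and compare it with the SSP". The script below is an added example, not part of the STIG or of Adobe's own tooling; it parses a server.xml, ignores connectors that have been commented out (ElementTree drops XML comments while parsing, so a connector wrapped in <!-- ... --> never appears in the tree), and reports any (protocol, port) pair that is not in an approval list. The server.xml content and the APPROVED_CONNECTORS set are constructed for illustration; a real audit would read the instance's server.xml and take the approved list from the SSP.

```python
"""Audit live Tomcat <Connector> elements in a ColdFusion server.xml against an SSP approval list.

Added example for the APAS-CF-000250 check; not part of the STIG or of ColdFusion.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of cfusion/runtime/conf/server.xml.
# Ports and protocols are illustrative, not taken from any real deployment.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8014" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Hypothetical SSP approval list: (protocol attribute, port) pairs the ISSO signed off on.
APPROVED_CONNECTORS = {
    ("org.apache.coyote.http11.Http11NioProtocol", 8500),
}


def active_connectors(server_xml):
    """Return a list of (protocol, port) for every Connector that is not commented out.

    ElementTree discards comments, so <Connector> tags inside <!-- --> are never
    visited, which matches step 2 of the check ("tags that are not commented out").
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        port = int(conn.get("port", "0"))
        found.append((protocol, port))
    return found


def unapproved_connectors(server_xml, approved):
    """Connectors present in server.xml but absent from the SSP approval list."""
    return [c for c in active_connectors(server_xml) if c not in approved]


def is_finding(server_xml, approved):
    """True when at least one live connector is not approved (the STIG's finding condition)."""
    return bool(unapproved_connectors(server_xml, approved))


def audit_file(path, approved):
    """Read a real server.xml from disk and return its unapproved connectors."""
    with open(path, encoding="utf-8") as fh:
        return unapproved_connectors(fh.read(), approved)


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run against the constructed sample.
    if len(sys.argv) > 1:
        bad = audit_file(sys.argv[1], APPROVED_CONNECTORS)
    else:
        bad = unapproved_connectors(SAMPLE_SERVER_XML, APPROVED_CONNECTORS)
    for protocol, port in bad:
        print(f"FINDING: unapproved connector protocol={protocol} port={port}")
    print("No finding." if not bad else f"{len(bad)} unapproved connector(s).")
```

Run it with the path to each instance's server.xml after filling APPROVED_CONNECTORS from the SSP; any line beginning with FINDING corresponds to a connector that must either be added to the SSP with ISSO approval or removed per the Fix Text. The commented-out AJP connector on 8009 in the sample is correctly not reported, while the live AJP connector on 8014 is.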
Additional Identifiers
Rule ID: SV-279047r1171513_rule
Vulnerability ID: V-279047
Group Title: SRG-APP-000141-AS-000095
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |