Check: APAS-CF-000035
Adobe ColdFusion STIG:
APAS-CF-000035
(in version v1 r1)
Title
ColdFusion must require enforced authentication. (Cat II impact)
Discussion
ColdFusion must require each authorized user to authenticate with an individual user name and password rather than allowing multiple administrators to share a single password. Without enforced per-user authentication, there is no reliable method to verify the identity of users accessing the ColdFusion Administrator Console or other secured components of the application server, and administrative actions cannot be attributed to a specific individual. This lack of accountability can allow unauthorized users to gain elevated privileges, make unauthorized changes, or conceal malicious activity. Requiring a distinct user name and password for each user supports least privilege and non-repudiation and ensures that access to sensitive configuration and management functions is appropriately controlled.
Check Content
1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. If "Separate user name and password authentication (allows multiple users)" is not selected, this is a finding.
Fix Text
1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. Select "Separate user name and password authentication (allows multiple users)".
3. Select "Submit Changes".
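The check above is performed in the Administrator GUI. For auditing many instances it is useful to evaluate the same setting offline from the instance's security configuration file. The script below is an added example and is not part of the STIG or of Adobe's tooling; it assumes that the file (neo-security.xml under the instance's lib directory) is a WDDX packet whose boolean vars include admin.security.enabled (false for "No authentication needed") and admin.userid.required (true for "Separate user name and password authentication", false for "Use a single password only"). Those two key names are assumptions to confirm against the target's actual file; the sample packets are constructed for the example.

```python
"""Offline audit for APAS-CF-000035 (added example, not STIG or Adobe code).

Assumption: neo-security.xml is a WDDX packet containing boolean vars named
'admin.security.enabled' and 'admin.userid.required'. Verify the key names
against the real file before relying on this in an assessment.
"""
import xml.etree.ElementTree as ET

# Constructed sample: authentication enabled but a single shared password
# ("Use a single password only"). This is a finding.
SAMPLE_SINGLE_PASSWORD = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='true'/></var>
<var name='admin.userid.required'><boolean value='false'/></var>
<var name='rds.security.enabled'><boolean value='true'/></var>
</struct></data></wddxPacket>"""

# Constructed sample: per-user authentication enabled. Not a finding.
SAMPLE_SEPARATE_USERS = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='true'/></var>
<var name='admin.userid.required'><boolean value='true'/></var>
<var name='rds.security.enabled'><boolean value='true'/></var>
</struct></data></wddxPacket>"""

# Constructed sample: authentication disabled entirely. Also a finding.
SAMPLE_NO_AUTH = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='false'/></var>
<var name='admin.userid.required'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def load_booleans(xml_text):
    """Return {var name: bool} for every <var> holding a <boolean> child.

    The file is a local, trusted configuration file, so the standard-library
    parser is acceptable here; use defusedxml if the input could be hostile.
    """
    root = ET.fromstring(xml_text)
    settings = {}
    for var in root.iter("var"):
        boolean = var.find("boolean")
        if boolean is not None:
            settings[var.get("name")] = boolean.get("value", "").lower() == "true"
    return settings


def admin_auth_mode(settings):
    """Map the two flags onto the three Administrator authentication modes.

    Missing keys are treated as false, i.e. the weaker setting, so that an
    unexpected file layout fails closed (reported as a finding) rather than
    silently passing.
    """
    if not settings.get("admin.security.enabled", False):
        return "none"          # "No authentication needed"
    if settings.get("admin.userid.required", False):
        return "separate"      # "Separate user name and password authentication"
    return "single"            # "Use a single password only"


def check(xml_text):
    """Return (mode, finding). Only per-user authentication satisfies the check."""
    mode = admin_auth_mode(load_booleans(xml_text))
    return mode, mode != "separate"


def check_file(path):
    """Convenience wrapper for a real neo-security.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return check(fh.read())


if __name__ == "__main__":
    for label, packet in (("single password", SAMPLE_SINGLE_PASSWORD),
                          ("separate users", SAMPLE_SEPARATE_USERS),
                          ("no auth", SAMPLE_NO_AUTH)):
        mode, finding = check(packet)
        print(f"{label:15s} mode={mode:9s} finding={finding}")
```

Because the check fails closed, an instance whose file lacks the expected keys is reported as a finding and should then be verified manually in the Administrator GUI as described in the check content.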
Additional Identifiers
Rule ID: SV-279032r1171325_rule
Vulnerability ID: V-279032
Group Title: SRG-APP-000080-AS-000045
CCIs
| Number | Definition |
|---|---|
| CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation. |
Controls
| Number | Title |
|---|---|
| AU-10 | Non-repudiation |