Check: APAS-CF-000420
Adobe ColdFusion STIG: APAS-CF-000420 (in version v1 r1)
Title
The ColdFusion Administrator Console must be hosted on a management network. (Cat II impact)
Discussion
ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the hosted application environment enforces a strong security boundary, requiring users to authenticate with privileged credentials before gaining access to management functionality. This separation ensures that nonprivileged users—such as application users—are not presented with administrative interfaces or options, effectively reducing the attack surface and minimizing the potential for privilege escalation. Restricting visibility into administrative functions also limits the exposure of sensitive configuration details. In the event a nonprivileged account is compromised, the attacker gains no insight into ColdFusion's management features or internal architecture, impeding reconnaissance efforts and slowing down the progression of an attack. Hosting the Administrator Console on a dedicated management network ensures the console is accessible only from authorized administrative devices, isolates it from the application traffic and users, and reduces the risk of accidental exposure. Management networks also enforce encryption and strict access controls, providing additional protection against data leakage and unauthorized access to ColdFusion's administrative interface.
Check Content
Access the Administrator Console via a web browser. Record the IP address used to reach the console. Review the network diagram for the site to verify that this IP address belongs to a dedicated management network that is segmented from any public or production networks. If the Administrator Console is not hosted on a management network separate from the public network, this is a finding.
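The check above is a manual procedure: note the address used to reach the console, then confirm on the network diagram that it belongs to a segmented management network. The script below is an added example, not part of the STIG text or of Adobe's product, that automates the address-membership half of that check. The management CIDRs, the hostnames, the DNS answers and the finding wording are all constructed for the example; in a real assessment the CIDRs come from the site's network diagram and the resolver would be a live DNS lookup. The `/CFIDE/administrator/` path is ColdFusion's default console path and is used only as a realistic sample URL.

```python
"""
Added example for APAS-CF-000420: decide whether the address used to reach
the ColdFusion Administrator Console falls inside an approved management
network.  Everything below that looks site-specific is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: management network ranges taken from a (hypothetical)
# site network diagram.  Both address families are covered.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.250.0.0/24"),
    ipaddress.ip_network("fd00:a:b::/64"),
]

# Constructed stand-in for DNS so the example runs offline.  A live check
# would call socket.gethostbyname(host) or socket.getaddrinfo(host, None).
SAMPLE_DNS = {
    "cfadmin.mgmt.example.internal": "10.250.0.17",
    "www.example.com": "203.0.113.10",
}


def sample_resolver(host):
    """Map a hostname to an IP string using the constructed table above."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise LookupError(f"no sample DNS record for {host!r}")


def console_ip_from_url(url, resolver):
    """Return the IP address (as an ipaddress object) used to reach `url`.

    If the URL already carries a literal IPv4/IPv6 address it is used as-is;
    otherwise the injected `resolver` is asked.  Injecting the resolver keeps
    the check testable and lets the assessor record exactly which answer
    was used when the finding is written up.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"URL has no host component: {url!r}")
    try:
        return ipaddress.ip_address(host)      # literal address in the URL
    except ValueError:
        return ipaddress.ip_address(resolver(host))


def on_management_network(ip, networks=MANAGEMENT_NETWORKS):
    """True when `ip` is inside at least one approved management CIDR.

    ipaddress refuses cross-family membership (an IPv4 address is never
    'in' an IPv6 network), so mixed lists are safe.
    """
    return any(ip in net for net in networks)


def evaluate(url, resolver=sample_resolver, networks=MANAGEMENT_NETWORKS):
    """Evaluate one console URL and return a small result record.

    `finding` is True when the console address is NOT on a management
    network, mirroring the STIG's 'this is a finding' outcome.
    """
    ip = console_ip_from_url(url, resolver)
    managed = on_management_network(ip, networks)
    return {
        "url": url,
        "ip": str(ip),
        "finding": not managed,
        "note": ("console reached via management network"
                 if managed else
                 "console reachable at a non-management address"),
    }


if __name__ == "__main__":
    # Constructed sample URLs; the second one is reachable on a public
    # address and therefore produces a finding.
    for u in (
        "https://cfadmin.mgmt.example.internal/CFIDE/administrator/index.cfm",
        "https://www.example.com/CFIDE/administrator/index.cfm",
        "http://10.250.0.5:8500/CFIDE/administrator/",
    ):
        r = evaluate(u)
        print(f"{'FINDING' if r['finding'] else 'ok     '}  {r['ip']:<16} {r['note']}")
```

Two caveats for anyone adapting this: address membership is only half the check. A CIDR can be labelled "management" on paper and still be routable from production or user VLANs, so the diagram review (and ideally a reachability test from a non-management host) is still required before closing the item. Also resolve and test from the same vantage point an administrator actually uses; a split-horizon DNS answer from the wrong network will make the console look correctly placed when it is not.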
Fix Text
Host the ColdFusion Administrator Console on a management network.
Additional Identifiers
Rule ID: SV-279064r1171544_rule
Vulnerability ID: V-279064
Group Title: SRG-APP-000211-AS-000146
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |
Controls
| Number | Title |
|---|---|
| SC-2 | Separation of System and User Functionality |