Check: APAS-CF-000425
Adobe ColdFusion STIG, version v1 r1
Title
ColdFusion must have sandboxes enabled and defined. (Cat II impact)
Discussion
ColdFusion consists of two distinct components: the Administrator Console and the hosted applications. Separating these components is essential for enforcing strict access control and limiting exposure of administrative functionality. By requiring privileged authentication to access the Administrator Console, ColdFusion ensures that nonprivileged users cannot view or interact with system-level management features. This prevents unauthorized users from gaining insight into administrative capabilities or system configurations, reducing the risk of privilege escalation or targeted attacks.

Isolating the Administrator Console within its own sandboxed environment further strengthens security by preventing hosted applications from accessing, reusing, or modifying administrative objects or code. This containment ensures that management operations and configuration data are protected from unintended or malicious interaction by hosted application processes. In the event a hosted application is compromised, this isolation prevents the attacker from pivoting into the administrative layer of the application server.

This architecture enforces proper input validation and access control between application tiers and components, helping prevent unauthorized access to privileged functions, configuration data, or sensitive objects. It supports a layered defense model by limiting trust boundaries and reducing the likelihood of administrative compromise due to application-level vulnerabilities.

Satisfies: SRG-APP-000211-AS-000146, SRG-APP-000516-AS-000237
Check Content
Verify Sandbox Security.
1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.
2. The Administrator Console must have a sandbox separate from the other hosted applications. If there is no sandbox implemented for the Administrator Console, this is a finding.
3. Sandboxes must be set up for all other hosted applications. If there are no sandboxes implemented for the other hosted applications, this is a finding.
If the "Enable ColdFusion Sandbox Security" option is not checked, this is a finding.
Fix Text
Configure Sandbox Security.
1. From the Admin Console Landing Screen, navigate to Server Security >> Sandbox Security.
2. Check the "Enable ColdFusion Sandbox Security" option.
3. Create sandboxes for the hosted applications.
4. Create a sandbox for the Administrator Console.
5. Select "Submit Changes".
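An added example (not part of the STIG or of Adobe's tooling) that expresses the three Check Content conditions as an automated test over an exported sandbox configuration, so the check can be repeated outside the Admin Console. The WDDX-style layout, the variable names sbs.security.enabled and sbs.security.sandboxes, and the /CFIDE/administrator path are assumptions; verify them against your installation's neo-security.xml before relying on the script.

```python
"""Evaluate APAS-CF-000425 against an exported sandbox configuration.

Added example, not part of the STIG. The sample below and the var names
'sbs.security.enabled' / 'sbs.security.sandboxes' are CONSTRUCTED to mirror
the three conditions in the Check Content; confirm them against your own
ColdFusion neo-security.xml before use."""
import xml.etree.ElementTree as ET

# Assumed path of the Administrator Console's own sandbox.
ADMIN_CONSOLE_DIR = "/CFIDE/administrator"

# Constructed sample export: sandbox security on, one admin sandbox,
# one hosted-application sandbox (a compliant configuration).
SAMPLE_CONFIG = """<wddxPacket version='1.0'><header/><data><struct>
<var name='sbs.security.enabled'><boolean value='true'/></var>
<var name='sbs.security.sandboxes'><array length='2'>
<string>/CFIDE/administrator</string>
<string>/opt/coldfusion/wwwroot/apps/orders</string>
</array></var>
</struct></data></wddxPacket>"""


def parse_sandbox_config(xml_text):
    """Return (enabled, [sandbox directories]) from the assumed WDDX layout."""
    root = ET.fromstring(xml_text)
    enabled, sandboxes = False, []
    for var in root.iter("var"):
        name = var.get("name")
        if name == "sbs.security.enabled":
            flag = var.find("boolean")
            enabled = flag is not None and flag.get("value", "").lower() == "true"
        elif name == "sbs.security.sandboxes":
            sandboxes = [s.text.strip() for s in var.iter("string") if s.text]
    return enabled, sandboxes


def check_apas_cf_000425(enabled, sandboxes, admin_dir=ADMIN_CONSOLE_DIR):
    """Return the list of findings; an empty list means the check passes."""
    findings = []
    if not enabled:
        findings.append('"Enable ColdFusion Sandbox Security" is not checked')
    dirs = {d.rstrip("/") for d in sandboxes}
    admin = admin_dir.rstrip("/")
    if admin not in dirs:
        findings.append("no sandbox defined for the Administrator Console")
    if not (dirs - {admin}):  # every sandbox other than the admin one is an app sandbox
        findings.append("no sandboxes defined for hosted applications")
    return findings


if __name__ == "__main__":
    print(check_apas_cf_000425(*parse_sandbox_config(SAMPLE_CONFIG)) or "compliant")
```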
Additional Identifiers
Rule ID: SV-279065r1171383_rule
Vulnerability ID: V-279065
Group Title: SRG-APP-000211-AS-000146
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
| CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |