Check: APAS-CF-000740
Adobe ColdFusion STIG:
APAS-CF-000740
(in version v1 r1)
Title
ColdFusion must limit the maximum number of threads available for CFTHREAD. (Cat II impact)
Discussion
Denial of Service (DoS) is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the likelihood or impact of a DoS, ColdFusion must employ defined security safeguards. These safeguards are determined by where ColdFusion is placed and by the type of applications being hosted within the ColdFusion framework. The CFTHREAD service allows a programmer to create threads of code that execute independently. If this feature is in use, the maximum number of threads should be tuned: if set too high, the server may spend excessive time context-switching between threads. When this feature is not in use, the maximum number of threads must be 1.
Check Content
Verify that CFTHREAD settings are appropriately configured when threading is not used by hosted applications.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
2. Confirm with the administrator whether any hosted applications are using CFTHREAD for multithreading. If CFTHREAD is in use, this is not a finding.
3. If CFTHREAD is not used, verify that "Maximum number of threads available for CFTHREAD" is set to "1" to effectively disable threading.

If CFTHREAD is not used, and the "Maximum number of threads available for CFTHREAD" is set to a value other than "1", this is a finding.
Fix Text
Configure CFTHREAD settings.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Request Tuning.
2. Set "Maximum number of threads available for CFTHREAD" to "1" to disable unnecessary threading.
3. Click "Submit Changes".
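The check above is written for the Administrator console. As an added example that is not part of the STIG text or Adobe's own tooling, the following Python reads the setting from a ColdFusion runtime configuration file and applies the same decision logic, so the check can be scripted across many instances. It assumes the file is in the WDDX `<struct>`/`<var>` layout ColdFusion uses for `neo-runtime.xml`; the variable name `cfthreadpool` used here is an assumed placeholder for the "Maximum number of threads available for CFTHREAD" setting and must be confirmed against the actual file on your instance before use. The sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the WDDX layout ColdFusion uses for neo-runtime.xml.
# The var name "cfthreadpool" is an ASSUMED placeholder for the
# "Maximum number of threads available for CFTHREAD" setting; verify the
# real name on your instance before relying on this script.
SAMPLE_NEO_RUNTIME = """<wddxPacket version='1.0'>
<header/>
<data>
<struct type='coldfusion.server.ConfigMap'>
<var name='cfthreadpool'><number>10.0</number></var>
<var name='requestLimit'><number>25.0</number></var>
</struct>
</data>
</wddxPacket>"""

SETTING_NAME = "cfthreadpool"  # assumed placeholder, see comment above


def read_setting(xml_text, name):
    """Return the integer value of the named WDDX <var>, or None if absent.
    WDDX stores numbers as floats ("10.0"), so parse via float first."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == name:
            num = var.find("number")
            if num is None or num.text is None:
                return None
            return int(float(num.text.strip()))
    return None


def evaluate(max_threads, cfthread_in_use):
    """Apply the STIG decision logic.

    Returns (status, reason) where status is one of
    "not a finding", "finding", or "manual review".
    """
    if cfthread_in_use:
        # Step 2 of the check: applications use CFTHREAD, so any tuned
        # value is acceptable under this check.
        return ("not a finding", "CFTHREAD is in use by hosted applications")
    if max_threads is None:
        # The setting could not be located; do not guess, ask for a manual
        # look at Server Settings >> Request Tuning in the console.
        return ("manual review", "setting not found in configuration file")
    if max_threads == 1:
        return ("not a finding", "CFTHREAD not in use and maximum is 1")
    return ("finding",
            "CFTHREAD not in use but maximum is %d, expected 1" % max_threads)


def check_config(xml_text, cfthread_in_use, name=SETTING_NAME):
    """Read the setting from the XML text and evaluate it."""
    return evaluate(read_setting(xml_text, name), cfthread_in_use)


if __name__ == "__main__":
    # Constructed run: the sample has 10 threads configured and no
    # application uses CFTHREAD, so this reports a finding.
    status, reason = check_config(SAMPLE_NEO_RUNTIME, cfthread_in_use=False)
    print("%s: %s" % (status, reason))
```

The "CFTHREAD in use" input is deliberately a parameter rather than something the script infers: the STIG makes that determination an administrator confirmation (step 2), and the only honest automated output when the setting cannot be found is "manual review", not a pass.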
Additional Identifiers
Rule ID: SV-279080r1171402_rule
Vulnerability ID: V-279080
Group Title: SRG-APP-000435-AS-000163
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |