Check: APAS-CF-000745
Adobe ColdFusion STIG, version v1 r1
Title
ColdFusion must limit the maximum number of Web Service requests. (Cat II impact)
Discussion
Unrestricted web service request handling in ColdFusion can lead to resource exhaustion, degraded performance, or denial-of-service (DoS) conditions. Web services are common targets for automated attacks, excessive load, or abuse through scripted queries and recursive payloads. If there is no limit on the number of web service requests a ColdFusion server will process concurrently, an attacker may overwhelm system resources such as memory, CPU, or network bandwidth, leading to service disruption. Limiting the number of web service requests the server handles at once helps enforce resource control, prevent abuse, and maintain application availability, and it allows ColdFusion to keep serving other request types under heavy load. The Request Tuning setting this check targets caps the number of web service requests processed simultaneously; requests above that cap are queued rather than refused outright, so it bounds resource consumption on the server rather than rate-limiting an individual client or time interval (per-client or per-interval limits belong in a front-end proxy or WAF). Where no hosted application publishes web services at all, reducing the cap to its minimum also removes idle capacity that serves no operational purpose. Constraining application functionality to what operational requirements actually need reduces the attack surface and aligns with secure configuration practice.
Check Content
Determine Web Services usage.

1. Interview the system administrator (SA) and/or review any of the following documentation:
   - Hosted application source code.
   - Hosted application design documentation.
   - Published web services design documentation.
   - ColdFusion baseline documentation.
2. Confirm whether Web Services are published by any hosted applications. If Web Services are being published, this requirement is not a finding.
3. If Web Services are not being published, from the Admin Console landing screen, navigate to Server Settings >> Request Tuning.
4. Locate the "Maximum number of simultaneous Web Service requests" setting and verify the value is set to "1".

If Web Services are not in use and the value is not set to "1", this is a finding.
Fix Text
Configure Web Services usage.

1. From the Admin Console landing screen, navigate to Server Settings >> Request Tuning.
2. Locate the "Maximum number of simultaneous Web Service requests" setting.
3. Set the value to "1" to prevent unnecessary web service threads.
4. Click "Submit Changes" to save the configuration.
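An added audit script, not part of the STIG and not ColdFusion's own code, that applies steps 2 to 4 of the check and the decision rule of the fix text against the server's on-disk configuration instead of the Administrator GUI, which is more practical when many instances must be reviewed. It assumes (the STIG page does not say this) that ColdFusion persists the Request Tuning values in cf_root/cfusion/lib/neo-runtime.xml as a WDDX struct named requestLimits, and that the Web Service limit is the key maxWebServiceThreads; verify both against your install before relying on it. The embedded XML is a constructed sample in that layout, not a capture from a real server, and whether web services are published must still come from the interview and design-document review in step 1.

```python
"""Audit APAS-CF-000745 ("Maximum number of simultaneous Web Service
requests") from ColdFusion's on-disk configuration.

Assumed, not taken from the STIG page: Request Tuning settings live in
<cf_root>/cfusion/lib/neo-runtime.xml as a WDDX struct "requestLimits",
and the Web Service limit is the key "maxWebServiceThreads".
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample mirroring the WDDX layout of neo-runtime.xml.
# Not a real file; only the requestLimits struct is included.
SAMPLE_NEO_RUNTIME_XML = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='requestLimits'><struct type='coldfusion.server.ConfigMap'>
<var name='maxCFThreads'><number>25.0</number></var>
<var name='maxCFCThreads'><number>15.0</number></var>
<var name='maxWebServiceThreads'><number>15.0</number></var>
<var name='maxFlashThreads'><number>5.0</number></var>
</struct></var>
</struct></data></wddxPacket>"""

WEB_SERVICE_LIMIT_KEY = "maxWebServiceThreads"  # assumed key name
REQUIRED_LIMIT = 1.0  # value the fix text requires when no web services are published


def read_request_limits(xml_text: str) -> Dict[str, float]:
    """Return the requestLimits struct as {name: number}.

    Each setting is stored as <var name='...'><number>N</number></var>
    inside the struct; numbers are written as floats (e.g. 15.0).
    """
    root = ET.fromstring(xml_text)
    limits: Dict[str, float] = {}
    for var in root.iter("var"):
        if var.get("name") != "requestLimits":
            continue
        struct = var.find("struct")
        if struct is not None:
            for child in struct.findall("var"):
                num = child.find("number")
                if num is not None and num.text:
                    limits[child.get("name", "")] = float(num.text)
        break
    return limits


@dataclass
class AuditResult:
    web_services_published: bool
    configured_limit: Optional[float]
    finding: bool
    reason: str


def audit_web_service_limit(xml_text: str, web_services_published: bool) -> AuditResult:
    """Apply the check's decision rule to the configuration text.

    web_services_published comes from the SA interview / design documents
    (check step 1-2), not from the config file.
    """
    value = read_request_limits(xml_text).get(WEB_SERVICE_LIMIT_KEY)
    if web_services_published:
        # Step 2: published web services -> the requirement is not a finding.
        return AuditResult(True, value, False,
                           "Web Services are published; not a finding")
    if value is None:
        # Cannot verify the setting at all; treat as a finding (conservative choice).
        return AuditResult(False, None, True,
                           f"{WEB_SERVICE_LIMIT_KEY} not present in requestLimits")
    if value != REQUIRED_LIMIT:
        # Step 4: not published and not "1" -> finding.
        return AuditResult(False, value, True,
                           f"Web Services not published but limit is {value:g}, expected 1")
    return AuditResult(False, value, False, "limit is 1; not a finding")


def audit_file(path: str, web_services_published: bool) -> AuditResult:
    """Run the same check against a real neo-runtime.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_web_service_limit(fh.read(), web_services_published)


if __name__ == "__main__":
    result = audit_web_service_limit(SAMPLE_NEO_RUNTIME_XML, web_services_published=False)
    print("FINDING" if result.finding else "OK", "-", result.reason)
```

Run it with `audit_file("/opt/coldfusion/cfusion/lib/neo-runtime.xml", False)` (path assumed) on a host where step 1 established that no web services are published; the sample data above, with the default-looking value of 15, reports a finding, and the same input with the limit set to 1 passes. Comparing as a float matters because ColdFusion writes the numbers as `1.0`, not `1`.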
Additional Identifiers
Rule ID: SV-279081r1171481_rule
Vulnerability ID: V-279081
Group Title: SRG-APP-000435-AS-000163
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |