Check: APAS-CF-000145
Adobe ColdFusion STIG: APAS-CF-000145 (in version v1 r1)
Title
The ColdFusion file ownership and permissions must be restricted to prevent unauthorized access to log tools. (Cat III impact)
Discussion
Log management tools within ColdFusion provide access to view, analyze, and sometimes modify application log data. If file ownership and permissions for these tools are not properly restricted, unauthorized users could gain access to audit logs, modify or delete critical records, or bypass detection mechanisms. This not only compromises the integrity and availability of audit data but also undermines the organization's ability to detect and respond to security incidents. Properly assigning file ownership and enforcing least privilege permissions ensures that only authorized administrators or service accounts have access to these tools. This reduces the risk of log tampering or exposure of sensitive information.

Satisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083
Check Content
For ColdFusion running on Windows:
1. For each ColdFusion instance, navigate to:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf
   <ColdFusion_Installation_Directory>\cfusion\runtime\lib
2. The logs directory and all files within it must have Full Control granted to the Administrators group and the user account running the ColdFusion service.

If any directory or file permissions do not meet this requirement, this is a finding.

For ColdFusion running on Linux:
1. Navigate to:
   <ColdFusion_Installation_Directory>/cfusion/runtime/conf
   <ColdFusion_Installation_Directory>/cfusion/runtime/lib
2. The logs tools directory and all files within it must have:
   - "Owner" set to the user running ColdFusion.
   - "Group ownership" set to root.
   - "Permissions" set to 640 or more restrictive.

If ownership or permissions do not meet this requirement, this is a finding.
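The Linux part of the check above can be scripted so that an auditor gets a per-path list of findings instead of reading `ls -l` output by hand. The following Python script is an added example written for this page; it is not part of the STIG or of Adobe's tooling. It assumes the ColdFusion service account name is passed on the command line (the placeholder `cfuser` is an assumption), walks the `conf` and `lib` directories named in the check, and reports every directory or file whose owner is not that account, whose group is not `root`, or whose mode grants any permission bit beyond 640 (the "640 or more restrictive" rule, including setuid/setgid/sticky bits).

```python
import grp
import os
import pwd
import stat
import sys

# Criteria from the STIG check content for Linux: owner is the ColdFusion
# service user, group is root, mode grants nothing beyond 640.
EXPECTED_GROUP = "root"
MAX_MODE = 0o640
# Subdirectories named in the check, relative to <ColdFusion_Installation_Directory>.
CHECKED_SUBDIRS = ("cfusion/runtime/conf", "cfusion/runtime/lib")


def entry_findings(owner, group, mode, expected_owner,
                   expected_group=EXPECTED_GROUP, max_mode=MAX_MODE):
    """Evaluate one filesystem entry against the STIG criteria.

    owner/group are account names, mode is the permission bits (e.g. 0o644).
    Returns a list of finding strings; an empty list means the entry is compliant.
    """
    findings = []
    if owner != expected_owner:
        findings.append(f"owner is {owner!r}, expected {expected_owner!r}")
    if group != expected_group:
        findings.append(f"group is {group!r}, expected {expected_group!r}")
    # "640 or more restrictive": no bit may be set that 640 does not grant.
    # Masking with 0o7777 also catches setuid, setgid and sticky bits.
    perm = mode & 0o7777
    extra_bits = perm & ~max_mode
    if extra_bits:
        findings.append(f"mode {perm:04o} grants bits {extra_bits:04o} beyond {max_mode:04o}")
    return findings


def _name(lookup, ident):
    """Map a uid/gid to a name; an unmapped id is reported as its number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def owner_and_group(st):
    """Return (owner_name, group_name) for an os.stat_result."""
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    return owner, group


def scan_tree(root, expected_owner, expected_group=EXPECTED_GROUP, max_mode=MAX_MODE):
    """Walk root (the directory itself, its subdirectories and files) and return
    {path: [findings]} for every entry that fails the check."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath, *(os.path.join(dirpath, f) for f in filenames)]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful; its target is checked where it lives
            owner, group = owner_and_group(st)
            findings = entry_findings(owner, group, stat.S_IMODE(st.st_mode),
                                      expected_owner, expected_group, max_mode)
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    # Usage: python check_cf_perms.py <cfuser> <ColdFusion_Installation_Directory>
    cfuser, install_dir = sys.argv[1], sys.argv[2]
    for sub in CHECKED_SUBDIRS:
        failures = scan_tree(os.path.join(install_dir, sub), cfuser)
        for path, reasons in sorted(failures.items()):
            print(f"FINDING {path}: {'; '.join(reasons)}")
        if not failures:
            print(f"OK {sub}")
```

Any non-empty output line beginning with `FINDING` corresponds to a finding under this check. Directories are evaluated against the same 640 rule the check states, so a directory that keeps its execute (traversal) bit will be listed; if that is deliberate on a given system, pass a different `max_mode` for a separate directory pass and record the justification with the result.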
Fix Text
For ColdFusion running on Windows:
1. For each ColdFusion instance, navigate to:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf
   <ColdFusion_Installation_Directory>\cfusion\runtime\lib
2. Right-click the directory and select "Properties".
3. Click the Security tab and then click "Advanced".
4. On the Permissions tab, click "Disable inheritance" and select "Remove all inherited permissions from this object".
5. Click "Add".
   a. In the Permission Entry dialog, click "Select a principal".
   b. Enter the user account running the ColdFusion service.
   c. Grant Full Control and click "OK".
6. Click "Add" again.
   a. In the Permission Entry dialog, click "Select a principal".
   b. Enter the Administrators group.
   c. Grant Full Control and click "OK".
7. Check "Replace all child object permission entries with inheritable permission entries from this object".
8. Click "OK" to apply the permissions.

For ColdFusion running on Linux:
Set ownership and permissions using the following commands, replacing the path and user as appropriate:

```shell
chown -R <cfuser>:root <ColdFusion_Installation_Directory>/cfusion/runtime/conf
chown -R <cfuser>:root <ColdFusion_Installation_Directory>/cfusion/runtime/lib
chmod -R 640 <ColdFusion_Installation_Directory>/cfusion/runtime/conf
chmod -R 640 <ColdFusion_Installation_Directory>/cfusion/runtime/lib
```
Additional Identifiers
Rule ID: SV-279037r1171603_rule
Vulnerability ID: V-279037
Group Title: SRG-APP-000121-AS-000081
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001493 | Protect audit tools from unauthorized access. |
| CCI-001494 | Protect audit tools from unauthorized modification. |
| CCI-001495 | Protect audit tools from unauthorized deletion. |
Controls
| Number | Title |
|---|---|
| AU-9 | Protection of Audit Information |