STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide, Version 1, Release 4, Benchmark Date: 26 Jan 2018

ColdFusion must protect software libraries from being changed by OS users.

DISA Rule

SV-76893r1_rule

Vulnerability Number

V-62403

Group Title

SRG-APP-000133-AS-000092

Rule Version

CF11-03-000093

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Locate the hf-updates directory for ColdFusion. The hf-updates directory should have the following permissions:

ColdFusion running on Windows:
1. Right click on the "hf-updates" directory and select "Properties".
2. Click on the "Security" tab and then click the "Advanced" button.
3. On the "Permissions" tab, click the "Disable inheritance" button and select "Remove all inherited permissions from this object."
4. Click the "Add" button; in the Permission Entry dialog, click "Select a principal."
5. Enter the user that is running the ColdFusion service and give this user Full control and click "OK" to save.
6. Click the "Add" button again; in the Permission Entry dialog, click "Select a principal."
7. Enter the Administrators group and give the group Full control and click "OK" to save.
8. Check the "Replace all child object permission entries with inheritable permission entries from this object" checkbox.
9. Click "OK" to apply these permissions.

ColdFusion running on Linux:
Use the chmod command to set the permissions correctly and chown to set the owner and group. For example, if the hf-updates directory is found at /opt/cf11/cfusion/hf-updates and you want to set the owner to cfuser, the commands would be:
chown cfuser:root /opt/cf11/cfusion/hf-updates
chmod 750 /opt/cf11/cfusion/hf-updates

Check Contents

Locate the hf-updates directory for ColdFusion. Review the permissions on the hf-updates directory. ColdFusion running on Windows should have full control for the Administrators group and the user running the ColdFusion application. No other users or groups should have permissions.

If permissions are granted to other users or groups, this is a finding.

If ColdFusion is installed on Linux, the permissions must be "750" or more restrictive with the owner set to the user running the ColdFusion service and a group of root.

If the permissions are more permissive, this is a finding.
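The Linux part of this check, written as an added example script rather than anything shipped with the STIG or with STIGQter. It assumes GNU coreutils (`stat -c`), takes the hf-updates path and the ColdFusion service user as arguments, and reports a finding when the owner, the group (root, per the check) or the mode (750 or more restrictive) does not match; the directory path and the user name cfuser are the ones the fix text uses as an example, not values the script assumes.

```shell
#!/bin/sh
# Added example (not part of the STIG): the Linux check for CF11-03-000093
# as a script. Assumes GNU coreutils `stat -c`.
# Usage: sh check_hf_updates.sh /opt/cf11/cfusion/hf-updates cfuser

# check_hf_updates_perms DIR OWNER GROUP
# Returns 0 when DIR is owned by OWNER:GROUP and its mode is 750 or more
# restrictive (no group-write bit, no "other" bits). Returns 1 (a finding)
# otherwise, printing each reason.
check_hf_updates_perms() {
    dir=$1; want_owner=$2; want_group=$3

    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir does not exist or is not a directory"
        return 1
    fi

    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")   # e.g. 750, or 2750 when setgid is set

    # Keep only the three rwx digits (drop a leading setuid/setgid/sticky digit).
    mode=${mode#"${mode%???}"}
    g=${mode#?}; g=${g%?}         # group digit
    o=${mode#??}                  # other digit

    status=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: owner is $owner, expected $want_owner"
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FINDING: group is $group, expected $want_group"
        status=1
    fi
    # "750 or more restrictive": the group may not have write (bit 2) and
    # other users may have nothing. Owner bits are not constrained by the rule.
    case "$g" in
        0|1|4|5) ;;
        *) echo "FINDING: group has write access (mode $mode)"; status=1 ;;
    esac
    if [ "$o" != "0" ]; then
        echo "FINDING: other users have access (mode $mode)"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $dir is $owner:$group mode $mode"
    return "$status"
}

# Stand-alone usage: directory and service user come from the command line;
# the check requires the group to be root.
if [ "$#" -ge 2 ]; then
    check_hf_updates_perms "$1" "$2" root
fi
```

The script only reads metadata and exits non-zero on a finding, so it can be dropped into a compliance scan as-is; the fix commands in the section above (chown and chmod 750) are what bring a flagged directory back into line.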

Documentable

False

Severity Override Guidance

Locate the hf-updates directory for ColdFusion. Review the permissions on the hf-updates directory. ColdFusion running on Windows should have full control for the Administrators group and the user running the ColdFusion application. No other users or groups should have permissions.

If permissions are granted to other users or groups, this is a finding.

If ColdFusion is installed on Linux, the permissions must be "750" or more restrictive with the owner set to the user running the ColdFusion service and a group of root.

If the permissions are more permissive, this is a finding.

Check Content Reference

M

Target Key

2661

Comments