STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide, Version 1, Release 4, Benchmark Date: 26 Jan 2018

ColdFusion must encrypt patch retrieval.

DISA Rule

SV-77005r1_rule

Vulnerability Number

V-62515

Group Title

SRG-APP-000440-AS-000167

Rule Version

CF11-05-000198

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the Administrator Console is used for patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console. Locate the "Site URL" setting on the "Settings" tab. Change the update URL so that it is prefixed with https:// (so that update traffic is encrypted in transit) and select the "Submit Changes" button.

If a manual process is used to retrieve patches, document a retrieval process that uses an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.

Check Contents

If the Administrator Console is used to perform patch retrieval, navigate to the "Updates" page under the "Server Update" menu within the console and review the setting "Site URL" within the "Settings" tab.

If the URL is not prefixed by https://, this is a finding.

If a manual process is used to retrieve patches, verify that a documented process is in place that includes using an encrypted method to download the patches, e.g., VPN tunneling, Secure Copy (SCP), etc.

If there is not a documented process or the process does not include an encrypted method to download patches, this is a finding.

Severity Override Guidance

Check Content Reference

M

Target Key

2661

Comments