STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide, Version: 1, Release: 4, Benchmark Date: 26 Jan 2018

The ColdFusion error messages must be restricted to only authorized users.

DISA Rule

SV-77025r1_rule

Vulnerability Number

V-62535

Group Title

SRG-APP-000267-AS-000170

Rule Version

CF11-06-000222

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to the "User Manager" page under the "Security" menu. Remove the "Debugging and Logging>Logging" role from each user that should not have access to read error messages.

Check Contents

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to read error messages. For each user that should not be able to read error messages, review the roles assigned to the user account.

If any user who should not be able to read error messages has the "Debugging and Logging>Logging" role, this is a finding.

Documentable

False

Severity Override Guidance

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to read error messages. For each user that should not be able to read error messages, review the roles assigned to the user account.

If any user who should not be able to read error messages has the "Debugging and Logging>Logging" role, this is a finding.

Check Content Reference

M

Target Key

2661

Comments