STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jan 2018:

ColdFusion must be set to automatically check for updates.

DISA Rule

SV-77033r1_rule

Vulnerability Number

V-62543

Group Title

SRG-APP-000456-AS-000266

Rule Version

CF11-06-000226

Severity

CAT III

CCI(s)

• CCI-002605 - The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.

Weight

10

Fix Recommendation

If the ColdFusion server has access to a patch repository, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and check the "Automatically Check for Updates" setting and select the "Submit Changes" button.

If the ColdFusion server does not have access to a patch repository, document the process to check for updates. The documented process must include location and how often.

Check Contents

Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation.

If the ColdFusion server has access to a patch repository, the server must check for updates. To verify that the server is checking for updates, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that the "Automatically Check for Updates" is checked.

If the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository and "Automatically Check for Updates" is not checked, this is a finding.

If the ColdFusion server does not have access to Adobe or an internally maintained patch repository, then a manual process must be documented to check for updates. The documented process must include the location and how often to check for updates.

If the process is not documented or the documented process does not include location and frequency, this is a finding.

Vulnerability Number

V-62543

Documentable

False

Rule Version

CF11-06-000226

Severity Override Guidance

Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation.

If the ColdFusion server has access to a patch repository, the server must check for updates. To verify that the server is checking for updates, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that the "Automatically Check for Updates" is checked.

If the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository and "Automatically Check for Updates" is not checked, this is a finding.

If the ColdFusion server does not have access to Adobe or an internally maintained patch repository, then a manual process must be documented to check for updates. The documented process must include the location and how often to check for updates.

If the process is not documented or the documented process does not include location and frequency, this is a finding.

Check Content Reference

M

Target Key

2661

Comments