STIGQter STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jan 2018:

ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.

DISA Rule

SV-76999r1_rule

Vulnerability Number

V-62509

Group Title

SRG-APP-000439-AS-000155

Rule Version

CF11-05-000195

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to the "JVM arguments" setting within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. Add the parameter -Dhttps.protocols and set the parameter to the TLS versions to be used. A sample setting to use TLSv1.2, TLSv1.1 and TLSv1 is -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1. SSL versions must not be added to this parameter. Once the parameter is added to the JVM arguments, select the "Submit Changes" button to save the changes and restart the ColdFusion application server to have the changes take effect.

Check Contents

Review the setting "JVM arguments" within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. The parameter -Dhttps.protocols is used to set the TLS versions that the JVM can use. Valid values for this setting must be TLS versions 1.0 or higher. An example settings to use TLS versions 1.2, 1.1 and 1.0 is -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 and an example to only use TLS version 1.2 is -Dhttps.protocols=TLSv1.2

If the "JVM arguments" setting does not contain the parameter -Dhttps.protocols or if the parameter -Dhttps.protocols contains any SSL versions, this is a finding.

Vulnerability Number

V-62509

Documentable

False

Rule Version

CF11-05-000195

Severity Override Guidance

Review the setting "JVM arguments" within the Administrator Console. These arguments can be found in the "Java and JVM" page accessed through the "Server Settings" menu option. The parameter -Dhttps.protocols is used to set the TLS versions that the JVM can use. Valid values for this setting must be TLS versions 1.0 or higher. An example settings to use TLS versions 1.2, 1.1 and 1.0 is -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 and an example to only use TLS version 1.2 is -Dhttps.protocols=TLSv1.2

If the "JVM arguments" setting does not contain the parameter -Dhttps.protocols or if the parameter -Dhttps.protocols contains any SSL versions, this is a finding.

Check Content Reference

M

Target Key

2661

Comments