STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide, Version 1, Release 4, Benchmark Date: 26 Jan 2018

ColdFusion must have notifications enabled when a server update is available.

DISA Rule

SV-77035r1_rule

Vulnerability Number

V-62545

Group Title

SRG-APP-000456-AS-000266

Rule Version

CF11-06-000227

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the ColdFusion server has access to a patch repository, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and check the "Check for updates every" setting, enter a value greater than 0 for the "days" setting, and enter email addresses for notification. Select the "Submit Changes" button to save the new settings.

If the ColdFusion server does not have access to a patch repository, document the process to enroll into the Adobe patch notification service and enroll all administrators in the notification service.

Check Contents

Determine if the ColdFusion server has access to either the Adobe patch repository or an internally maintained patch repository. This may be determined by interviewing the administrator or by reviewing ColdFusion baseline documentation.

If the ColdFusion server has access to a patch repository, the server must notify administrators when updates are available. To verify that the server is notifying administrators, within the Administrator Console, navigate to the "Updates" page under the "Server Updates" menu. Select the "Settings" tab and verify that "Check for updates every" is checked, that a positive value is entered for the "days" value, and that at least one email address is entered for notification.

If "Check for updates every" is not checked, the "days" value is empty or less than 1, or the "If updates are available, send email notification to" parameter is empty, this is a finding.

If the ColdFusion server does not have access to a patch repository, then a documented notification process must be in place along with the administrators' enrollment in the Adobe automated patch notification service. To validate enrollment, a verification email or patch notification email can be used.

If the administrators are not enrolled in the Adobe patch notification service or the process is not documented, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

2661

Comments