The ColdFusion built-in TomCat Web Server must be disabled.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000141-AS-000095

Associated with: CCI-000381

SV-76911r1_rule The ColdFusion built-in TomCat Web Server must be disabled.

Vulnerability discussion

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, allowing for poor implementations, and commercial web servers offer better logging. To enable the Administrator Console to still operate and disable the built-in TomCat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.

Check content

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. Within the server.xml file, locate the xml line: Note: port="8500" is the port the Administrator Console was hosted on. The port is defined during the install and can be changed from the default of 8500, so this parameter may be different if an alternate port was assigned. If the line exists and is not commented out (XML comments start with , e.g., ), this is a finding.

Fix text

Locate the server.xml file for ColdFusion. This file can usually be located under the ColdFusion installation directory under the runtime/conf directory for Linux and runtime\conf for Windows. After making a backup of this file, edit the file and locate the following xml line: Note: port="8500" is the port the Administrator Console was hosted on. The port is setup at install and can be changed, so this parameter may be different in this line. This line can be deleted or using XML syntax can be commented out of the configuration. XML comment syntax starts with , e.g., .

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer