kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
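--- a/data/standards/stig_adobe_acrobat_reader_dc_classic_track.json
+++ b/data/standards/stig_adobe_acrobat_reader_dc_classic_track.json
@@ -0,0 +1,179 @@
+ {
+ "name": "stig_adobe_acrobat_reader_dc_classic_track",
+ "date": "2018-03-14",
+ "description": "This Security Technical Implementation Guide is published as a\ntool to improve the security of Department of Defense (DoD) information\nsystems. The requirements are derived from the National Institute of\nStandards and Technology (NIST) 800-53 and related documents. Comments or\nproposed revisions to this document should be sent via e-mail to the\nfollowing address: disa.stig_spt@mail.mil.",
+ "title": "Adobe Acrobat Reader DC Classic Track Security Technical Implementation Guide",
+ "version": "1",
+ "item_syntax": "^\\w-\\d+$",
+ "section_separator": null,
+ "items": [
+ {
+ "id": "V-65729",
+ "title": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.",
+ "description": "PDFs have evolved from static pages to complex documents with features such as interactive forms, multimedia content, scripting, and other capabilities. These features leave PDFs vulnerable to malicious scripts or actions that can damage the computer or steal data. The Enhanced security feature protects the computer against these threats by blocking or selectively permitting actions for trusted locations and files.\n\nEnhanced Security determines if a PDF is viewed within a standalone application. A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nEnhanced Security “hardens” the application against risky actions: prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65735",
+ "title": "Adobe Reader DC must enable Enhanced Security in a Browser.",
+ "description": "PDFs have evolved from static pages to complex documents with features such as interactive forms, multimedia content, scripting, and other capabilities. These features leave PDFs vulnerable to malicious scripts or actions that can damage the computer or steal data. The Enhanced security feature protects the computer against these threats by blocking or selectively permitting actions for trusted locations and files.\n\nEnhanced Security determines if a PDF is viewed within a browser application. A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nEnhanced Security “hardens” the application against risky actions: prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65737",
+ "title": "Adobe Reader DC must enable Protected Mode.",
+ "description": "A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nProtected mode provides a sandbox capability that prevents malicious PDF files from launching arbitrary executable files, writing to system directories or the Windows registry.\n\nThis isolation of the PDFs reduces the risk of security breaches in areas outside the sandbox.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65739",
+ "title": "Adobe Reader DC must enable Protected View.",
+ "description": "A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nProtected view restricts Adobe Reader DC functionality, within a sandbox, when a PDF is opened from an untrusted source.\n\nThis isolation of the PDFs reduces the risk of security breaches in areas outside the sandbox.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65767",
+ "title": "Adobe Reader DC must Block Websites.",
+ "description": "Clicking any link to the Internet poses a potential security risk. Malicious websites can transfer harmful content or silently gather data. Acrobat Reader documents can connect to websites which can pose a potential threat to DoD systems and that functionality must be blocked. However, PDF document workflows that are trusted (e.g., DoD-created) can benefit from leveraging legitimate website access with minimal risk. Therefore, the ISSO may approve of website access and accept the risk if the access provides benefit and is a trusted site or the risk associated with accessing the site has been mitigated.\n\nAdobe Reader must block access to all websites that are not specifically allowed by ISSO risk acceptance.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65769",
+ "title": "Adobe Reader DC must block access to Unknown Websites.",
+ "description": "Because Internet access is a potential security risk, clicking any unknown website link to the Internet poses a potential security risk.\n\nMalicious websites can transfer harmful content or silently gather data.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65771",
+ "title": "Adobe Reader DC must prevent opening files other than PDF or FDF.",
+ "description": "Attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Certainly file types such as .bin, .exe, .bat, and so on will be recognized as threats.\n\nThis feature prevents users from opening or launching file types other than PDF or FDF and disables the menu option.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65775",
+ "title": "Adobe Reader DC must block Flash Content.",
+ "description": "Flash content is commonly hosted on a web page, but it can also be embedded in PDF and other documents. Flash could be used to surreptitious install malware on the end-users computer.\n\nFlash Content restricts Adobe Reader DC not to play Flash content within a PDF.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65777",
+ "title": "Adobe Reader DC must disable the ability to change the Default Handler.",
+ "description": "Allowing user to make changes to an application case cause a security risk.\n\nWhen the Default PDF Handler is disabled, the end users will not be able to change the default PDF viewer.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65779",
+ "title": "Adobe Reader DC must disable the Adobe Send and Track plugin for Outlook.",
+ "description": "When enabled, Adobe Send and Track button appears in Outlook. When an email is composed it enables the ability to send large files as public links through Outlook. The attached files can be uploaded to the Adobe Document Cloud and public links to the files are inserted in the email body.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65781",
+ "title": "Adobe Reader DC must disable all service access to Document Cloud Services.",
+ "description": "By default, Adobe online services are tightly integrated in Adobe Reader DC. With the integration of Adobe Document Cloud, disabling this feature prevents the risk of additional attack vectors.\n\nWithin Adobe Reader DC, the Adobe Cloud resources require a paid subscription for each service.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65783",
+ "title": "Adobe Reader DC must disable Cloud Synchronization.",
+ "description": "By default, Adobe online services are tightly integrated in Adobe Reader DC. When the Adobe Cloud synchronization is disabled it prevents the synchronization of desktop preferences across devices on which the user is signed in with an Adobe ID (including phones).",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65785",
+ "title": "Adobe Reader DC must disable the Adobe Repair Installation.",
+ "description": "When Repair Installation is disabled the user does not have the option (Help Menu) or functional to repair an Adobe Reader DC install.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65787",
+ "title": "Adobe Reader DC must disable 3rd Party Web Connectors.",
+ "description": "When 3rd Party Web Connectors are disabled it prevents the configuration of Adobe Reader DC access to third party services for file storage.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65789",
+ "title": "Adobe Reader DC must disable Adobe Send for Signature.",
+ "description": "The Adobe Document Cloud sign service allows users to send documents online for signature and sign from anywhere or any device. The signed documents are stored in the Adobe Cloud. The Adobe Document Cloud sign service is a paid subscription.\n\nWhen Adobe Send for Signature is disabled users will not be allowed to utilize the Adobe Document Cloud sign function.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65791",
+ "title": "Adobe Reader DC must disable access to Webmail.",
+ "description": "When Webmail is disabled the user cannot configure a webmail account to send an open PDF document as an attachment. Users should have the ability to send documents as Microsoft Outlook attachments. The difference is that Outlook must be configured by the administrator on the local machine.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65793",
+ "title": "Adobe Reader DC must disable Online SharePoint Access.",
+ "description": "Disabling SharePoint disables or removes the user’s ability to add a SharePoint account access controls the application's ability to detect that a file came from a SharePoint server, and disables the check-out prompt.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65795",
+ "title": "Adobe Reader DC must disable the Adobe Welcome Screen.",
+ "description": "The Adobe Reader DC Welcome screen can be distracting and also has online links to the Adobe quick tips website, tutorials, blogs and community forums.\n\nWhen the Adobe Reader DC Welcome screen is disabled the Welcome screen will not be populated on application startup.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65797",
+ "title": "Adobe Reader DC must disable Service Upgrades.",
+ "description": "By default, Adobe online services are tightly integrated into Adobe Reader DC. Disabling Service Upgrades disables both updates to the product's web-plugin components as well as all services without exception, including any online sign-in screen.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65799",
+ "title": "Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations.",
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling IE Trusts to Privileged Locations disables and locks the end user's ability to treat IE trusted sites as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65801",
+ "title": "Adobe Reader DC must disable the ability to add Trusted Files and Folders.",
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling Trusted Files and Folders disables and locks the end user's ability to add folders and files as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65803",
+ "title": "Adobe Reader DC must disable the ability to specify Host-Based Privileged Locations.",
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling Host-Based Privileged Locations disables and locks the end user's ability to add hosts as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65805",
+ "title": "Adobe Reader DC must disable the ability to elevate (trusts) certified documents as a Privileged Location.",
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling certified documents disables and locks the end user's ability to elevate certified documents as a privileged location.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65807",
+ "title": "Adobe Reader DC must disable periodical uploading of European certificates.",
+ "description": "By default, the user can update European certificates from an Adobe server through the GUI.\n\nWhen uploading European certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to upload those certificates.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65809",
+ "title": "Adobe Reader DC must disable periodical uploading of Adobe certificates.",
+ "description": "By default, the user can update Adobe certificates from an Adobe server through the GUI.\n\nWhen uploading Adobe certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to upload those certificates.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65811",
+ "title": "Adobe Reader DC must have the latest Security-related Software Updates installed.",
+ "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).",
+ "severity": "high"
+ },
+ {
+ "id": "V-65813",
+ "title": "Adobe Reader DC must enable FIPS mode.",
+ "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
+ "severity": "medium"
+ },
+ {
+ "id": "V-65815",
+ "title": "Adobe Reader DC must disable Acrobat Upsell.",
+ "description": "Products that don’t provide the full set of features by default provide the user the opportunity to upgrade. Acrobat Upsell displays message which encourage the user to upgrade the product. For example, Reader users can purchase additional tools and features, and Acrobat Reader users can upgrade to Acrobat Professional.",
+ "severity": "low"
+ },
+ {
+ "id": "V-65817",
+ "title": "placeholder",
+ "description": "placeholder",
+ "severity": "low"
+ }
+ ]
+ }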
@@ -0,0 +1,179 @@
1
+ {
2
+ "name": "stig_adobe_acrobat_reader_dc_continuous_track",
3
+ "date": "2018-03-14",
4
+ "description": "This Security Technical Implementation Guide is published as a\ntool to improve the security of Department of Defense (DoD) information\nsystems. The requirements are derived from the National Institute of\nStandards and Technology (NIST) 800-53 and related documents. Comments or\nproposed revisions to this document should be sent via e-mail to the\nfollowing address: disa.stig_spt@mail.mil.",
5
+ "title": "Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide",
6
+ "version": "1",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-64919",
12
+ "title": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.",
13
+ "description": "PDFs have evolved from static pages to complex documents with features such as interactive forms, multimedia content, scripting, and other capabilities. These features leave PDFs vulnerable to malicious scripts or actions that can damage the computer or steal data. The Enhanced security feature protects the computer against these threats by blocking or selectively permitting actions for trusted locations and files.\n\nEnhanced Security determines if a PDF is viewed within a standalone application. A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nEnhanced Security “hardens” the application against risky actions: prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
14
+ "severity": "medium"
15
+ },
16
+ {
17
+ "id": "V-64921",
18
+ "title": "Adobe Reader DC must enable Enhanced Security in a Browser.",
19
+ "description": "PDFs have evolved from static pages to complex documents with features such as interactive forms, multimedia content, scripting, and other capabilities. These features leave PDFs vulnerable to malicious scripts or actions that can damage the computer or steal data. The Enhanced security feature protects the computer against these threats by blocking or selectively permitting actions for trusted locations and files.\n\nEnhanced Security determines if a PDF is viewed within a browser application. A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nEnhanced Security “hardens” the application against risky actions: prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-64923",
24
+ "title": "Adobe Reader DC must enable Protected Mode.",
25
+ "description": "A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nProtected mode provides a sandbox capability that prevents malicious PDF files from launching arbitrary executable files, writing to system directories or the Windows registry.\n\nThis isolation of the PDFs reduces the risk of security breaches in areas outside the sandbox.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-64925",
30
+ "title": "Adobe Reader DC must enable Protected View.",
31
+ "description": "A threat to users of Adobe Reader DC is opening a PDF file that contains malicious executable content.\n\nProtected view restricts Adobe Reader DC functionality, within a sandbox, when a PDF is opened from an untrusted source.\n\nThis isolation of the PDFs reduces the risk of security breaches in areas outside the sandbox.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-64927",
36
+ "title": "Adobe Reader DC must Block Websites.",
37
+ "description": "Clicking any link to the Internet poses a potential security risk. Malicious websites can transfer harmful content or silently gather data. Acrobat Reader documents can connect to websites which can pose a potential threat to DoD systems and that functionality must be blocked. However, PDF document workflows that are trusted (e.g., DoD-created) can benefit from leveraging legitimate website access with minimal risk. Therefore, the ISSO may approve of website access and accept the risk if the access provides benefit and is a trusted site or the risk associated with accessing the site has been mitigated.\n\nAdobe Reader must block access to all websites that are not specifically allowed by ISSO risk acceptance.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-64929",
42
+ "title": "Adobe Reader DC must block access to Unknown Websites.",
43
+ "description": "Because Internet access is a potential security risk, clicking any unknown website link to the Internet poses a potential security risk.\n\nMalicious websites can transfer harmful content or silently gather data.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-64931",
48
+ "title": "Adobe Reader DC must prevent opening files other than PDF or FDF.",
49
+ "description": "Attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Certainly file types such as .bin, .exe, .bat, and so on will be recognized as threats.\n\nThis feature prevents users from opening or launching file types other than PDF or FDF and disables the menu option.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-64933",
54
+ "title": "Adobe Reader DC must block Flash Content.",
55
+ "description": "Flash content is commonly hosted on a web page, but it can also be embedded in PDF and other documents. Flash could be used to surreptitious install malware on the end-users computer.\n\nFlash Content restricts Adobe Reader DC not to play Flash content within a PDF.\n\nSatisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-64935",
60
+ "title": "Adobe Reader DC must disable the ability to change the Default Handler.",
61
+ "description": "Allowing user to make changes to an application case cause a security risk.\n\nWhen the Default PDF Handler is disabled, the end users will not be able to change the default PDF viewer.",
62
+ "severity": "low"
63
+ },
64
+ {
65
+ "id": "V-64937",
66
+ "title": "Adobe Reader DC must disable the Adobe Send and Track plugin for Outlook.",
67
+ "description": "When enabled, Adobe Send and Track button appears in Outlook. When an email is composed it enables the ability to send large files as public links through Outlook. The attached files can be uploaded to the Adobe Document Cloud and public links to the files are inserted in the email body.",
68
+ "severity": "low"
69
+ },
70
+ {
71
+ "id": "V-64939",
72
+ "title": "Adobe Reader DC must disable all service access to Document Cloud Services.",
73
+ "description": "By default, Adobe online services are tightly integrated in Adobe Reader DC. With the integration of Adobe Document Cloud, disabling this feature prevents the risk of additional attack vectors.\n\nWithin Adobe Reader DC, the Adobe Cloud resources require a paid subscription for each service.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-64941",
78
+ "title": "Adobe Reader DC must disable Cloud Synchronization.",
79
+ "description": "By default, Adobe online services are tightly integrated in Adobe Reader DC. When the Adobe Cloud synchronization is disabled it prevents the synchronization of desktop preferences across devices on which the user is signed in with an Adobe ID (including phones).",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-64943",
84
+ "title": "Adobe Reader DC must disable the Adobe Repair Installation.",
85
+ "description": "When Repair Installation is disabled the user does not have the option (Help Menu) or functional to repair an Adobe Reader DC install.",
86
+ "severity": "low"
87
+ },
88
+ {
89
+ "id": "V-64945",
90
+ "title": "Adobe Reader DC must disable 3rd Party Web Connectors.",
91
+ "description": "When 3rd Party Web Connectors are disabled it prevents the configuration of Adobe Reader DC access to third party services for file storage.",
92
+ "severity": "medium"
93
+ },
94
+ {
95
+ "id": "V-64947",
96
+ "title": "Adobe Reader DC must disable Adobe Send for Signature.",
97
+ "description": "The Adobe Document Cloud sign service allows users to send documents online for signature and sign from anywhere or any device. The signed documents are stored in the Adobe Cloud. The Adobe Document Cloud sign service is a paid subscription.\n\nWhen Adobe Send for Signature is disabled users will not be allowed to utilize the Adobe Document Cloud sign function.",
98
+ "severity": "low"
99
+ },
100
+ {
101
+ "id": "V-64949",
102
+ "title": "Adobe Reader DC must disable access to Webmail.",
103
+ "description": "When Webmail is disabled the user cannot configure a webmail account to send an open PDF document as an attachment. Users should have the ability to send documents as Microsoft Outlook attachments. The difference is that Outlook must be configured by the administrator on the local machine.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-64951",
108
+ "title": "Adobe Reader DC must disable Online SharePoint Access.",
109
+ "description": "Disabling SharePoint disables or removes the user’s ability to add a SharePoint account access controls the application's ability to detect that a file came from a SharePoint server, and disables the check-out prompt.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-64953",
114
+ "title": "Adobe Reader DC must disable the Adobe Welcome Screen.",
115
+ "description": "The Adobe Reader DC Welcome screen can be distracting and also has online links to the Adobe quick tips website, tutorials, blogs and community forums.\n\nWhen the Adobe Reader DC Welcome screen is disabled the Welcome screen will not be populated on application startup.",
116
+ "severity": "low"
117
+ },
118
+ {
119
+ "id": "V-64955",
120
+ "title": "Adobe Reader DC must disable Service Upgrades.",
121
+ "description": "By default, Adobe online services are tightly integrated into Adobe Reader DC. Disabling Service Upgrades disables both updates to the product's web-plugin components as well as all services without exception, including any online sign-in screen.",
122
+ "severity": "low"
123
+ },
124
+ {
125
+ "id": "V-65665",
126
+ "title": "Adobe Reader DC must disable the ability to specify Host-Based Privileged Locations.",
127
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling Host-Based Privileged Locations disables and locks the end user's ability to add hosts as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-65667",
132
+ "title": "Adobe Reader DC must disable the ability to add Trusted Files and Folders.",
133
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling Trusted Files and Folders disables and locks the end user's ability to add folders and files as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "V-65669",
138
+ "title": "Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations.",
139
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling IE Trusts to Privileged Locations disables and locks the end user's ability to treat IE trusted sites as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-65671",
144
+ "title": "Adobe Reader DC must disable the ability to elevate (trusts) certified documents as a Privileged Location.",
145
+ "description": "Privileged Locations allow the user to selectively trust files, folders, and hosts to bypass some security restrictions, such as enhanced security and protected view. By default, the user can create privileged locations through the GUI.\n\nDisabling certified documents disables and locks the end user's ability to elevate certified documents as a privileged location.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-65673",
150
+ "title": "Adobe Reader DC must disable periodical uploading of European certificates.",
151
+ "description": "By default, the user can update European certificates from an Adobe server through the GUI.\n\nWhen uploading European certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to upload those certificates.",
152
+ "severity": "low"
153
+ },
154
+ {
155
+ "id": "V-65675",
156
+ "title": "Adobe Reader DC must disable periodical uploading of Adobe certificates.",
157
+ "description": "By default, the user can update Adobe certificates from an Adobe server through the GUI.\n\nWhen uploading Adobe certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to upload those certificates.",
158
+ "severity": "low"
159
+ },
160
+ {
161
+ "id": "V-65677",
162
+ "title": "Adobe Reader DC must have the latest Security-related Software Updates installed.",
163
+ "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).",
164
+ "severity": "high"
165
+ },
166
+ {
167
+ "id": "V-65679",
168
+ "title": "Adobe Reader DC must enable FIPS mode.",
169
+ "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-66049",
174
+ "title": "Adobe Reader DC must disable Acrobat Upsell.",
175
+ "description": "Products that don't provide the full set of features by default provide the user the opportunity to upgrade. Acrobat Upsell displays message which encourage the user to upgrade the product. For example, Reader users can purchase additional tools and features, and Acrobat Reader users can upgrade to Acrobat Professional.",
176
+ "severity": "low"
177
+ }
178
+ ]
179
+ }
@@ -0,0 +1,611 @@
1
+ {
2
+ "name": "stig_adobe_coldfusion_11",
3
+ "date": "2017-12-31",
4
+ "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
5
+ "title": "Adobe ColdFusion 11 Security Technical Implementation Guide",
6
+ "version": "1",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-62075",
12
+ "title": "ColdFusion must limit concurrent sessions to the Administrator Console.",
13
+ "description": "The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. By disallowing concurrent logons, a user has a method to determine if his account has been comprised (The user will be unable to log into the Administrator Console.) and deters a user from having an open idle session from different work stations which can also be used by an attacker.",
14
+ "severity": "low"
15
+ },
16
+ {
17
+ "id": "V-62349",
18
+ "title": "ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service.",
19
+ "description": "Protecting data being sent to the PDF Service for PDF document creation protects the data from being read or modified before the document is created and returned to the requesting application. This protection can be implemented by using https over the plaintext transport protocol of http.",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-62351",
24
+ "title": "ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session.",
25
+ "description": "Protecting the data by not allowing unsecure non-FIPS 140-2 modules to be used and forcing FIPS 140-2 approved encryption modules limits the attack vector for an attacker. Several attacks, such as the POODLE attack and variants of the POODLE attack, take advantage of forcing an https communication to back down to an unsecure encryption module allowing the attacker to then read the encrypted data.",
26
+ "severity": "high"
27
+ },
28
+ {
29
+ "id": "V-62353",
30
+ "title": "ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
31
+ "description": "Controlling what a user can see or change is important within the ColdFusion application server. Allowing non-privileged users to change administrative type data can cause errors within the system or DoS situations. By forcing users to identify themselves and then tying roles to that identity, an individual is presented with only those options needed to perform their duties.",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-62355",
36
+ "title": "ColdFusion must automatically terminate a user session after user inactivity.",
37
+ "description": "An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting of a system-wide timeout for sessions. If this parameter is set too large, the usefulness of the parameter is lost. Care must be taken to not allow sessions to be open longer than needed, but also not set so short that users are unable to use the hosted applications.",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-62357",
42
+ "title": "ColdFusion must set a maximum session time-out value.",
43
+ "description": "An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process.\n\nTo thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting system-wide for session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. To control how large a developer can set the timeout to, a maximum setting is provided.",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-62359",
48
+ "title": "ColdFusion must control remote access to the Administrator Console.",
49
+ "description": "Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users.\n\nBy default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e. single password, separate user name and password per user, or no authentication needed), any user from any network is capable of accessing the console and making changes to the server configuration relying only on the authentication method configured for the installation. By limiting the IP addresses that can connect, the administration console can be hosted to a management network and only accessed via that network, further reducing the exposure of the Administrator Console.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-62361",
54
+ "title": "ColdFusion must control remote access to Exposed Services.",
55
+ "description": "ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, then the list of allowed IP addresses must be specified and limited to only those requiring access.",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-62363",
60
+ "title": "ColdFusion must control user access to Exposed Services.",
61
+ "description": "ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, then only those user accounts requiring access to perform the user's duties must be given access.",
62
+ "severity": "medium"
63
+ },
64
+ {
65
+ "id": "V-62365",
66
+ "title": "ColdFusion must require a username and password for access by each authorized user access.",
67
+ "description": "Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. \n\nEnforcing non-repudiation of actions requires that each user be identified. Without this identification, events cannot be traced to a user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing users to authenticate, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.",
68
+ "severity": "high"
69
+ },
70
+ {
71
+ "id": "V-62367",
72
+ "title": "ColdFusion must require each user to authenticate with a unique account.",
73
+ "description": "Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. \n\nEnforcing non-repudiation of actions requires that each user be uniquely identified. Without this identification, events cannot be traced to a particular user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing each user to authenticate using a unique account, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-62369",
78
+ "title": "When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated.",
79
+ "description": "Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).\n\nThe events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DoD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external logging tool that provides this capability.",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-62371",
84
+ "title": "ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged.",
85
+ "description": "ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure logable events. Allowing users other than the ISSM and appointed individuals access to turn logged events on or off allows a user to mask their actions by disabling logging. By enabling excessive logging or by enabling debugging, a user can generate logged events containing information that can be used to later attack the system or gain access to Personally Identifiable Information (PII).",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-62373",
90
+ "title": "ColdFusion must log scheduled tasks.",
91
+ "description": "Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. \n\nAscertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain data such as application components, modules, session identifiers, filenames, host names, and functionality.\n\nColdFusion inherently logs the location of events that take place during the normal operation of the application server, but the Executive task scheduler is not logged by default. Logging the execution of a task through the scheduler helps the administrator understand how a task was executed and also aides the administrator recognize if unauthorized scheduled tasks have been created.",
92
+ "severity": "low"
93
+ },
94
+ {
95
+ "id": "V-62375",
96
+ "title": "The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console.",
97
+ "description": "Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption used and version numbers. Controlling read access to this data, either through the Administrator Console or through the OS, must be controlled or limited to only those individuals who need access to fulfill their responsibilities.",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "V-62377",
102
+ "title": "The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.",
103
+ "description": "Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption used and version numbers. Controlling read access to this data, either through the Administrator Console or through the OS, must be controlled or limited to only those individuals who need access to fulfill their responsibilities.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-62379",
108
+ "title": "The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly.",
109
+ "description": "Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either deleted or modified to hide what actions took place. Users are unable to modify log data through the Administrator Console, so the protection from modification is only relevant by enforcing protections from modification at the OS level. This is performed by properly setting file permissions and enforcing user logons that match each user's job role.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-62381",
114
+ "title": "The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.",
115
+ "description": "When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigned the proper privileges to the log files and also giving OS users limited roles.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-62383",
120
+ "title": "The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly.",
121
+ "description": "When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigned the proper privileges to the log files and also giving OS users limited roles.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-62385",
126
+ "title": "ColdFusion must send log records to the operating system logging facility.",
127
+ "description": "Protection of log data includes assuring log data is not accidentally lost or deleted. By sending some of the log messages to the operating system logging facilities, these log messages become part of the OS log history, become part of the log review performed by the OS administrator, and become part of the backup of OS log data.\n\nNote: This feature is only available for Linux installations.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-62387",
132
+ "title": "ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements.",
133
+ "description": "The proper management of log records not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain the logs online for a defined period of time.\n\nIf adequate online log storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected.\n\nIt is important to keep a defined amount of logs online and readily available for investigative purposes. The logs may be stored on the application server until they can be archived to a log system or, in some instances, a Storage Area Network (SAN). Regardless of the method used, log record storage capacity must be sufficient to store log data when the data cannot be off-loaded to a log system or a SAN.\n\nColdFusion handles logs by allowing the administrator to specify a log file size and how many archives to keep online. This allows the administrator to correctly size the storage needed to meet the requirements of the organization for how log audit files should be available online and configure the storage needed to meet the requirement before off-loading archives to off-line storage.",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "V-62389",
138
+ "title": "ColdFusion log records must be off-loaded onto a different system or media from the system being logged.",
139
+ "description": "Information system logging capability is critical for accurate forensic analysis. Off-loading is a common process in information systems with limited log storage capacity.\n\nCentralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records on to a different system or media than the system being logged.\n\nColdFusion offers the capability to set the number of archived log files to keep before overwriting the file along with the maximum file size before generating an archive. This allows the administrator to set up a scheduled task or a centralized log management system to pull the log files.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-62391",
144
+ "title": "ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems.",
145
+ "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. ColdFusion does not offer an automated mechanism to off-load logs, but ColdFusion does have the capability to create archive log files. By using the archive capability, off-loading can be set up using a weekly scheduled task for standalone systems. For interconnected systems, applications such as syslog on Linux can be used to off-load data simultaneously.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-62393",
150
+ "title": "The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.",
151
+ "description": "Allowing any user to view log messages provides information to individuals that may be used to compromise the system. This information may provide system design, user access/IP addresses, interconnected systems, and security settings such as encryption used and version numbers. Controlling read access to this data, either through the Administrator Console or through the OS, must be controlled or limited to only those individuals who need access to fulfill their responsibilities.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-62395",
156
+ "title": "The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly.",
157
+ "description": "Allowing any user to modify log messages provides a method for an attacker to hide his attack and go unnoticed. Log modification also makes forensic investigation difficult, if not impossible, as the information needed to recreate the event is either deleted or modified to hide what actions took place. Users are unable to modify log data through the Administrator Console, so the protection from modification is only relevant by enforcing protections from modification at the OS level. This is performed by properly setting file permissions and enforcing user logons that match each user's job role.",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "V-62397",
162
+ "title": "The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly.",
163
+ "description": "When a system is attacked, one of the tasks of the attacker is to cover his tracks by deleting log files or log data. This enables the attacker to go unnoticed and to make later forensic analysis of the attack difficult, if not impossible. To protect the log information from deletion and discover the attacker quickly, the log files must be protected. This protection must take place at both the Administrator Console and at the OS level. Within the Administrator Console, the protection can be performed by giving users the proper roles and only giving log deletion to those that need that capability to perform their job duties. At the OS level, protecting the logs from deletion is performed by assigned the proper privileges to the log files and also giving OS users limited roles.",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "V-62399",
168
+ "title": "ColdFusion must limit applications from changing shared Java components.",
169
+ "description": "Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML code that can directly access these components and settings, the programmer can change how shared Java components work and create new Java components. By disabling this option, the programmer is unable to read or modify administration and configuration information for the server and shared Java components.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-62401",
174
+ "title": "ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries.",
175
+ "description": "Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by an SA to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, he can then attempt to revert the system to an unsecure version which may have known and documented attacks that can be successful to compromise ColdFusion. \n\nTo protect against this type of attack and to further define roles for users, access to the patch management functionality is important. Proper protection is performed through assigning the appropriate roles to the users of the Administrator Console and through the least privileged permissions assigned at the OS level.",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "V-62403",
180
+ "title": "ColdFusion must protect software libraries from being changed by OS users.",
181
+ "description": "Controlling the overall security posture of the server encompasses controlling the patches and versions of the software running within the production environment. Patches are installed to fix security and bug issues. Vendors will often supply a feature to uninstall the patch in the event the patch does not install correctly, if the patch causes issues with hosted applications, or if the patch contains issues not found during testing. The uninstall feature is meant to be used by an SA to maintain a secure and stable system. In the event an attacker gains access to the uninstall functionality, he can then attempt to revert the system to an unsecure version which may have known and documented attacks that can be successful to compromise ColdFusion. \n\nTo protect against this type of attack and to further define roles for users, access to the patch management functionality is important. Proper protection is performed through assigning the appropriate roles to the users of the Administrator Console and through the least privileged permissions assigned at the OS level.",
182
+ "severity": "medium"
183
+ },
184
+ {
185
+ "id": "V-62405",
186
+ "title": "ColdFusion must only allow approved file extensions.",
187
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. One area of concern is the file types that can be included in cfm and cfml files by programmers. To control what types of technologies are used in the development of hosted applications, a default whitelist can be created and approved by the ISSO. This list includes only those file extensions that are used by the hosted applications. By default, cfm and cfml are included and do not have to be specified. The list must not contain the wildcard string \"*.*\".",
188
+ "severity": "medium"
189
+ },
190
+ {
191
+ "id": "V-62407",
192
+ "title": "ColdFusion must disable Flash Remoting support.",
193
+ "description": "Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Flash Remoting allows a Flash client to connect to the ColdFusion server and invoke ColdFusion Components (CFCs). Allowing this service to be enabled when not needed by hosted applications and when ColdFusion server monitoring is not being used provides an avenue for an attacker to gain access to the server.",
194
+ "severity": "high"
195
+ },
196
+ {
197
+ "id": "V-62409",
198
+ "title": "ColdFusion must disable the In-Memory File System.",
199
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. ColdFusion offers an in-memory file system. This feature can be used to have dynamic code execute quickly which in turns enables an application to execute quicker. This feature can also be used by an attacker to execute dynamic code that is erased and unrecoverable on system reboot making forensic analysis impossible.",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "V-62411",
204
+ "title": "ColdFusion must have Event Gateway Services disabled.",
205
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Event Gateway Services are used to pass events from external sources to ColdFusion components that are specified. Since this gateway is accepting events from external sources, a listener must be present. When enabled, along with the listener, memory, queues, and processes are available for gateway processes. These resources can be used by an attacker and should be disabled if the feature is not being used for hosted applications.",
206
+ "severity": "medium"
207
+ },
208
+ {
209
+ "id": "V-62413",
210
+ "title": "ColdFusion must have Remote Development Services (RDS) disabled.",
211
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Development Services (RDS) is used in a development environment to allow authenticated users access to the server using special features within code editors like Dreamweaver, HomeSite+, ColdFusion Studio, and Eclipse to obtain information from the server. For example, developers can determine what data sources exist, query them, build code based on them, and more. RDS also enables access from within the editors to files on the server (even remotely) over HTTP, as an alternative to FTP. This feature is not meant for production environments.",
212
+ "severity": "high"
213
+ },
214
+ {
215
+ "id": "V-62415",
216
+ "title": "ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.",
217
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server.",
218
+ "severity": "medium"
219
+ },
220
+ {
221
+ "id": "V-62417",
222
+ "title": "ColdFusion must have the WebSocket Service disabled.",
223
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The WebSocket Service is used to develop real-time applications for stock, charting, online gaming, social networking, dashboard for various purposes, and monitoring. The service uses http or https for communication either to a proxy server or to the built-in WebSocket Server. When the service is enabled and not used, resources are used but set idle. To allow the idle resources to be used for other services, if the WebSocket service is not be used by hosted applications, the service must be disabled.",
224
+ "severity": "medium"
225
+ },
226
+ {
227
+ "id": "V-62419",
228
+ "title": "ColdFusion must have example data sources removed.",
229
+ "description": "ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.",
230
+ "severity": "medium"
231
+ },
232
+ {
233
+ "id": "V-62421",
234
+ "title": "The ColdFusion built-in TomCat Web Server must be disabled.",
235
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, allowing for poor implementations, and commercial web servers offer better logging. To enable the Administrator Console to still operate and disable the built-in TomCat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.",
236
+ "severity": "medium"
237
+ },
238
+ {
239
+ "id": "V-62423",
240
+ "title": "ColdFusion must have Remote Inspection disabled.",
241
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Inspection is used to debug mobile applications and may contain sensitive information. This feature may be necessary as applications are built and tested, but once in a production environment, this setting is not necessary for daily operations and must be disabled.",
242
+ "severity": "high"
243
+ },
244
+ {
245
+ "id": "V-62425",
246
+ "title": "ColdFusion must protect internal cookies from being updated by hosted applications.",
247
+ "description": "Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Allowing developers to override global session cookie security settings is used to allow a hosted application to change the security posture of the application server. This feature may be necessary as applications are built and tested, but once in a production environment, this functionality is not necessary for daily operations and must be disabled.",
248
+ "severity": "medium"
249
+ },
250
+ {
251
+ "id": "V-62427",
252
+ "title": "ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.",
253
+ "description": "Some networking protocols may not meet organizational security requirements to protect data and components.\n\nColdFusion may host a number of various features, such as the Administrator Console, data sources and various services. These features all run on TCPIP ports and protocols. This creates the potential that the vendor or ColdFusion administrator may choose to utilize port numbers or protocols that have been deemed unusable by the organization. When ports or protocols are used that are not secure or authorized by the organization, the ColdFusion feature must be reconfigured to use an authorized port and protocol.\n\nFor a list of approved ports and protocols, reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html.",
254
+ "severity": "medium"
255
+ },
256
+ {
257
+ "id": "V-62429",
258
+ "title": "ColdFusion must disable auto reloading of configuration files on file changes.",
259
+ "description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Allowing ColdFusion to watch for configuration file changes and reloading the new configuration gives an attacker an easy way to make modifications and have those changes become part of the executing production system quickly.",
260
+ "severity": "medium"
261
+ },
262
+ {
263
+ "id": "V-62431",
264
+ "title": "The ColdFusion Root Administrator account must have a unique username.",
265
+ "description": "The ColdFusion Root Administrator account is an administrative account setup during the installation process. This account has privileges to view, update and delete data within the entire ColdFusion Administrator Console. The account is meant to be used to setup ColdFusion after installation, but should only be used in emergency situations once user accounts are created. The account is similar to the Administrator account in Windows or the root account in Linux.\n\nTo help protect the account, the account username should not be admin or administrator. If setup with these usernames, an attacker already knows 50% of the information needed to gain access. A unique and not easily guessable username must be used to hinder the discovery of the account credentials.",
266
+ "severity": "medium"
267
+ },
268
+ {
269
+ "id": "V-62433",
270
+ "title": "ColdFusion must execute as a non-privileged user.",
271
+ "description": "Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. \n\nBecause ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be setup to execute as unprivileged users. This protects server resources, OS hosted applications, and organization resources should the ColdFusion application server become compromised.",
272
+ "severity": "medium"
273
+ },
274
+ {
275
+ "id": "V-62435",
276
+ "title": "ColdFusion accounts with access to the Administrator Console must be approved.",
277
+ "description": "ColdFusion offers an Administrator Console that is used to setup ColdFusion. The console allows the administrator to setup user accounts, user privileges, logging, data sources, etc. These accounts, once setup, do not automatically lock after a set duration of inactivity or any other security event that would require automatic locking or deletion. This would enable an account for a user who either left the organization or changed job roles, to continue access the console until the account is manually deleted.\n\nTo make certain that the user accounts are only those that are needed, the accounts must be approved by the ISSM.",
278
+ "severity": "medium"
279
+ },
280
+ {
281
+ "id": "V-62437",
282
+ "title": "ColdFusion must protect newly created objects.",
283
+ "description": "During operation, ColdFusion may create objects such as files to store parameters or log data, or pipes to share data between objects. When the objects are created, it is important that the newly created object has the correct permissions. This can be performed by assigning the proper umask value to the running process. For the ColdFusion service, the umask must be set to 007 or more restrictive.",
284
+ "severity": "medium"
285
+ },
286
+ {
287
+ "id": "V-62439",
288
+ "title": "ColdFusion must have Sandbox Security enabled.",
289
+ "description": "Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate different application user bases, data security levels, protect application resources, and to give least privileges to each application to system resources. Application isolation will also contain an application that has been compromised from compromising other hosted applications. \n\nTo allow sandboxing to be implemented, the feature must be enabled.",
290
+ "severity": "medium"
291
+ },
292
+ {
293
+ "id": "V-62441",
294
+ "title": "ColdFusion must have Sandboxes defined for application execution.",
295
+ "description": "Application isolation allows multiple applications to run on the same hosting operating system, web server and application server. Typical reasons to isolate applications are to separate different application user bases, data security levels, protect application resources, and to give least privileges to each application to system resources. Application isolation will also contain an application that has been compromised from compromising other hosted applications.\n\nTo implement sandboxing, sandboxes must be setup to separate applications. Enabling the feature without implementing sandboxes does not secure the system.",
296
+ "severity": "medium"
297
+ },
298
+ {
299
+ "id": "V-62443",
300
+ "title": "ColdFusion must have the Default ScriptSrc Directory set to a non-default value.",
301
+ "description": "The scripts directory contains common javascript code that may be used by the hosted applications. This code is offered to help the developer with common data controls and functions aiding in the quick development of applications. Unfortunately, this code has also been known to have security vulnerabilities. Because of this, many of the ColdFusion hacking tools look for this directory in the default location searching for files with known vulnerabilities. By moving the directory to a non-default location, the hacking tools are unable to find the directory making it more difficult for the attacker.",
302
+ "severity": "medium"
303
+ },
304
+ {
305
+ "id": "V-62445",
306
+ "title": "ColdFusion must contain the most recent update.",
307
+ "description": "ColdFusion releases updates to ColdFusion 11 to add support, fix bugs and close security issues. Without the current update installed, the product may be unstable or become a target for an attacker who can take advantage of a known exploit. The updates, when available, must be tested and installed as soon as possible.",
308
+ "severity": "high"
309
+ },
310
+ {
311
+ "id": "V-62447",
312
+ "title": "ColdFusion must have example collections removed.",
313
+ "description": "ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.",
314
+ "severity": "medium"
315
+ },
316
+ {
317
+ "id": "V-62449",
318
+ "title": "ColdFusion must have example gateway instances removed.",
319
+ "description": "ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.",
320
+ "severity": "medium"
321
+ },
322
+ {
323
+ "id": "V-62451",
324
+ "title": "ColdFusion must authenticate users individually.",
325
+ "description": "To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated.\n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.\n\nColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. This account should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When used as a group account, accountability, along with least privileges for the users, is lost.",
326
+ "severity": "medium"
327
+ },
328
+ {
329
+ "id": "V-62453",
330
+ "title": "ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.",
331
+ "description": "Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data.\n\nMany web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension.\n\nColdFusion offers SOAP capabilities but does not offer any type of security for these services. In order to extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.",
332
+ "severity": "medium"
333
+ },
334
+ {
335
+ "id": "V-62455",
336
+ "title": "ColdFusion must transmit only encrypted representations of passwords for Flex Integration.",
337
+ "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nColdFusion offers RMI communication between Flex and ColdFusion. The communication between the two will require authentication data. When authentication data is transmitted, the data must be encrypted to protect it from discovery. This can be done by enabling RMI over SSL within the Administrator Console.",
338
+ "severity": "medium"
339
+ },
340
+ {
341
+ "id": "V-62457",
342
+ "title": "The ColdFusion Administrator Console must transmit only encrypted representations of passwords.",
343
+ "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nColdFusion uses username and password for users to authenticate to the Administrator Console. When these credentials are sent in plaintext, an attacker can capture the information and use the credentials to log on to the console, creating objects, connections, and accounts for later use. The attacker will also have access to information stored for connections to other systems that ColdFusion may be connected to for data retrieval.",
344
+ "severity": "medium"
345
+ },
346
+ {
347
+ "id": "V-62459",
348
+ "title": "ColdFusion must transmit only encrypted representations of passwords to the mail server.",
349
+ "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nColdFusion may use username/password to connect to a mail server. When this authentication method is used, it is important that the credentials be protected when transmitted by being encrypted. While TLS encryption is the preferred method by DoD, SSL can be used when the mail server does not offer any other method of encryption.",
350
+ "severity": "medium"
351
+ },
352
+ {
353
+ "id": "V-62461",
354
+ "title": "Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusions private key.",
355
+ "description": "The cornerstone of PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.\n\nBoth the holders of a digital certificate and the issuing authority must protect the private keys. Java-based application servers, such as ColdFusion, utilize the Java keystore, which provides storage for cryptographic keys and certificates. ColdFusion uses the keystore to store private keys for ColdFusion WebSockets and for Flex Integration.",
356
+ "severity": "medium"
357
+ },
358
+ {
359
+ "id": "V-62463",
360
+ "title": "The ColdFusion Administrator Console must be hosted on a management network.",
361
+ "description": "ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker to functionality and information needed to further the attack on the application server.\n\nBy hosting the Administrator Console on a management-only network, the console is protected from hosted application users, is isolated to only management devices, is not vulnerable to accidental discovery, and most management networks encrypt all traffic protecting management data from accidental disclosure.",
362
+ "severity": "medium"
363
+ },
364
+ {
365
+ "id": "V-62465",
366
+ "title": "The ColdFusion Administrator Console must be hosted in a management sandbox.",
367
+ "description": "ColdFusion consists of the Administrator Console and hosted applications. By separating the Administrator Console from hosted applications, the user must authenticate as a privileged user to the Administrator Console before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker to functionality and information needed to further the attack on the application server.\n\nBy hosting the Administrator Console within its own sandbox from other hosted applications, the administrative objects are protected from reuse and modification by the other hosted applications.",
368
+ "severity": "medium"
369
+ },
370
+ {
371
+ "id": "V-62467",
372
+ "title": "ColdFusion must disable creation of unnamed applications.",
373
+ "description": "ColdFusion allows applications to be named or unnamed. The application name allows the developer to scope the application or define a logical application and allows for the separation of applications. When an application is unnamed, the application scope corresponds to the ColdFusion JEE servlet context. This also means that the application session corresponds directly to the session object of the JEE application server. Having unnamed applications is only necessary when the ColdFusion pages must share application or session scope data with existing JSP pages and servlets.\n\nDisabling the ability for unnamed applications allows the Administrator Console and all the other hosted applications to be isolated from each other.",
374
+ "severity": "medium"
375
+ },
376
+ {
377
+ "id": "V-62469",
378
+ "title": "ColdFusion must not allow application variables to be added to Servlet Context.",
379
+ "description": "ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing data across applications, the applications are no longer isolated with one application affecting other applications. By disabling this capability, the hosted applications, including the Administrator Console, are isolated.",
380
+ "severity": "medium"
381
+ },
382
+ {
383
+ "id": "V-62471",
384
+ "title": "ColdFusion must enable UUID for session identifier generation.",
385
+ "description": "Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n\nColdFusion offers session ID randomness and uniqueness by enabling UUID for the session ID. Without this option enabled, session values are sequential and become easy to hijack through guessing.",
386
+ "severity": "medium"
387
+ },
388
+ {
389
+ "id": "V-62473",
390
+ "title": "ColdFusion must use J2EE session variables.",
391
+ "description": "Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n\nBy enabling J2EE session management, each session is given a unique and non-sequential session id which is shared between the JVM and the ColdFusion application allowing for easier session management. J2EE session management stores the session data within a cookie stored in memory which will only exist while the session is valid. When J2EE sessions management is not used, the cookie is stored on the hard drive allowing for a cookie that can be easily harvested by an attacker.",
392
+ "severity": "medium"
393
+ },
394
+ {
395
+ "id": "V-62475",
396
+ "title": "ColdFusion must set session cookies as browser session cookies.",
397
+ "description": "Generating a unique session identifier for each session inhibits an attacker from using an already authenticated session identifier that has not been invalidated. If an attacker is able to use an authenticated session, the attacker is given the privileges of the user who created the session. This may allow the attacker to generate user accounts for later use, change configuration settings, deploy an application or change application modules and code for already hosted applications, or see usernames for trusted relationships to other resources. It is important that each new session is given a new and unique session identifier and that old identifiers are discarded quickly.\n\nColdFusion offers the capability to set session Cookies and all other Cookies to browser cookies. This means all cookies become invalid once the browser window is closed instead of setting a time to live to the cookie. Setting the cookies to browser cookies will ensure the session identifier is invalidated once the user ends the session through closing the browser.",
398
+ "severity": "medium"
399
+ },
400
+ {
401
+ "id": "V-62477",
402
+ "title": "ColdFusion must provide a clustering capability.",
403
+ "description": "Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes.\n\nClustering of multiple ColdFusion servers is a common approach to providing fail-safe application availability when the system criticality requires redundancy.",
404
+ "severity": "medium"
405
+ },
406
+ {
407
+ "id": "V-62479",
408
+ "title": "ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.",
409
+ "description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification. DoD-approved CAs can be found in the “installroot” tool on https://iase.disa.mil or in the Windows certificate store of the Windows Secure Host Baseline image.\n\nColdFusion uses the underlying JVM and keystore for storing and certificates and for use within connections for data transfer. These certificates must be checked to ensure the certificates are from DoD PKI-established certificate authorities.",
410
+ "severity": "medium"
411
+ },
412
+ {
413
+ "id": "V-62481",
414
+ "title": "ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster.",
415
+ "description": "A mission critical system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A mission critical system must maintain the highest level of integrity and availability. By High Availability (HA) clustering the ColdFusion application server, the hosted application and data are given a platform that is load-balanced and provides high-availability. Most HA clusters consist of two nodes, which is the minimum required for redundancy, but HA clusters can consist of many more nodes.\n\nColdFusion does offer a clustering capability that must be used when the ColdFusion application server is part of a mission critical system.",
416
+ "severity": "medium"
417
+ },
418
+ {
419
+ "id": "V-62483",
420
+ "title": "ColdFusion must not store user information in the server registry.",
421
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to fill the server hard drive with data or to cause registry purges on a large registry. Filling the drive with data can be achieved if applications have client management enabled and client data is stored within the registry. If a scheduled purge is performed on the registry, ColdFusion must load the entire registry into memory and look at each entry to determine if the entry needs to be purged. The purging process can use all of the available memory and 100% of the CPU for a process that may only delete a few entries. Also, the registry is typically located on the system partition. Because of these factors, the use of the registry to store client sessions must not be used.",
422
+ "severity": "medium"
423
+ },
424
+ {
425
+ "id": "V-62485",
426
+ "title": "ColdFusion must limit the maximum number of Flash Remoting requests.",
427
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is Flash Remoting. Flash Remoting is a service that allows flash applications to interact with ColdFusion pages and, if being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When not in use, this setting must be set to 1.",
428
+ "severity": "medium"
429
+ },
430
+ {
431
+ "id": "V-62487",
432
+ "title": "ColdFusion must limit the SQL commands available.",
433
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nAllowing hosted applications to execute SQL commands that create tables, change permissions on objects, create stored procedures, or drop objects allow an attacker to put the hosted application into a posture where it may not work correctly, display error messages that contains sensitive data that was not tested for during development, or cause an application to be unable to authenticate users. Any of these situations puts the system into a situation where the user is denied service to the application. Giving applications only those SQL commands needed to operate on data reduces this risk.",
434
+ "severity": "high"
435
+ },
436
+ {
437
+ "id": "V-62489",
438
+ "title": "ColdFusion must set a query timeout for Data Sources.",
439
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to exhaust resources by executing a query that will never return or timeout. By having no timeout set, this type of DoS would be available to an attacker. By setting a value greater than 0 (0 means no timeout), the query would be stopped and the resources released.",
440
+ "severity": "medium"
441
+ },
442
+ {
443
+ "id": "V-62491",
444
+ "title": "ColdFusion must limit the maximum number of Web Service requests.",
445
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is Web Services. Web Services are services that allow an application to publish SOAP web services and when being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When not in use, this setting must be set to 1.",
446
+ "severity": "medium"
447
+ },
448
+ {
449
+ "id": "V-62493",
450
+ "title": "ColdFusion must limit the maximum number of CFC function requests.",
451
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is remote ColdFusion Component (CFC) requests. Remote CFC requests allow ColdFusion components to be called directly from an http/https url. If this feature is being used, the number of simultaneous requests should be tuned using load testing to find the optimal value for the setting. When the feature is not in use, the maximum number must be set to 1.",
452
+ "severity": "medium"
453
+ },
454
+ {
455
+ "id": "V-62495",
456
+ "title": "ColdFusion must limit the maximum number of simultaneous Report threads.",
457
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nReport threads are used to process reports concurrently. Since reporting in most applications is a process that is not time sensitive or heavily used, this setting should be minimized to minimize resource use on the application server and to minimize a method that could be used to exhaust resources by an attacker. Unless reporting is heavily used, the number of simultaneous report threads must be set to 1.",
458
+ "severity": "medium"
459
+ },
460
+ {
461
+ "id": "V-62497",
462
+ "title": "ColdFusion must limit the maximum number of threads available for CFTHREAD.",
463
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nOne way to cause a DoS for ColdFusion is to exhaust resources by using services that are not being monitored because of their nonuse by hosted applications. One of these services is the CFTHREAD function. CFTHREAD allows a programmer to create threads of code that execute independently. If this feature is being used, the maximum number of threads should be tuned. If set to high, this may lead to a context-switching situation. When this feature is not in use, the maximum number of threads must be 1.",
464
+ "severity": "medium"
465
+ },
466
+ {
467
+ "id": "V-62499",
468
+ "title": "ColdFusion must set a timeout for requests.",
469
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nThe \"Timeout Requests after\" setting is used to terminate requests that have not been fulfilled within the set time. This parameter prevents unusually long requests from occupying server resources and impairing performance or denying other requests. \nThis setting is system dependent and may be changed based on the performance capabilities of the underlying system hardware. Unless custom system tuning parameters are required and specifically documented, this value should be set to \"5\" or less. \nThe vendor also recommends the \"Timeout requests waiting in queue after\" setting be set to the same value.",
470
+ "severity": "medium"
471
+ },
472
+ {
473
+ "id": "V-62501",
474
+ "title": "ColdFusion must set a timeout for logins.",
475
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nThe \"Login Timeout\" setting is used to terminate login attempts on data sources that have not been fulfilled in the set time. This parameter prevents unusually long logins from occupying server resources and impairing performance. This value should be set to 5 or less and be less than or equal to the value for \"Timeout Requests after\" setting.",
476
+ "severity": "medium"
477
+ },
478
+ {
479
+ "id": "V-62503",
480
+ "title": "ColdFusion must limit the time-out for requests waiting in the queue.",
481
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nBy setting a timeout for requests in queue, the queue is kept clear and not filled by requests that can never be filled. If an attacker were able to fill the queue with requests that never expired, the system would eventually fail. For DoD systems, this setting must be set to 5 or lower and should match the \"Timeout Requests After\" value.",
482
+ "severity": "medium"
483
+ },
484
+ {
485
+ "id": "V-62505",
486
+ "title": "ColdFusion must have a custom request queue time-out page.",
487
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nLimiting the knowledge given to an attacker about the effects of his attack and possible solutions to further his attack is important. This is especially important when the attacker is trying to find the limits needed to exhaust resources and cause a DoS. To limit feedback to the attacker on his efforts, a custom time-out page should be used. The message returned should only inform the user that they should wait and retry their request again. The message must not disclose that the queue timed out.",
488
+ "severity": "low"
489
+ },
490
+ {
491
+ "id": "V-62507",
492
+ "title": "ColdFusion must limit the maximum number of POST requests parameters.",
493
+ "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server must employ defined security safeguards. These safeguards will be determined by the placement of the application server and the type of applications being hosted within the application server framework.\n\nLimiting the number of POST requests to the maximum number of form fields on any given page within the hosted application is used to mitigate the DoS attack known as HashDOS. \n\nColdFusion provides the postParameterLimit setting to address this risk. This is a tunable parameter that should be set as low as the application and the hardware will allow. \n\nIf the system administrator has not documented and identified the specific setting value based on their specific application and system tuning requirements, this parameter must be set to \"50\" or less.\n",
494
+ "severity": "medium"
495
+ },
496
+ {
497
+ "id": "V-62509",
498
+ "title": "ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.",
499
+ "description": "Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), but care must also be taken to safeguard against non-FIPS approved SSL versions being used. These older versions contain vulnerabilities that have been addressed in the newer FIPS 140-2 approved TLS releases.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\nTLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.\n\nColdFusion uses JVM to control the encryption of transmitted data. Settings for JVM can be controlled within the Administrator Console to configure the JVM to only use FIPS 140-2 approved TLS and disable non-FIPS SSL versions.",
500
+ "severity": "medium"
501
+ },
502
+ {
503
+ "id": "V-62511",
504
+ "title": "ColdFusion must encrypt cookies.",
505
+ "description": "Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).\n\nTransmission of session cookies is especially important since an attacker can grab the session id and hijack the already authenticated session. There are several methods to protect cookie data, and one of those methods is to encrypt the cookie. This can only be done if all the hosted sites are SSL/TLS enabled.",
506
+ "severity": "medium"
507
+ },
508
+ {
509
+ "id": "V-62513",
510
+ "title": "ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.",
511
+ "description": "Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.\n\nIf data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.\n\nColdFusion uses the underlying JVM to handle transmission and receiving of data, but ColdFusion does offer to the programmer an encrypt API call to protect the data. This call can use multiple crypto methods, but using FIPS 140-2 is superior to those non-FIPS crypto methods to protect and detect changes to the data. Through JVM arguments set within ColdFusion, the programmer can be forced to only FIPS crypto methods.",
512
+ "severity": "medium"
513
+ },
514
+ {
515
+ "id": "V-62515",
516
+ "title": "ColdFusion must encrypt patch retrieval.",
517
+ "description": "Checking for patches and downloading those patches for installation must be done through an encrypted connection to protect the patch from modification during transmission and to avoid spoofed updates.",
518
+ "severity": "medium"
519
+ },
520
+ {
521
+ "id": "V-62517",
522
+ "title": "ColdFusion must protect Session Cookies from being read by scripts.",
523
+ "description": "A cookie can be read by client-side scripts easily if cookie properties are not set properly during preparation for transmission. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HTTPOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.",
524
+ "severity": "medium"
525
+ },
526
+ {
527
+ "id": "V-62519",
528
+ "title": "ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.",
529
+ "description": "Information can be either unintentionally or maliciously disclosed if not protected during preparation for transmission. An easy way to protect data during preparation for transmission is to use non-default identifiers for data. An example is for JavaScript Object Notation (JSON) to use a prefix other than the default \"JSON\" prefix, signifying to an attacker an array of data is following.\n\nJSON is a lightweight data-interchange format.",
530
+ "severity": "high"
531
+ },
532
+ {
533
+ "id": "V-62521",
534
+ "title": "ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.",
535
+ "description": "Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.\n\nColdFusion uses an underlying JVM for communication and certificate storage. To validate that the proper certificates are in use, the keystore must be checked.",
536
+ "severity": "medium"
537
+ },
538
+ {
539
+ "id": "V-62523",
540
+ "title": "The ColdFusion missing template handler must be valid.",
541
+ "description": "The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. \n\nThe missing template handler is used much like the 404 handler for a web server. When the missing template handler is blank, a potential attacker may be sent information that reveals the ColdFusion version number. Once the attacker has the version of ColdFusion being used, he can begin looking for specific attacks the version may be vulnerable to if not patched and secured properly.",
542
+ "severity": "medium"
543
+ },
544
+ {
545
+ "id": "V-62525",
546
+ "title": "The ColdFusion site-wide error handler must be valid.",
547
+ "description": "The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. \n\nWhen the site-wide error handler is blank, information can be presented to an attacker that may expose the cause of exceptions. Having this information, the attacker can then begin attacking this error trying to get the server to fail and cause a DoS, expose PII, or gain access to server resources. A custom site-wide error handler should be created and used that discloses the same generic message to the user for all exceptions and the error must be logged so that the error can be investigated.",
548
+ "severity": "medium"
549
+ },
550
+ {
551
+ "id": "V-62527",
552
+ "title": "ColdFusion must have Robust Exception Information disabled.",
553
+ "description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team.\n\nColdFusion is a development and deployment framework. To handle this role properly, ColdFusion offers several debugging and logging facilities that must be disabled in a production environment. If left enabled, these settings can expose sensitive data within error and log messages.",
554
+ "severity": "high"
555
+ },
556
+ {
557
+ "id": "V-62529",
558
+ "title": "ColdFusion must have AJAX Debug Log Window disabled.",
559
+ "description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team.\n\nAllowing the AJAX Debug Log Window to be enabled allows a user to send AJAX debug messages back to a client. The log data sent is meant to be used in a development environment and used to fix errors in AJAX code. Once the application is developed and is moved to production, debugging is not needed and this feature must be disabled.",
560
+ "severity": "high"
561
+ },
562
+ {
563
+ "id": "V-62531",
564
+ "title": "ColdFusion must have Request Debugging Output disabled.",
565
+ "description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team.\n\nThe option to enable request debugging output is another tool that a developer can use during the development phase of the hosted application. This feature appends debugging information to the end of each CFML request. Once a hosted application is moved from the development phase to production, the need for debug information is no longer valid.",
566
+ "severity": "high"
567
+ },
568
+ {
569
+ "id": "V-62533",
570
+ "title": "ColdFusion must have Allow Line Debugging disabled.",
571
+ "description": "Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team.\n\nThe option to allow line debugging is enabled when a developer wants to trace code through a debugger such as Eclipse. Debugging must not be performed on a production server, and this option must be disabled.",
572
+ "severity": "high"
573
+ },
574
+ {
575
+ "id": "V-62535",
576
+ "title": "The ColdFusion error messages must be restricted to only authorized users.",
577
+ "description": "If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nApplication servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.",
578
+ "severity": "medium"
579
+ },
580
+ {
581
+ "id": "V-62537",
582
+ "title": "ColdFusion must have ColdFusion component (CFC) type checking enabled.",
583
+ "description": "Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nInvalid input can also occur within applications to ColdFusion components. The parameters can be input from users that are not properly type checked or from data computed within the application. When the data is not type checked, the receiving component may cause an error that is unhandled or throw an exception that puts the application server and/or hosted application into an unsecure posture. To limit invalid calls, ColdFusion component (CFC) type checking must be disabled.",
584
+ "severity": "medium"
585
+ },
586
+ {
587
+ "id": "V-62539",
588
+ "title": "ColdFusion must enable Global Script Protection.",
589
+ "description": "Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nInvalid inputs are also used for Cross-Site Scripting (XSS) attacks. This type of attack relies on the attacker being able to insert script code into an input field and having the script executed on the client machine. By enabling Global Script Protection, there is a very limited protection against certain Cross-Site Scripting attack vectors. It is important to understand that enabling this setting does not protect hosted applications from all possible Cross-Site Scripting attacks. \n\nWhen this setting is turned on, it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags: object, embed, script, applet, and meta with Invalid Tag. This setting does not restrict any JavaScript strings that may be injected and executed, iframe tags, or any XSS obfuscation techniques.",
590
+ "severity": "medium"
591
+ },
592
+ {
593
+ "id": "V-62541",
594
+ "title": "ColdFusion must remove software components after updated versions have been installed.",
595
+ "description": "Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from the application server after updates have been installed, an attacker may use the older components to exploit the system.\n\nColdFusion creates a backup directory for an update when installed. This backup directory allows the SA to uninstall the update if an error occurs or incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.",
596
+ "severity": "medium"
597
+ },
598
+ {
599
+ "id": "V-62543",
600
+ "title": "ColdFusion must be set to automatically check for updates.",
601
+ "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.\n\nHaving \"Automatically Check for Updates\" checked causes ColdFusion to look for updates on every logon.",
602
+ "severity": "low"
603
+ },
604
+ {
605
+ "id": "V-62545",
606
+ "title": "ColdFusion must have notifications enabled when a server update is available.",
607
+ "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. To configure the software to discover that a new patch is available is important since administrators may be responsible for multiple servers running different applications and services, making it difficult for the administrator to constantly check for updates. Enabling the automatic check informs the administrator, allows him to investigate the patch and what is needed to apply the patch and schedule any outages that might be needed, thereby permitting the patch to be installed quickly and efficiently.\n\nHaving \"Check for updates every\" checked causes ColdFusion to look for updates every set number of days. Entering a list of email addresses to notify guarantees a notification is sent to the administrator.",
608
+ "severity": "low"
609
+ }
610
+ ]
611
+ }