Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62415 | CF11-03-000101 | SV-76905r1_rule | Medium |
Description |
---|
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2016-09-21 |
Check Text ( C-63219r1_chk ) |
---|
Ask the administrator if LiveCycle Data Services ES are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If "Enable Remote Adobe LiveCycle Data Management access" is checked, this is a finding. |
Fix Text (F-68335r1_fix) |
---|
Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck "Enable Remote Adobe Live Cycle Data Management access" and select the "Submit Changes" button. |