ColdFusion must control remote access to Exposed Services.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62361 | CF11-01-000017 | SV-76851r1_rule | Medium |
| Description |
|---|
| ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, then the list of allowed IP addresses must be specified and limited to only those requiring access. |
| STIG | Date |
|---|---|
| Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-12-31 |
Details
| Check Text ( C-63165r1_chk ) |
|---|
| Within the Administrator Console, navigate to the "Allowed IP Addresses" page under the "Security" menu. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the SA that the IP addresses and subnets specified require access. If any of the IP addresses or subnets specified do not require access, this is a finding. |
| Fix Text (F-68281r1_fix) |
|---|
| Navigate to the "Allowed IP Addresses" page under the "Security" menu. Remove all entries from the list under the "Allowed IP Addresses for Exposed Services" section that do not require access to ColdFusion services. |