ColdFusion must disable Flash Remoting support.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62407 | CF11-03-000097 | SV-76897r1_rule | High |
| Description |
|---|
| Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Flash Remoting allows a Flash client to connect to the ColdFusion server and invoke ColdFusion Components (CFCs). Allowing this service to be enabled when not needed by hosted applications and when ColdFusion server monitoring is not being used provides an avenue for an attacker to gain access to the server. |
| STIG | Date |
|---|---|
| Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-12-31 |
Details
| Check Text ( C-63211r1_chk ) |
|---|
| Ask the administrator if ColdFusion server monitoring is being used or if flex remoting is being used by any hosted applications. If ColdFusion server monitoring is being used or hosted applications are using flash remoting, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If the "Enable Flash Remoting" option is checked, this is a finding. |
| Fix Text (F-68327r1_fix) |
|---|
| Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck the "Enable Flash Remoting" option and select the "Submit Changes" button. |