ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62415	CF11-03-000101	SV-76905r1_rule		Medium

Description
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server.

Description

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-12-31

Details

Check Text ( C-63219r1_chk )
Ask the administrator if LiveCycle Data Services ES are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If "Enable Remote Adobe LiveCycle Data Management access" is checked, this is a finding.

Fix Text (F-68335r1_fix)
Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck "Enable Remote Adobe Live Cycle Data Management access" and select the "Submit Changes" button.