
ColdFusion must transmit only encrypted representations of passwords for Flex Integration.


Overview

Finding ID: V-62455
Version: CF11-04-000133
Rule ID: SV-76945r1_rule
IA Controls:
Severity: Medium
Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion offers RMI communication between Flex and ColdFusion. The communication between the two will require authentication data. When authentication data is transmitted, the data must be encrypted to protect it from discovery. This can be done by enabling RMI over SSL within the Administrator Console.
STIG: Adobe ColdFusion 11 Security Technical Implementation Guide
Date: 2017-12-31

Details

Check Text (C-63259r1_chk)
Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. Ask the administrator if Flex is being used and if user credentials are being used for authentication.

If user credentials are being used for Flex authentication to ColdFusion and "Enable RMI over SSL for Data Management" is not checked, this is a finding.
Fix Text (F-68375r1_fix)
Navigate to the "Flex Integration" page under the "Data & Services" menu. Check "Enable RMI over SSL for Data Management" and select the "Submit Changes" button.