Title

ColdFusion must have Remote Adobe LiveCycle Data Management access disabled. (Cat II impact)

Discussion

Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Remote Adobe LiveCycle Data Management access allows LiveCycle Data Services ES to connect to the ColdFusion server through RMI and use CFCs to read and update data that supports a Flex application. If this feature is not needed for hosted applications and is enabled, an attacker could use this feature to compromise the ColdFusion server.

Check Content

Ask the administrator if LiveCycle Data Services ES are being used by any hosted applications. If hosted applications are using the service, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If "Enable Remote Adobe LiveCycle Data Management access" is checked, this is a finding.

Fix Text

Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck "Enable Remote Adobe Live Cycle Data Management access" and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237171r641608_rule

Vulnerability ID: V-237171

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.