Check: CF11-01-000004
Adobe ColdFusion 11 STIG: CF11-01-000004 (in versions v2 r1 through v1 r2)
Title
ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service. (Cat II impact)
Discussion
Protecting data sent to the PDF Service for PDF document creation keeps it from being read or modified before the document is created and returned to the requesting application. This protection can be implemented by using HTTPS instead of the plaintext HTTP transport protocol.
Check Content
Access the "PDF Service" page under the "Data & Services" menu within the Administrator Console. If there are no PDF Service Managers defined, the finding is not applicable. If any PDF Service Managers listed have "Https Enabled" set to "NO", this is a finding.
Fix Text
If there are no PDF Service Managers in use, the finding is not applicable. Access the "PDF Service" page under the "Data & Services" menu within the Administrator Console. Edit each service and check the "Https Enabled" option.
Additional Identifiers
Rule ID: SV-237138r641509_rule
Vulnerability ID: V-237138
Group Title: SRG-APP-000015-AS-000010
CCIs
Number | Definition |
---|---|
CCI-001453 | Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17(2) | Protection of Confidentiality / Integrity Using Encryption |