Title

ColdFusion must disable Flash Remoting support. (Cat I impact)

Discussion

Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. Flash Remoting allows a Flash client to connect to the ColdFusion server and invoke ColdFusion Components (CFCs). Allowing this service to be enabled when not needed by hosted applications and when ColdFusion server monitoring is not being used provides an avenue for an attacker to gain access to the server.

Check Content

Ask the administrator if ColdFusion server monitoring is being used or if flex remoting is being used by any hosted applications. If ColdFusion server monitoring is being used or hosted applications are using flash remoting, this is not a finding. Within the Administrator Console, navigate to the "Flex Integration" page under the "Data & Services" menu. If the "Enable Flash Remoting" option is checked, this is a finding.

Fix Text

Navigate to the "Flex Integration" page under the "Data & Services" menu. Uncheck the "Enable Flash Remoting" option and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237167r641596_rule

Vulnerability ID: V-237167

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.