Check: CF11-04-000129
Adobe ColdFusion 11 STIG: CF11-04-000129 (in versions v2 r1 through v1 r2)
Title
ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. (Cat II impact)
Discussion
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. Many web services use SOAP, which in turn uses XML for message encoding and HTTP as a transport. Natively, SOAP provides no security protections, so the application server must provide security extensions that enhance SOAP and ensure that secure authentication mechanisms protect sensitive data. The WS-Security suite is a widely used and acceptable SOAP security extension. ColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the WS-Security suite to enhance SOAP through Java web services and configure the WS-Security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.
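Added example (not ColdFusion's, the STIG's or any WS-Security library's code): a small Python verifier for the WS-Security UsernameToken digest profile, showing the server-side checks that make the SOAP authentication described above replay-resistant in the sense of CCI-001941: digest-only passwords, a freshness window on wsu:Created, and a nonce cache. The credential store, the service account and the sample envelope are constructed for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
USERS = {"svc-reports": "correct horse battery staple"}  # hypothetical credential store
MAX_SKEW = timedelta(minutes=5)  # tolerated drift between the client's Created and the server clock

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # wsu:Created uses a trailing Z; fromisoformat wants an offset

def make_digest(nonce_b64, created, password):
    # PasswordDigest = Base64(SHA-1(nonce || created || password)), nonce as its decoded bytes.
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce_b64, created):
    # Constructed sample request in the shape a UsernameToken digest-profile client sends.
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{make_digest(nonce_b64, created, password)}</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

def verify_envelope(xml_text, seen_nonces, now):
    tok = ET.fromstring(xml_text).find(".//wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False, "no UsernameToken"
    user = tok.findtext("wsse:Username", default="", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    nonce = tok.findtext("wsse:Nonce", default="", namespaces=NS)
    created = tok.findtext("wsu:Created", default="", namespaces=NS)
    if pw is None or pw.get("Type") != DIGEST or user not in USERS or not nonce or not created:
        return False, "malformed token or non-digest password"
    # Freshness: a Created time outside the skew window is stale, whatever the digest says.
    if abs(now - parse_ts(created)) > MAX_SKEW:
        return False, "stale token"
    # Replay resistance (CCI-001941): seen_nonces is the server's cache; a nonce is honoured once per window.
    if nonce in seen_nonces:
        return False, "replayed nonce"
    try:
        expected = make_digest(nonce, created, USERS[user])
    except ValueError:  # binascii.Error is a ValueError: the nonce was not valid Base64
        return False, "malformed nonce"
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad digest"
    seen_nonces.add(nonce)
    return True, "ok"
```

The nonce cache only needs to retain entries for the length of MAX_SKEW, since anything older is rejected as stale before the cache is consulted.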
Check Content
Determine whether web services are published using the SOAP protocol to access sensitive data. This may be determined by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation, or ColdFusion baseline documentation. If web services are not published, this finding is not applicable. If web services are published but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Determine whether the WS-Security suite is in place to provide secure authentication to the sensitive data by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation, or ColdFusion baseline documentation. If web services are published using the SOAP protocol to access sensitive data and the WS-Security suite is not used to secure that access, this is a finding.
Fix Text
If web services are not published, this finding is not applicable. If web services are published but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Otherwise, install the WS-Security suite to secure access to the sensitive data.
Additional Identifiers
Rule ID: SV-237190r641665_rule
Vulnerability ID: V-237190
Group Title: SRG-APP-000156-AS-000106
CCIs
Number | Definition
---|---
CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
Controls
Number | Title
---|---
IA-2(8) | Network Access to Privileged Accounts - Replay Resistant