Check: APAS-CF-000585
Adobe ColdFusion STIG:
APAS-CF-000585
(in version v1 r1)
Title
ColdFusion must control remote access to Exposed Services. (Cat I impact)
Discussion
ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in languages and technologies other than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access.
Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237
Check Content
Verify Allowed IP Addresses for Exposed Services.
1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.
2. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the system administrator (SA) that the IP addresses and subnets specified require access.
If an unauthorized subnet/IP address or wildcard value is present, this is a finding.
Fix Text
Configure Allowed IP Addresses for Exposed Services.
1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. Only those IP addresses or subnets that have access to Exposed Services must be listed.
2. Remove any IP addresses that are blank (NULL) or set to a wildcard value.
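The check and fix above reduce to three tests on each entry in the "Allowed IP Addresses for Exposed Services" list: blank, wildcard, or outside what the SA has approved. The following audit helper, added here as an example and not part of the STIG or of ColdFusion, applies those tests to a constructed export of the list; the entries and the approved subnets are sample data, and the function and list names are assumptions.

```python
import ipaddress

# Constructed sample of the "Allowed IP Addresses for Exposed Services" list as an
# auditor might transcribe it from the ColdFusion Administrator (not real data).
CONFIGURED_ENTRIES = ["10.20.30.5", "10.20.31.0/24", "", "*", "192.168.5.7", "10.20.*.*"]

# Constructed list of addresses/subnets the SA has documented as requiring access.
APPROVED_NETWORKS = ["10.20.30.0/24", "10.20.31.0/24"]


def audit_allowed_ips(configured, approved):
    """Classify each configured entry; anything returned is a finding under APAS-CF-000585."""
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = {"blank": [], "wildcard": [], "unauthorized": []}
    for raw in configured:
        entry = raw.strip()
        if not entry:                      # blank (NULL) entry: Fix Text step 2
            findings["blank"].append(raw)
            continue
        if "*" in entry:                   # wildcard value: Fix Text step 2
            findings["wildcard"].append(entry)
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # a bare host becomes a /32 or /128
        except ValueError:
            findings["unauthorized"].append(entry)  # unparsable: cannot be shown as approved
            continue
        # Approved only if it lies wholly inside some SA-approved subnet of the same IP version
        if not any(net.subnet_of(a) for a in approved_nets if a.version == net.version):
            findings["unauthorized"].append(entry)
    return findings


def is_finding(findings):
    """True when any category is non-empty, i.e. the check results in a finding."""
    return any(findings.values())


if __name__ == "__main__":
    result = audit_allowed_ips(CONFIGURED_ENTRIES, APPROVED_NETWORKS)
    for reason, entries in result.items():
        print(f"{reason}: {entries}")
    print("FINDING" if is_finding(result) else "NOT A FINDING")
```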
Additional Identifiers
Rule ID: SV-279075r1171564_rule
Vulnerability ID: V-279075
Group Title: SRG-APP-000315-AS-000094
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
| CCI-002314 | Employ automated mechanisms to control remote access methods. |