An error occurred:

Check: APAS-CF-000580

Adobe ColdFusion STIG: APAS-CF-000580 (in version v1 r1)

Title

ColdFusion must control remote access to the Administrator Console. (Cat II impact)

Discussion

Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by logging connection activities of remote users. By default, localhost and all IP addresses can access the Administrator Console. Depending on the authentication method (i.e., single password, separate username and password per user, or no authentication needed), any user from any network can access the console and make changes to the server configuration relying only on the authentication method configured for the installation. By limiting the IP addresses that can connect, the administration console can be hosted to a management network and only accessed via that network, further reducing the exposure of the Administrator Console.

Check Content

Verify Allowed IP Addresses for Console. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. If the list of allowed IP addresses is blank (NULL), is set to a wildcard value, or contains IP addresses/subnets that should not have access, this is a finding.

Fix Text

Configure Allowed IP Addresses for Console. 1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. 2. Add allowed IP addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories (only IP addresses or subnets that should be capable of reaching the Administrator Console). 3. Remove any IP addresses that are blank (NULL) or set to a wildcard value.

Additional Identifiers

Rule ID: SV-279074r1171609_rule

Vulnerability ID: V-279074

Group Title: SRG-APP-000315-AS-000094

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002314

Employ automated mechanisms to control remote access methods.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17(1)

Monitoring and Control