An error occurred:

Check: APAS-CF-001055

Adobe ColdFusion STIG: APAS-CF-001055 (in version v1 r1)

Title

ColdFusion must be configured to enable Cross-Origin Resource Sharing (CORS) to allow mobile applications to access resources from different origins securely. (Cat II impact)

Discussion

CORS is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. However, mobile applications often need to access resources from different origins. Enabling CORS allows the server to specify which origins are permitted to access its resources, thereby ensuring secure communication between the mobile application and the server. In ColdFusion, administrators can configure ColdFusion to enable CORS by specifying the allowed origins, methods, and headers. This setting enhances the security of the application by ensuring that only trusted origins can access the server's resources, thereby preventing unauthorized access and data breaches. Satisfies: SRG-APP-000516-AS-000237, SRG-APP-000141-AS-000095

Check Content

Validate Mobile Services settings. 1. Ask the administrator if ColdFusion Mobile services are being used by any hosted applications. If hosted applications are using the service, this is not a finding. 2. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If "Enable mobile's server workflow" is checked, this is a finding. 3. Review the "Enable CORS" setting. If CORS is not enabled, this is a finding. 4. Review the "Mobile server context" setting. If the mobile server context is set to "cfmobile", this is a finding.

Fix Text

Configure Mobile Services settings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. 2. Uncheck "Enable mobile's server workflow" if it is checked. 3. Enable CORS to address this finding if it is not already enabled. 4. Update the mobile server context to a value other than "cfmobile" if it is currently set to "cfmobile". 5. Select "Submit Changes".

Additional Identifiers

Rule ID: SV-279107r1171430_rule

Vulnerability ID: V-279107

Group Title: SRG-APP-000516-AS-000237

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings
CM-7

Least Functionality