ColdFusion must control remote access to Exposed Services.

Overview

Finding ID · Version · Rule ID · IA Controls · Severity
V-279075 · 5 · APAS-CF-000585 · SV-279075r1171564_rule · CCI-002314 · high
Description
ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in other languages and technologies than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access.

Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237

STIG · Date
Adobe ColdFusion Security Technical Implementation Guide · 2025-12-19

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 · 1 mapping
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 · 1 mapping
3.1.12
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI · 1 mapping
CCI-002314
1.00
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-279075r1171564_chk)

Verify Allowed IP Addresses for Exposed Services.

1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.

2. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the system administrator (SA) that the IP addresses and subnets specified require access.

If an unauthorized subnet/IP address or wildcard value is present, this is a finding.

Fix Text (F-83528r1171393_fix)

Configure Allowed IP Addresses for Exposed Services.

1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. Only those IP addresses or subnets that have access to Exposed Services must be listed.

2. Remove any IP addresses that are blank (NULL) or set to a wildcard value.
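The check and fix above are manual Admin Console steps; the following added example (not part of the STIG or of ColdFusion itself) shows the same validation as a script an assessor can run against the entries copied out of the "Allowed IP Addresses for Exposed Services" list. It assumes the entries are available as plain strings and that the SA's approved subnets are known; the sample entries and approved list are constructed.

```python
import ipaddress

# Constructed sample: entries as they might appear in the Exposed Services
# allowed-IP list, including the blank and wildcard cases the STIG flags.
SAMPLE_ENTRIES = ["10.20.30.40", "10.20.31.0/24", "", "192.168.*.*",
                  "0.0.0.0/0", "203.0.113.7"]
# Constructed sample: subnets the SA confirmed actually need access.
SAMPLE_APPROVED = ["10.20.30.0/24", "10.20.31.0/24"]


def audit_allowed_ips(entries, approved):
    """Return a list of (entry, reason) tuples for every entry that is a finding.

    A finding is a blank (NULL) entry, a wildcard entry, a /0 network that
    matches every address, an unparseable value, or an address/subnet that is
    not contained in any SA-approved subnet.
    """
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            findings.append((raw, "blank (NULL) entry"))
            continue
        if "*" in entry:
            findings.append((entry, "wildcard value"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "unparseable entry"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches all addresses (/0)"))
            continue
        # subnet_of only compares networks of the same IP version.
        if not any(net.version == a.version and net.subnet_of(a)
                   for a in approved_nets):
            findings.append((entry, "not on the SA-approved list"))
    return findings


def is_finding(entries, approved):
    """True when the list would be reported as a finding under this rule."""
    return bool(audit_allowed_ips(entries, approved))


if __name__ == "__main__":
    for entry, reason in audit_allowed_ips(SAMPLE_ENTRIES, SAMPLE_APPROVED):
        print(f"FINDING: {entry!r}: {reason}")
```

Entries that survive the audit are exactly those the fix text allows to remain: concrete addresses or subnets that fall inside what the SA approved.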