STIGhub


V-279043

CAT III (Low)

ColdFusion must have example services removed.

Rule ID

SV-279043r1171348_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381

Discussion

ColdFusion is installed with sample data services, gateway services, collections, and mappings. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Leaving them available on a production system gives an attacker a gateway into ColdFusion and into systems connected to ColdFusion. To correct this issue, sample code and services must be deleted.

Check Content

Verify Sample Services have been removed.

1. From the Admin Console Landing Screen, navigate to Data & Services.

In the Data Sources tab, if the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding.

In the ColdFusion Collections tab, if the bookclub collection exists, this is a finding.

In the GraphQL tab, if the service "myservice" with the path "https://apollo-fullstack-tutorial.herokuapp.com/graphql" exists, this is a finding.

2. Navigate to Event Gateways.

In the Gateway Instances tab, if the Gateway Instance SMS Menu App exists, this is a finding.

Fix Text

Remove Sample Services.

1. From the Admin Console Landing Screen, navigate to Data & Services.

a. In the Data Sources tab, delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples.

b. In the ColdFusion Collections tab, delete the bookclub collection.

c. In the GraphQL tab, delete the service "myservice" with the path "https://apollo-fullstack-tutorial.herokuapp.com/graphql".

2. Navigate to Event Gateways.

a. In the Gateway Instances tab, delete the Gateway Instance SMS Menu App.