STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279075

CAT I (High)

ColdFusion must control remote access to Exposed Services.

Rule ID

SV-279075r1171564_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002314, CCI-000366

Discussion

ColdFusion exposes many existing services as web services. These services, such as cfpdf, cfmail, and cfpop, can be accessed by users and applications written in languages and technologies other than ColdFusion CFML. To invoke the services, the client must be on the allowed IP list and have a user account with the proper privileges to the exposed services. Exposing these services expands the security risk and potential for compromise of the ColdFusion application server. If a need arises for these services, the list of allowed IP addresses must be specified and limited to only those requiring access.

Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000516-AS-000237

Check Content

Verify Allowed IP Addresses for Exposed Services.

1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses.

2. If there are any entries in the "Allowed IP Addresses for Exposed Services" section, validate with the system administrator (SA) that the IP addresses and subnets specified require access.

If an unauthorized subnet/IP address or wildcard value is present, this is a finding.

Fix Text

Configure Allowed IP Addresses for Exposed Services.

1. From the Admin Console Landing Screen, navigate to Security >> Allowed IP Addresses. Only those IP addresses or subnets that have access to Exposed Services must be listed.

2. Remove any IP addresses that are blank (NULL) or set to a wildcard value.
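The check and fix above are performed in the Admin Console, but the same review can be scripted when the "Allowed IP Addresses for Exposed Services" entries are copied out as plain strings. The following is an added example, not part of the STIG or of Adobe's tooling; the entries and the SA-approved network list are constructed placeholders, and it treats any entry containing `*` as a wildcard value and any blank or "NULL" entry as a finding, matching the fix text.

```python
import ipaddress

# Constructed sample: entries as they might be copied from the
# "Allowed IP Addresses for Exposed Services" screen (hypothetical values).
SAMPLE_ENTRIES = ["10.10.5.21", "10.10.5.0/24", "", "192.168.*.*", "203.0.113.7"]

# Networks the SA has confirmed require access (hypothetical approved list).
SAMPLE_APPROVED = ["10.10.5.0/24"]


def audit_allowed_ips(entries, approved_networks):
    """Return a list of (entry, reason) findings for the allowed-IP list.

    A finding is raised for blank/NULL entries, wildcard values, entries
    that do not parse as an address or subnet, and any address or subnet
    that is not wholly contained in an SA-approved network.
    """
    approved = [ipaddress.ip_network(n, strict=False) for n in approved_networks]
    findings = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.upper() == "NULL":
            findings.append((raw, "blank/NULL entry"))
            continue
        if "*" in entry:
            findings.append((raw, "wildcard value"))
            continue
        try:
            # A bare address parses as a /32 (or /128) network.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((raw, "unparseable entry"))
            continue
        # subnet_of() only compares networks of the same IP version.
        if not any(net.version == a.version and net.subnet_of(a) for a in approved):
            findings.append((raw, "not in SA-approved list"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_allowed_ips(SAMPLE_ENTRIES, SAMPLE_APPROVED):
        print(f"FINDING: {entry!r}: {reason}")
```

An empty result means every listed entry is a specific address or subnet inside the approved networks; anything returned is a candidate finding to raise with the SA.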