STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide, Version: 1, Release: 4, Benchmark Date: 26 Jan 2018

ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

DISA Rule

SV-76943r1_rule

Vulnerability Number

V-62453

Group Title

SRG-APP-000156-AS-000106

Rule Version

CF11-04-000129

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If web services are not published, this finding is not applicable.

If web services are published, but the SOAP protocol is not used, this finding is not applicable.

If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable.

Install the ws-security suite to secure access to sensitive data.

Check Contents

Determine if web services are published using the SOAP protocol to access sensitive data. This may be determined by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation.

If web services are not published, this finding is not applicable.

If web services are published, but the SOAP protocol is not used, this finding is not applicable.

If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable.

Determine if the ws-security suite is in place to provide secure authentication to the sensitive data by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation.

If web services are published using the SOAP protocol to access sensitive data and the ws-security suite is not used to secure the access, this is a finding.

Documentable

False

Severity Override Guidance

Determine if web services are published using the SOAP protocol to access sensitive data. This may be determined by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation.

If web services are not published, this finding is not applicable.

If web services are published, but the SOAP protocol is not used, this finding is not applicable.

If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable.

Determine if the ws-security suite is in place to provide secure authentication to the sensitive data by interviewing the administrator or by reviewing hosted application code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation.

If web services are published using the SOAP protocol to access sensitive data and the ws-security suite is not used to secure the access, this is a finding.

Check Content Reference

M

Target Key

2661
