ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000156-AS-000106

Associated with: CCI-001941

SV-76943r1_rule ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

Vulnerability discussion

Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data.Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension.ColdFusion offers SOAP capabilities but does not offer any type of security for these services. In order to extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.

Check content

Determine if web services are published using the SOAP protocol to access sensitive data. This may be determined by interviewing the administrator or by reviewing hosted applications code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation. If web services are not published, this finding is not applicable. If web services are published, but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Determine if the ws-security suite is in place to provide secure authentication to the sensitive data by interviewing the administrator or by reviewing hosted applications code, hosted application design documentation, published web services design documentation or ColdFusion baseline documentation. If web services are published using the SOAP protocol to access sensitive data and the ws-security suite is not used to secure the access, this is a finding.

Fix text

If web services are not published, this finding is not applicable. If web services are published, but the SOAP protocol is not used, this finding is not applicable. If web services are published and the SOAP protocol is used to access data, but the data is not sensitive, this finding is not applicable. Install the ws-security suite to secure access to sensitive data.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer