CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-251623 | SRG-APP-000251-DB-000392 | IDMS-DB-000520 | SV-251623r961158_rule | 2024-09-13 | 2 |
| Description |
|---|
| When the use of dynamic SQL is necessary, the code should be written so that the invalid data can be found and the appropriate action taken. |
| ℹ️ Check |
|---|
| If dynamic code execution is used and identified user input is not validity checked user input, this is a finding. If SQL-defined tables, DISPLAY TABLE <schema-name>.<table-name> . If there is not a CHECK for the columns and accompanying accepted values, this is a finding. If network-defined records, DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid. |
| ✔️ Fix |
|---|
| For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid. |