CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251621	IDMS-DB-000500	SV-251621r808358_rule		Medium

Description
Dynamic SQL statements are compiled at runtime and, if manipulated by an unauthorized user, can produce an innumerable array of undesired results. These statements should not be used casually.

STIG	Date
CA IDMS Security Technical Implementation Guide	2022-09-07

Details

Check Text ( C-55056r807728_chk )
If EXECUTE IMMEDIATE, PREPARE, and EXECUTE statements are found while reviewing source code in applications, procedures, and exits in code that does not require it, this is a finding.

Fix Text (F-55010r807729_fix)
Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.). Since security checks are issued by CA IDMS as it executes the commands and the authorization permissions are cached for the life of the transaction or task, whichever ends first. The use of strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.

Fix Text (F-55010r807729_fix)

Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.). Since security checks are issued by CA IDMS as it executes the commands and the authorization permissions are cached for the life of the transaction or task, whichever ends first. The use of strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.