UCF STIG Viewer Logo

CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251623 IDMS-DB-000520 SV-251623r807736_rule Medium
Description
When the use of dynamic SQL is necessary, the code should be written so that the invalid data can be found and the appropriate action taken.
STIG Date
CA IDMS Security Technical Implementation Guide 2022-09-07

Details

Check Text ( C-55058r807734_chk )
If dynamic code execution is used and identified user input is not validity checked user input, this is a finding.

If SQL-defined tables, DISPLAY TABLE . . If there is not a CHECK for the columns and accompanying accepted values, this is a finding.

If network-defined records, DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding.

If the procedure does not validate the non-exempt columns, this is a finding.

Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
Fix Text (F-55012r807735_fix)
For SQL-defined tables, ALTER TABLE . ADD CHECK (search-condition).

For network-defined records, MODIFY CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values.

Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.