CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-251623 | IDMS-DB-000520 | SV-251623r961158_rule | (none listed) | Medium |
Description |
When the use of dynamic SQL is necessary, the code should be written so that invalid input data is detected before it is executed or stored and the appropriate action is taken. |
STIG | Date |
CA IDMS Security Technical Implementation Guide | 2024-09-13 |
Details
Check Text (C-55058r807734_chk) |
If dynamic code execution is used and the identified user input is not validity checked, this is a finding.
For SQL-defined tables, issue DISPLAY TABLE <schema-name>.<table-name>. If there is no CHECK on the input columns specifying their accepted values, this is a finding.
For network-defined records, issue DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt record fields, this is a finding.
Other applications and front-ends that use mapping can use the automatic editing feature, together with edit and code tables, to verify that an input value is valid. |
Fix Text (F-55012r807735_fix) |
For SQL-defined tables: ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition).
For network-defined records: MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY, then create or update the procedure to validate the provided record field values.
Other applications and front-ends that use mapping can use the automatic editing feature, together with edit and code tables, to verify that an input value is valid. |
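The SQL-defined-table branch of the check and fix, as an added worked example that is not part of the STIG text. The schema PAYROLL, the table EMPLOYEE and its columns DEPT_ID, STATUS, SALARY and EMP_ID are constructed assumptions chosen only to illustrate the DISPLAY TABLE and ALTER TABLE ... ADD CHECK statements named above; substitute the real schema and table names from the application being reviewed.

```sql
-- Added example, not from the CA IDMS STIG. Schema PAYROLL, table EMPLOYEE
-- and its columns are constructed assumptions for illustration only.

-- Check step: display the table definition and look for CHECK clauses that
-- name the columns a dynamic SQL statement can populate. No CHECK = finding.
DISPLAY TABLE PAYROLL.EMPLOYEE;

-- Fix step: add a table-level CHECK so that a value an application passed
-- through unvalidated into a dynamic statement is still rejected by IDMS
-- at INSERT/UPDATE time. Each column named in the condition gets an
-- explicit list or range of accepted values.
ALTER TABLE PAYROLL.EMPLOYEE
    ADD CHECK (DEPT_ID BETWEEN 1000 AND 9999
               AND STATUS IN ('A', 'L', 'T')
               AND SALARY >= 0);

-- Verify: the CHECK clause added above must now appear in the definition.
DISPLAY TABLE PAYROLL.EMPLOYEE;

-- Behaviour: a row whose values fail the search condition is rejected.
-- All three values below violate the constraint, so this INSERT fails
-- instead of storing attacker-chosen data.
INSERT INTO PAYROLL.EMPLOYEE (EMP_ID, DEPT_ID, STATUS, SALARY)
    VALUES (10001, 42, 'X', -1);
```

The CHECK constraint is the database-side control the rule asks for: it bounds what can reach the table regardless of which program or dynamic statement wrote it. It does not, by itself, stop an attacker from altering the structure of a dynamically built statement, so the application code must still validate the input fragment (or use a prepared statement with host variables) before the statement is executed; the first sentence of the check text is a finding on the application even when the table constraints are in place.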