CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
An XCCDF Rule
Description
<VulnDiscussion>When the use of dynamic SQL is necessary, the code should be written so that the invalid data can be found and the appropriate action taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-251623r807736_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition).
For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values.
Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.