Check: IDMS-DB-000500
CA IDMS STIG:
IDMS-DB-000500
(in versions v1 r2 through v1 r1)
Title
CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization. (Cat II impact)
Discussion
Dynamic SQL statements are compiled at runtime and, if manipulated by an unauthorized user, can produce an innumerable array of undesired results. These statements should not be used casually.
Check Content
If EXECUTE IMMEDIATE, PREPARE, and EXECUTE statements are found while reviewing source code in applications, procedures, and exits in code that does not require it, this is a finding.
Fix Text
Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.). Securing resources is effective because CA IDMS issues security checks as it executes the commands, and the authorization permissions are cached for the life of the transaction or task, whichever ends first. Strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.
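The following is an added example, not part of the STIG text or any CA IDMS code. It uses Python with an in-memory SQLite database standing in for an IDMS database, because the three controls the Fix Text names map onto any SQL engine: a statement assembled from user input and run as-is (the EXECUTE IMMEDIATE pattern), a static statement whose input is bound as a host variable, and a dynamic statement that is still permitted but constrained by an allow-list, a type check and input validation. The `employee` table, its rows, and the function names `lookup_dynamic`, `lookup_static`, `validate_input` and `lookup_controlled_dynamic` are all constructed for this illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for an IDMS table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT)"
    )
    conn.executemany(
        "INSERT INTO employee VALUES (?, ?, ?)",
        [(1001, "ADAMS", "D01"), (1002, "BAKER", "D02"), (1003, "CLARK", "D01")],
    )
    return conn


DB = make_db()


def lookup_dynamic(conn, dept):
    # The pattern the STIG wants removed: statement text is built from the
    # input at runtime and executed as a whole (EXECUTE IMMEDIATE style),
    # so the input can change the meaning of the statement.
    sql = "SELECT emp_id FROM employee WHERE dept = '" + dept + "' ORDER BY emp_id"
    return [row[0] for row in conn.execute(sql)]


def lookup_static(conn, dept):
    # Static statement with a bound host variable: the statement text is fixed
    # and the value is passed separately, so the input is only ever data.
    sql = "SELECT emp_id FROM employee WHERE dept = ? ORDER BY emp_id"
    return [row[0] for row in conn.execute(sql, (dept,))]


# When the statement must be dynamic (here: the column is chosen at runtime),
# each permitted column gets a strong type and format rule for its value.
COLUMN_RULES = {
    "dept": lambda v: isinstance(v, str) and re.fullmatch(r"D\d{2}", v) is not None,
    "emp_id": lambda v: type(v) is int and 0 < v < 1_000_000,
}


def validate_input(column, value):
    # True only if the column is on the allow-list and the value matches its rule.
    rule = COLUMN_RULES.get(column)
    return rule is not None and rule(value)


def lookup_controlled_dynamic(conn, column, value):
    # Dynamic statement with the Fix Text's compensating controls: the only
    # dynamic fragment (the column name) comes from an allow-list, the value
    # is type- and format-checked, and it is still bound rather than spliced in.
    if not validate_input(column, value):
        raise ValueError(f"input rejected for column {column!r}: {value!r}")
    sql = f"SELECT emp_id FROM employee WHERE {column} = ? ORDER BY emp_id"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    tampered = "D01' OR '1'='1"
    print("dynamic, tampered input :", lookup_dynamic(DB, tampered))
    print("static, tampered input  :", lookup_static(DB, tampered))
    print("controlled, valid input :", lookup_controlled_dynamic(DB, "emp_id", 1002))
    print("controlled, tampered    :", validate_input("dept", tampered))
```

Running the block shows the difference a reviewer is checking for: the concatenated statement returns every employee for the tampered department string, the static statement returns nothing for it, and the controlled dynamic path refuses it before any statement text is built. The allow-list and rule table is the place to put the organization's decision about which dynamic fragments are permitted at all.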
Additional Identifiers
Rule ID: SV-251621r808358_rule
Vulnerability ID: V-251621
Group Title: SRG-APP-000251-DB-000391
CCIs
Number | Definition
---|---
CCI-001310 | The information system checks the validity of organization-defined inputs.
Controls
Number | Title
---|---
SI-10 | Information Input Validation