Check: EPAS-00-006200
EnterpriseDB Postgres Advanced Server (EPAS) STIG:
EPAS-00-006200
(in version v1 r1)
Title
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization. (Cat II impact)
Discussion
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.
Check Content
Review DBMS code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input. If code exists that allows invalid data to be acted upon or input into the database, this is a finding. If column/field definitions do not exist in the database, this is a finding. If columns/fields do not contain constraints and validity checking where required, this is a finding. Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. Where a column/field is clearly identified by name, caption, or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding. Check application code that interacts with the EDB Postgres Advanced Server database for the use of prepared statements. If prepared statements are not used, this is a finding. Execute the following SQL as the "enterprisedb" user: SELECT * FROM sqlprotect.list_protected_users; If the database and user that handles user input is not listed or if sqlprotect.list_protected_users does not exist (meaning SQL/Protect is not installed), and an alternative means of reviewing for vulnerable code is not in use, this is a finding.
Fix Text
Modify database code to properly validate data before it is put into the database or acted upon by the database. Modify the database to contain column/field definitions for each column/field in the database. Modify the database to contain constraints and validity checking on database columns and tables that require them for data integrity. Use prepared statements for user supplied inputs. Do not allow general users direct console access to the EDB Postgres Advanced Server database. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here: https://www.enterprisedb.com/docs/epas/latest/epas_security_guide/02_protecting_against_sql_injection_attacks/02_configuring_sql_protect/ Alternatively, implement, document, and maintain another method of checking for the validity of inputs.
Additional Identifiers
Rule ID: SV-259263r938842_rule
Vulnerability ID: V-259263
Group Title: SRG-APP-000251-DB-000160
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001310 |
The information system checks the validity of organization-defined inputs. |
Controls
Number | Title |
---|---|
SI-10 |
Information Input Validation |