Check: MD3X-00-000500
MongoDB Enterprise Advanced 3.x STIG:
MD3X-00-000500
(in versions v2 r2 through v1 r1)
Title
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. (Cat II impact)
Discussion
With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. The principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers). This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered. Satisfies: SRG-APP-000251-DB-000391, SRG-APP-000251-DB-000392
Check Content
MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server. If the following parameter is not present or not set as show below in the MongoDB configuration file (default location: /etc/mongod.conf), this is a finding. security: javascriptEnabled: "false"
Fix Text
Disable the "javascriptEnabled" option. Edit the MongoDB configuration file (default location: /etc/mongod.conf" to include the following: security: javascriptEnabled: false
Additional Identifiers
Rule ID: SV-221182r879652_rule
Vulnerability ID: V-221182
Group Title: SRG-APP-000251-DB-000391
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001310 |
The information system checks the validity of organization-defined inputs. |
Controls
Number | Title |
---|---|
SI-10 |
Information Input Validation |