STIGQter: STIG Summary: EDB Postgres Advanced Server Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

DISA Rule

SV-213610r508024_rule

Vulnerability Number

V-213610

Group Title

SRG-APP-000251-DB-000392

Rule Version

PPS9-00-006400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Install and configure SQL/Protect as documented here:

http://www.enterprisedb.com/docs/en/9.5/eeguide/Postgres_Plus_Enterprise_Edition_Guide.1.072.html#

Alternatively, implement, document, and maintain another method of checking for the validity of inputs.

Check Contents

Execute the following SQL as enterprisedb:

SELECT * FROM sqlprotect.list_protected_users;

If the database and user that handle user input are not listed, or if sqlprotect.list_protected_users does not exist (meaning SQL/Protect is not installed), and an alternative means of reviewing for vulnerable code is not in use, this is a finding.
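The check above can be scripted so that both failure conditions (view missing, or the application database/role not listed) are reported explicitly. This is an added example, not part of the STIG text; it assumes the SQL/Protect view exposes dbname and username columns, and the database and role names are placeholders to be replaced with the ones that actually handle user input.

```sql
-- Added compliance check for this STIG rule (not from the STIG or EDB docs).
-- Assumptions: sqlprotect.list_protected_users has columns dbname and username;
-- 'app_db' / 'app_user' are placeholders for the real application database and role.
DO $$
DECLARE
  app_db   text := 'app_db';    -- placeholder: database that receives user input
  app_role text := 'app_user';  -- placeholder: role the application connects as
  n        integer;
BEGIN
  -- Condition 1: SQL/Protect not installed (view absent).
  IF to_regclass('sqlprotect.list_protected_users') IS NULL THEN
    RAISE NOTICE 'FINDING: sqlprotect.list_protected_users does not exist (SQL/Protect not installed)';
    RETURN;
  END IF;

  -- Condition 2: the database/role pair is not protected.
  -- Dynamic SQL so the block still compiles when the view is missing.
  EXECUTE format(
    'SELECT count(*) FROM sqlprotect.list_protected_users WHERE dbname = %L AND username = %L',
    app_db, app_role) INTO n;

  IF n = 0 THEN
    RAISE NOTICE 'FINDING: %/% is not listed as protected by SQL/Protect', app_db, app_role;
  ELSE
    RAISE NOTICE 'OK: %/% is protected by SQL/Protect', app_db, app_role;
  END IF;
END
$$;
```

Run it as enterprisedb; a FINDING notice means the rule fails unless a documented alternative input-validation method is in place.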

Vulnerability Number

V-213610

Documentable

False

Rule Version

PPS9-00-006400

Severity Override Guidance

Execute the following SQL as enterprisedb:

SELECT * FROM sqlprotect.list_protected_users;

If the database and user that handle user input are not listed, or if sqlprotect.list_protected_users does not exist (meaning SQL/Protect is not installed), and an alternative means of reviewing for vulnerable code is not in use, this is a finding.

Check Content Reference

M

Target Key

3988

Comments