CUI

Documentation - V-235158

V-235158

Oracle MySQL 8.0 Security Technical Implementation Guide

CAT II

Title

The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

Description

<VulnDiscussion>With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL querie...

Fix Text (Documentation Requirement)

Where dynamic code execution is used, modify the code to implement protections against code injection.

Enable the MySQL Enterprise Firewall by running this script, which is located in the share subdirectory of the MySQL home directory:

mysql -u root -p mysql < linux_install_firewall.sql

Train the firewall for users where dynamic code injection is possible, for example, applications that allow user input:

CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');

Once the allowlist for the user/host has been captured, the firewall can be placed in PROTECTING (active blocking) or DETECTING (logging) mode:

CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'DETECTING');
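The full allowlist lifecycle for one account, as an added example that is not part of the STIG fix text. It assumes the firewall has already been installed with linux_install_firewall.sql, that the application account is 'fwuser'@'localhost', and that the server is a MySQL 8.0 release earlier than 8.0.26 (the INFORMATION_SCHEMA table names used here were renamed in later releases).

```sql
-- Added example (not from the STIG): record, review, enforce and verify the
-- Enterprise Firewall allowlist for 'fwuser'@'localhost' (assumed account).
-- Assumes MySQL 8.0 before 8.0.26 for the INFORMATION_SCHEMA table names.

-- 1. Confirm the firewall plugin is installed and enabled (expect ON).
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- 2. Put the account into RECORDING mode, then drive the application's
--    normal workload as fwuser so every legitimate statement shape is learned.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');

-- 3. Review what was learned. Each RULE is a normalized statement digest;
--    any entry that is not an expected application statement should be
--    investigated and removed before enforcement is turned on.
SELECT USERHOST, RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'fwuser@localhost';

-- 4. Choose the enforcement posture. DETECTING lets non-matching statements
--    run but logs them to the error log and increments
--    Firewall_access_suspicious; PROTECTING rejects them and increments
--    Firewall_access_denied. A soak period in DETECTING mode is the usual
--    way to catch statement shapes the recording phase missed.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'DETECTING');
-- ... after reviewing the error log for the soak period:
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');

-- 5. Verify the posture and watch the counters; a rising
--    Firewall_access_denied value is the signal to investigate the client.
SELECT USERHOST, MODE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS
 WHERE USERHOST = 'fwuser@localhost';
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';
```

The review in step 3 is the point of the procedure: a recording taken while untrusted input was already flowing will allowlist whatever it contained, so the captured rules must be read before PROTECTING is enabled.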

Documentation Status
