STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

DISA Rule

SV-235158r638812_rule

Vulnerability Number

V-235158

Group Title

SRG-APP-000251-DB-000392

Rule Version

MYS8-00-007500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Where dynamic code execution is used, modify the code to implement protections against code injection.
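The following is an added example, not part of the STIG text, showing the kind of dynamic code execution this rule is about (a stored routine that builds a statement from its arguments and runs it with PREPARE/EXECUTE) beside a rewrite that applies the protections the fix asks for: the identifier is validated against the catalog, the value is bound with a parameter marker instead of being spliced into the text, and bad input is refused before anything executes. The schema name app and the routine names are placeholders; sys.quote_identifier() is the standard MySQL 8.0 sys-schema function.

```sql
-- Added example (not from the STIG): dynamic SQL in a stored routine,
-- before and after hardening. Schema 'app' and routine names are placeholders.

DELIMITER $$

-- BEFORE: the table name and the filter value are concatenated straight into
-- the statement text, so whatever the caller passes becomes executable SQL.
CREATE PROCEDURE app.get_row_unsafe(IN tbl VARCHAR(64), IN row_id VARCHAR(64))
BEGIN
  SET @sql = CONCAT('SELECT * FROM app.', tbl, ' WHERE id = ', row_id);
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

-- AFTER: validate the identifier against an allow list (the catalog), bind the
-- value through a parameter marker, and reject invalid input with SIGNAL.
CREATE PROCEDURE app.get_row_safe(IN tbl VARCHAR(64), IN row_id INT UNSIGNED)
BEGIN
  DECLARE tbl_exists INT DEFAULT 0;

  -- Identifiers cannot be bound as parameters, so check the name instead:
  -- it must be an existing base table in the app schema.
  SELECT COUNT(*) INTO tbl_exists
    FROM INFORMATION_SCHEMA.TABLES
   WHERE TABLE_SCHEMA = 'app'
     AND TABLE_NAME   = tbl
     AND TABLE_TYPE   = 'BASE TABLE';
  IF tbl_exists = 0 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'get_row_safe: unknown table';
  END IF;

  -- Quote the validated identifier; the value travels as a bound parameter,
  -- never as part of the statement text.
  SET @sql = CONCAT('SELECT * FROM app.', sys.quote_identifier(tbl), ' WHERE id = ?');
  SET @id = row_id;
  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @id;
  DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

-- Usage: CALL app.get_row_safe('products', 42);
-- A table name absent from the catalog raises SQLSTATE 45000 before any SQL
-- runs, and a non-numeric row_id is rejected by the INT UNSIGNED parameter type.
```

The typed parameter does part of the input scanning the rule calls for; where a routine must accept free-form strings, the same pattern applies: compare the value against a known-good set (or a strict pattern) and signal an error on anything else, rather than passing it into the statement text.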

Enable the MySQL Enterprise Firewall by running the following script, which is located in the share subdirectory of the MySQL home directory.
mysql -u root -p mysql < linux_install_firewall.sql

Train the firewall for users where dynamic code injection is possible, for example applications that allow user input.

CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');

Once the allow list for the user/host has been captured, the firewall can be placed in PROTECTING (active blocking) or DETECTING (logging) mode.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'DETECTING');

Check Contents

Review MySQL Database Server 8.0 source code (stored procedures, functions, and triggers) and application source code to identify cases of dynamic code execution.

Determine if the MySQL Enterprise Firewall is installed and trained to recognize normal behavior and to block or alert on abnormal requests. Run the following command:
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

Review the firewall users and their mode.
SELECT * FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
If no rows are returned and no firewall allow lists are active, this is a finding.

If LEARNING is returned, the firewall is building an allow list for the user@host account.

If PROTECTING is returned, the firewall permits only SQL on the allow list for the user@host account to execute.

If DETECTING is returned, the firewall writes to the firewall log any SQL not on the allow list for the user@host account, rather than blocking it.
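The following is an added example, not part of the STIG text, that carries the Fix Recommendation and the Check Contents above through end to end for one account: confirming the firewall is present, training it, inspecting the learned allow list before enforcement, switching to PROTECTING, and then using the firewall counters as an ongoing check. The account fwuser@localhost, the schema app and the table products are placeholders. One caveat a reviewer should know: the mode the server stores and reports for an account that is being trained is RECORDING (the value the Fix uses), not LEARNING.

```sql
-- Added example (not from the STIG): MySQL Enterprise Firewall workflow for
-- one account. fwuser@localhost, schema 'app' and table 'products' are placeholders.

-- 1. Confirm the firewall plugin is loaded and what it reports globally.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';

-- 2. Put the account into RECORDING mode so its statements are learned.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');

-- 3. Exercise the application's normal statements as fwuser@localhost, e.g.
--      SELECT name, price FROM app.products WHERE id = 42;
--    The firewall stores normalized digests, so the literal 42 is recorded as ?
--    and the same entry matches any other id value the application sends.

-- 4. Inspect what was learned before turning enforcement on: an account with no
--    rules, or rules that do not cover the application's statements, is not ready.
SELECT USERHOST, MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
SELECT USERHOST, RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'fwuser@localhost';

-- 5. Enforce: statements whose digest is not on the allow list are rejected.
--    Use DETECTING instead to log mismatches without blocking while validating.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');

-- 6. Ongoing check: granted vs denied vs suspicious counts. A rising denied
--    count after deployment means either the allow list is incomplete or SQL
--    the application never issued in training is reaching the server.
SHOW GLOBAL STATUS LIKE 'Firewall_%';

-- 7. What the STIG check itself runs: no rows here means no firewall
--    allow lists are active for any account, which is a finding.
SELECT * FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
```

Train with a representative workload (every code path the application can take), because any statement shape that was not seen in RECORDING mode will be denied once the account is PROTECTING; DETECTING mode is the safe intermediate step for confirming coverage in production before blocking.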

If dynamic code execution is employed without protective measures against code injection, this is a finding.

Documentable

False

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

5277

Comments