CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00660
- creditSnyk Research Team
Description
To reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.
How to fix?
Set start_ip_address and end_ip_address to specific IP address only, e.g. 10.0.17.62.
An invalid range has start IP set to 0.0.0.0 and end IP set to 0.0.0.0 or 255.255.255.255.
Example Configuration
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2022-05-01-preview",
"name": "test660deal1/allowed",
"properties": {
"endIpAddress": "10.0.17.62",
"startIpAddress": "10.0.17.62"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'test660deal1')]"
]
}
]
Set start_ip_address and end_ip_address to specific IP address only, e.g. 192.168.1.1.
An invalid range has start IP set to 0.0.0.0 and end IP set to 0.0.0.0 or 255.255.255.255.
Example Configuration
resource "azurerm_sql_firewall_rule" "allowed" {
name = "firewall-rule-a1"
resource_group_name = azurerm_resource_group.example660.name
server_name = azurerm_sql_server.example660.name
start_ip_address = "10.0.17.62"
end_ip_address = "10.0.17.62"
}