Eduardo Aguinaga created CASSANDRA-12310:
--------------------------------------------
Summary: Use of getByName() to retrieve IP address
Key: CASSANDRA-12310
URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
Project: Cassandra
Issue Type: Bug
Reporter: Eduardo Aguinaga
Fix For: 3.0.5
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
There are many places in the Cassandra source code that rely upon a call to
getByName() to retrieve an IP address. The information returned by getByName()
is not trustworthy. Attackers can spoof DNS entries and depending on getByName
alone invites DNS spoofing attacks.
This is an example from the file DatabaseDescriptor.java where there are
examples of the use of getByName() on line 193, 213, 233, 254, 947 and 949.
{code:java}
DatabaseDescriptor.java, lines 231-238:
231 try
232 {
233 rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237 throw new ConfigurationException("Unknown host in rpc_address " +
config.rpc_address, false);
238 }
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
