[jira] [Updated] (CASSANDRA-12301) Privacy VIolation - Heap Inspection

Tue, 26 Jul 2016 13:27:07 -0700 

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-12301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeremiah Jordan updated CASSANDRA-12301:
----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Privacy VIolation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12301
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12301
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> In the file SSLTransportFactory.java on lines 72 and 76 a string object is 
> used to store sensitive data. String objects are immutable and should not be 
> used to store sensitive data. Sensitive data should be stored in char or byte 
> arrays and the contents of those arrays should be cleared ASAP. Operations 
> performed on string objects will require that the original object be copied 
> and the operation be applied in the new copy of the string object. This 
> results in the likelihood that multiple copies of sensitive data will be 
> present in the heap until garbage collection takes place.
> The snippet below shows the issue on lines 72 and 76:
> SSLTransportFactory.java, lines 47-81:
> {code:java}
> 47 private String truststore;
> 48 private String truststorePassword;
> 49 private String keystore;
> 50 private String keystorePassword;
> 51 private String protocol;
> 52 private String[] cipherSuites;
> . . .
> 66 @Override
> 67 public void setOptions(Map<String, String> options)
> 68 {
> 69     if (options.containsKey(TRUSTSTORE))
> 70         truststore = options.get(TRUSTSTORE);
> 71     if (options.containsKey(TRUSTSTORE_PASSWORD))
> 72         truststorePassword = options.get(TRUSTSTORE_PASSWORD);
> 73     if (options.containsKey(KEYSTORE))
> 74         keystore = options.get(KEYSTORE);
> 75     if (options.containsKey(KEYSTORE_PASSWORD))
> 76         keystorePassword = options.get(KEYSTORE_PASSWORD);
> 77     if (options.containsKey(PROTOCOL))
> 78         protocol = options.get(PROTOCOL);
> 79     if (options.containsKey(CIPHER_SUITES))
> 80         cipherSuites = options.get(CIPHER_SUITES).split(",");
> 81 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to