[
https://issues.apache.org/jira/browse/CASSANDRA-12310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eduardo Aguinaga updated CASSANDRA-12310:
-----------------------------------------
Description:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
There are many places in the Cassandra source code that rely upon a call to
getByName() to retrieve an IP address. The information returned by getByName()
is not trustworthy. Attackers can spoof DNS entries and depending on getByName
alone invites DNS spoofing attacks.
getByName() is used in multiple locations within the CASSANDRA source code:
DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
RingCache.java Line 82
InetAddressType.java Line 52
MutationVerbHandler.java Line 58
FailureDetector.java Line 186
Gossiper.java Line 228, 571, 1517, 1522
CqlBulkRecordWriter.java Line 142, 301
CqlRecordWriter.java Line 351
LimitedLocalNodeFirstLocalBalancingPolicy.java Line 66
HintsService.java Line 265
DynamicEndpointSnitch.java Line 320
Ec2MultiRegionSnitch.java Line 49
EndpointSnitchInfo.java Line 46, 51
PropertyFileSnitch.java Line 175
ReconnectableSnitchHelper.java Line 52
SimpleSeedProvider.java Line 55
CompactEndpointSerializationHelper.java Line 38
MessagingService.java Line 943
InetAddressSerializer.java Line 38, 58
StorageService.java Line 1766, 1835, 2526
ProgressInfoCompositeData.java Line 96
SessionInfoCompositeData.java Line 126, 127
BulkLoader.java Line 399, 422
SetHostStat.java Line 50
This is an example from the file DatabaseDescriptor.java where there are
examples of the use of getByName() on line 193, 213, 233, 254, 947 and 949.
{code:java}
DatabaseDescriptor.java, lines 231-238:
231 try
232 {
233 rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237 throw new ConfigurationException("Unknown host in rpc_address " +
config.rpc_address, false);
238 }
{code}
was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
There are many places in the Cassandra source code that rely upon a call to
getByName() to retrieve an IP address. The information returned by getByName()
is not trustworthy. Attackers can spoof DNS entries and depending on getByName
alone invites DNS spoofing attacks.
This is an example from the file DatabaseDescriptor.java where there are
examples of the use of getByName() on line 193, 213, 233, 254, 947 and 949.
{code:java}
DatabaseDescriptor.java, lines 231-238:
231 try
232 {
233 rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237 throw new ConfigurationException("Unknown host in rpc_address " +
config.rpc_address, false);
238 }
{code}
> Use of getByName() to retrieve IP address
> -----------------------------------------
>
> Key: CASSANDRA-12310
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> There are many places in the Cassandra source code that rely upon a call to
> getByName() to retrieve an IP address. The information returned by
> getByName() is not trustworthy. Attackers can spoof DNS entries and depending
> on getByName alone invites DNS spoofing attacks.
> getByName() is used in multiple locations within the CASSANDRA source code:
> DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
> RingCache.java Line 82
> InetAddressType.java Line 52
> MutationVerbHandler.java Line 58
> FailureDetector.java Line 186
> Gossiper.java Line 228, 571, 1517, 1522
> CqlBulkRecordWriter.java Line 142, 301
> CqlRecordWriter.java Line 351
> LimitedLocalNodeFirstLocalBalancingPolicy.java Line 66
> HintsService.java Line 265
> DynamicEndpointSnitch.java Line 320
> Ec2MultiRegionSnitch.java Line 49
> EndpointSnitchInfo.java Line 46, 51
> PropertyFileSnitch.java Line 175
> ReconnectableSnitchHelper.java Line 52
> SimpleSeedProvider.java Line 55
> CompactEndpointSerializationHelper.java Line 38
> MessagingService.java Line 943
> InetAddressSerializer.java Line 38, 58
> StorageService.java Line 1766, 1835, 2526
> ProgressInfoCompositeData.java Line 96
> SessionInfoCompositeData.java Line 126, 127
> BulkLoader.java Line 399, 422
> SetHostStat.java Line 50
> This is an example from the file DatabaseDescriptor.java where there are
> examples of the use of getByName() on line 193, 213, 233, 254, 947 and 949.
> {code:java}
> DatabaseDescriptor.java, lines 231-238:
> 231 try
> 232 {
> 233 rpcAddress = InetAddress.getByName(config.rpc_address);
> 234 }
> 235 catch (UnknownHostException e)
> 236 {
> 237 throw new ConfigurationException("Unknown host in rpc_address " +
> config.rpc_address, false);
> 238 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
