[ https://issues.apache.org/jira/browse/CASSANDRA-12301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eduardo Aguinaga updated CASSANDRA-12301:
-----------------------------------------
    Summary: Privacy Violation - Heap Inspection  (was: Privacy VIolation - Heap Inspection)

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12301
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12301
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> In the file SSLTransportFactory.java on lines 72 and 76 a string object is
> used to store sensitive data. String objects are immutable and should not be
> used to store sensitive data. Sensitive data should be stored in char or byte
> arrays and the contents of those arrays should be cleared ASAP. Operations
> performed on string objects will require that the original object be copied
> and the operation be applied to the new copy of the string object. This
> results in the likelihood that multiple copies of sensitive data will be
> present in the heap until garbage collection takes place.
>
> The snippet below shows the issue on lines 72 and 76:
>
> SSLTransportFactory.java, lines 47-81:
> {code:java}
> 47     private String truststore;
> 48     private String truststorePassword;
> 49     private String keystore;
> 50     private String keystorePassword;
> 51     private String protocol;
> 52     private String[] cipherSuites;
> . . .
> 66     @Override
> 67     public void setOptions(Map<String, String> options)
> 68     {
> 69         if (options.containsKey(TRUSTSTORE))
> 70             truststore = options.get(TRUSTSTORE);
> 71         if (options.containsKey(TRUSTSTORE_PASSWORD))
> 72             truststorePassword = options.get(TRUSTSTORE_PASSWORD);
> 73         if (options.containsKey(KEYSTORE))
> 74             keystore = options.get(KEYSTORE);
> 75         if (options.containsKey(KEYSTORE_PASSWORD))
> 76             keystorePassword = options.get(KEYSTORE_PASSWORD);
> 77         if (options.containsKey(PROTOCOL))
> 78             protocol = options.get(PROTOCOL);
> 79         if (options.containsKey(CIPHER_SUITES))
> 80             cipherSuites = options.get(CIPHER_SUITES).split(",");
> 81     }
> {code}

-- 
This message was sent by Atlassian JIRA
(v6.3.4#6332)
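The pattern the report asks for, as an added example that is not Cassandra's code and not part of the ticket: the keystore password is decoded from raw bytes straight into a char[] (never through java.lang.String), handed to KeyStore.load(InputStream, char[]), which already takes a char[], and zeroed in a finally block as soon as the load returns. The class name, helper names and the byte sequence used as a sample password are assumptions constructed for this example; the JDK calls (Charset.decode, KeyStore.getInstance/load/store, Arrays.fill) are real.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;

// Added example, not code from the Cassandra project: hold a keystore password
// in a char[] that is wiped once the KeyStore API is done with it, instead of
// parking it in an immutable String field.
public final class WipeablePasswordExample {

    // Decode raw bytes (as read from a config file or secrets socket) into a
    // char[] without creating a String, and scrub every intermediate buffer.
    static char[] bytesToChars(byte[] raw) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        if (cb.hasArray()) {
            Arrays.fill(cb.array(), '\0');   // scrub the decoder's heap buffer
        }
        Arrays.fill(raw, (byte) 0);          // scrub the byte[] we were handed
        return out;
    }

    // Load a PKCS12 keystore with the password, then zero the password before
    // returning; the finally block runs even if load() throws.
    static KeyStore loadAndWipe(byte[] keystoreBytes, char[] password) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(keystoreBytes), password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    // Constructed fixture: an empty PKCS12 store serialised under the given
    // password, so the example runs offline without a keystore on disk.
    static byte[] buildSampleKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                 // fresh, empty keystore
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ks.store(bos, password);
        return bos.toByteArray();
    }

    // Returns true when every element of the array has been zeroed.
    static boolean isWiped(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret, built as bytes so no String ever holds it.
        byte[] fixtureSecret = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        char[] fixturePw = bytesToChars(fixtureSecret);
        byte[] ksBytes = buildSampleKeystore(fixturePw);
        Arrays.fill(fixturePw, '\0');        // fixture password no longer needed

        // The path a real caller would take: bytes in, char[] out, wiped after use.
        byte[] secret = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        char[] pw = bytesToChars(secret);
        KeyStore ks = loadAndWipe(ksBytes, pw);

        // A heap dump taken here finds only NULs in pw and zeros in secret.
        System.out.println("keystore type=" + ks.getType()
                + ", password wiped=" + isWiped(pw)
                + ", source bytes wiped=" + (secret[0] == 0));
    }
}
```

Two caveats a reviewer would raise against the snippet in the ticket. First, the secret enters through setOptions(Map<String, String>), so by the time line 72 or 76 runs the password already exists as a String inside the map; changing the field type alone does not help, the API boundary that delivers the secret has to deliver bytes or chars too. Second, wiping is best effort on the JVM: a copying or compacting collector may have moved the array before you zero it, leaving a stale copy in the old location until that memory is reused, so short lifetimes and immediate wiping reduce exposure rather than eliminate it.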