[
https://issues.apache.org/jira/browse/CASSANDRA-12327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Ellis updated CASSANDRA-12327:
---------------------------------------
Issue Type: Sub-task (was: Bug)
Parent: CASSANDRA-12334
> Use of getAllByName() to retrieve IP addresses
> ----------------------------------------------
>
> Key: CASSANDRA-12327
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12327
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Use of getAllByName() to retrieve an IP addresses is not trustworthy.
> Attackers can spoof DNS entries.
> The file LimitedLocalNodeFirstLocalBalancingPolicy.java calls getAllByName()
> on line 66.
> LimitedLocalNodeFirstLocalBalancingPolicy.java, lines 64-72:
> {code:java}
> 64 try
> 65 {
> 66 InetAddress[] addresses = InetAddress.getAllByName(replica);
> 67 Collections.addAll(replicaAddresses, addresses);
> 68 }
> 69 catch (UnknownHostException e)
> 70 {
> 71 logger.warn("Invalid replica host name: {}, skipping it", replica);
> 72 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
