[ 
https://issues.apache.org/jira/browse/CASSANDRA-12303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

C. Scott Andreas updated CASSANDRA-12303:
-----------------------------------------
    Component/s: Auth

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12303
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12303
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Auth
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> In the file AbstractJmxClient.java on lines 69 and 147 a string object is 
> used to store sensitive data. String objects are immutable and should not be 
> used to store sensitive data. Sensitive data should be stored in char or byte 
> arrays and the contents of those arrays should be cleared ASAP. Operations 
> performed on string objects will require that the original object be copied 
> and the operation be applied in the new copy of the string object. This 
> results in the likelihood that multiple copies of sensitive data will be 
> present in the heap until garbage collection takes place.
> The snippet below shows the issue on line 69:
> AbstractJmxClient.java, lines 51-71:
> {code:java}
> 51 protected final String password;
> 52 protected JMXConnection jmxConn;
> 53 protected PrintStream out = System.out;
> . . .
> 64 public AbstractJmxClient(String host, Integer port, String username, String password) throws IOException
> 65 {
> 66     this.host = (host != null) ? host : DEFAULT_HOST;
> 67     this.port = (port != null) ? port : DEFAULT_JMX_PORT;
> 68     this.username = username;
> 69     this.password = password;
> 70     jmxConn = new JMXConnection(this.host, this.port, username, password);
> 71 }
> {code}
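The reported pattern keeps the password as an immutable `String` field for the lifetime of the client object, so every copy made along the way stays reachable on the heap until collected. The following is an added example, not code from Cassandra or from the issue, of the alternative the report describes: hold the secret in a `char[]`, use it once, and overwrite it deterministically. The class and method names (`ZeroingSecret`, `jmxEnvironment`) are hypothetical; `JMXConnector.CREDENTIALS` is the real JMX environment key, and the sample password is a constructed value.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;

/**
 * Added example (not Cassandra's code): holds a secret in a char[] and zeroes it
 * when closed, so the credential does not outlive its single use the way a
 * long-lived, immutable String field does.
 */
public final class ZeroingSecret implements AutoCloseable {
    private final char[] value;
    private boolean cleared;

    /** Takes a defensive copy; the caller remains responsible for clearing its own array. */
    public ZeroingSecret(char[] source) {
        this.value = Arrays.copyOf(source, source.length);
    }

    public int length() { return value.length; }

    public boolean isCleared() { return cleared; }

    /** Exposes the characters only while the holder is still open. */
    public char[] chars() {
        if (cleared) throw new IllegalStateException("secret already cleared");
        return value;
    }

    /** Overwrites the buffer in place; calling it more than once is harmless. */
    @Override
    public void close() {
        Arrays.fill(value, '\0');
        cleared = true;
    }

    /**
     * Builds the environment map a JMX client passes to JMXConnectorFactory.connect.
     * Caveat: the standard JMXConnector.CREDENTIALS mechanism requires a String[],
     * so one String copy of the password is unavoidable at this point. Keeping it in
     * a short-lived local instead of a field (the reported `this.password`) limits
     * how long that copy stays reachable.
     */
    static Map<String, Object> jmxEnvironment(String username, ZeroingSecret password) {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { username, new String(password.chars()) });
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample input. In a real client this would come from
        // Console.readPassword(), which returns char[] for exactly this reason.
        char[] typed = "constructed-sample-password".toCharArray();
        try (ZeroingSecret secret = new ZeroingSecret(typed)) {
            Arrays.fill(typed, '\0');                 // the caller's copy is no longer needed
            Map<String, Object> env = jmxEnvironment("cassandra", secret);
            String[] creds = (String[]) env.get(JMXConnector.CREDENTIALS);
            System.out.println("credential entries: " + creds.length);
            // JMXConnectorFactory.connect(serviceUrl, env) would be called here.
            env.clear();                               // drop the reference to the String[] promptly
        }                                              // char[] zeroed here, even if connect() threw
        // No field retains the password, so it is not reachable from the client object afterwards.
    }
}
```

The design point is the lifetime, not the type alone: a `char[]` that is never overwritten is no better than a `String`. The try-with-resources block ties the overwrite to scope exit, so the buffer is cleared on the exception path as well as the normal one.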



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
