[ https://issues.apache.org/jira/browse/CASSANDRA-12303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-12303:
-----------------------------------------
    Component/s: Auth

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12303
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12303
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Auth
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> In the file AbstractJmxClient.java on lines 69 and 147 a string object is
> used to store sensitive data. String objects are immutable and should not be
> used to store sensitive data. Sensitive data should be stored in char or byte
> arrays and the contents of those arrays should be cleared ASAP. Operations
> performed on string objects will require that the original object be copied
> and the operation be applied to the new copy of the string object. This
> results in the likelihood that multiple copies of sensitive data will be
> present in the heap until garbage collection takes place.
>
> The snippet below shows the issue on line 69:
>
> AbstractJmxClient.java, lines 51-71:
> {code:java}
> 51    protected final String password;
> 52    protected JMXConnection jmxConn;
> 53    protected PrintStream out = System.out;
> . . .
> 64    public AbstractJmxClient(String host, Integer port, String username, String password) throws IOException
> 65    {
> 66        this.host = (host != null) ? host : DEFAULT_HOST;
> 67        this.port = (port != null) ? port : DEFAULT_JMX_PORT;
> 68        this.username = username;
> 69        this.password = password;
> 70        jmxConn = new JMXConnection(this.host, this.port, username, password);
> 71    }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
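As an added illustration of the finding above (this is not Cassandra's code and not part of the Fortify report), the hypothetical class below puts the flagged pattern, a password kept in an immutable String field, beside a variant that accepts the secret as a char[], builds the String the JMX API needs only for the duration of the connect call, and wipes the caller's array afterwards. Class and method names, the localhost target and the port number are all made-up placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Hypothetical JMX client showing the flagged pattern beside a char[]-based
 * alternative. Not Cassandra code; names are placeholders chosen for this example.
 */
public final class JmxCredentialDemo {

    /** The pattern Fortify flagged: the password lives in an immutable String for the client's lifetime. */
    static final class LeakyClient {
        final String password;

        LeakyClient(String password) {
            // Stays readable in a heap dump until the client is dropped and GC runs;
            // any string operation on it leaves further copies behind.
            this.password = password;
        }
    }

    /**
     * Alternative: take the secret as a char[] and keep the unavoidable String
     * copy short-lived. The RMI connector's default authenticator expects
     * String[] {user, password} under JMXConnector.CREDENTIALS, so a String is
     * still created; what changes is that nothing holds on to it after connect().
     */
    static JMXConnector connect(String host, int port, String username, char[] password) throws IOException {
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        String[] creds = { username, new String(password) };
        env.put(JMXConnector.CREDENTIALS, creds);
        try {
            return JMXConnectorFactory.connect(url, env);
        } finally {
            Arrays.fill(password, '\0');  // caller's array is now zeros
            Arrays.fill(creds, null);     // drop our reference so the String copy becomes GC-eligible
            env.clear();
        }
    }

    /** True when every element of the array has been zeroed. */
    static boolean isWiped(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample secret. A real client would obtain it from
        // Console.readPassword(), which already returns a char[].
        char[] pw = "s3cret".toCharArray();
        try {
            // Assumed host/port; no JMX agent is expected to be listening here.
            connect("127.0.0.1", 7199, "cassandra", pw).close();
        } catch (IOException e) {
            // Expected without a running agent; the wipe in the finally block still ran.
            System.out.println("connect failed: " + e.getMessage());
        }
        System.out.println("password array wiped: " + isWiped(pw));
    }
}
```

Two caveats a practitioner should keep in mind: zeroing the array only removes the copy you control, since the String handed to the connector and whatever the RMI stack does with it are outside your reach, and the JVM may have moved or copied the array during GC before the wipe. The char[] approach shrinks the window in which the secret is referenced; it does not guarantee that no copy exists in the heap.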