[jira] [Updated] (CASSANDRA-12301) Privacy Violation - Heap Inspection

Sun, 18 Nov 2018 18:22:20 -0800 


     [ 
https://issues.apache.org/jira/browse/CASSANDRA-12301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

C. Scott Andreas updated CASSANDRA-12301:
-----------------------------------------
    Component/s: Auth

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12301
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12301
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Auth
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> In the file SSLTransportFactory.java on lines 72 and 76 a string object is 
> used to store sensitive data. String objects are immutable and should not be 
> used to store sensitive data. Sensitive data should be stored in char or byte 
> arrays and the contents of those arrays should be cleared ASAP. Operations 
> performed on string objects will require that the original object be copied 
> and the operation be applied in the new copy of the string object. This 
> results in the likelihood that multiple copies of sensitive data will be 
> present in the heap until garbage collection takes place.
> The snippet below shows the issue on lines 72 and 76:
> SSLTransportFactory.java, lines 47-81:
> {code:java}
> 47 private String truststore;
> 48 private String truststorePassword;
> 49 private String keystore;
> 50 private String keystorePassword;
> 51 private String protocol;
> 52 private String[] cipherSuites;
> . . .
> 66 @Override
> 67 public void setOptions(Map<String, String> options)
> 68 {
> 69     if (options.containsKey(TRUSTSTORE))
> 70         truststore = options.get(TRUSTSTORE);
> 71     if (options.containsKey(TRUSTSTORE_PASSWORD))
> 72         truststorePassword = options.get(TRUSTSTORE_PASSWORD);
> 73     if (options.containsKey(KEYSTORE))
> 74         keystore = options.get(KEYSTORE);
> 75     if (options.containsKey(KEYSTORE_PASSWORD))
> 76         keystorePassword = options.get(KEYSTORE_PASSWORD);
> 77     if (options.containsKey(PROTOCOL))
> 78         protocol = options.get(PROTOCOL);
> 79     if (options.containsKey(CIPHER_SUITES))
> 80         cipherSuites = options.get(CIPHER_SUITES).split(",");
> 81 }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to