Eduardo Aguinaga created CASSANDRA-12327: --------------------------------------------
Summary: Use of getAllByName() to retrieve IP addresses
Key: CASSANDRA-12327
URL: https://issues.apache.org/jira/browse/CASSANDRA-12327
Project: Cassandra
Issue Type: Bug
Reporter: Eduardo Aguinaga
Fix For: 3.0.5

Overview:

In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:

Use of getAllByName() to retrieve IP addresses is not trustworthy. Attackers can spoof DNS entries. The file LimitedLocalNodeFirstLocalBalancingPolicy.java calls getAllByName() on line 66.

LimitedLocalNodeFirstLocalBalancingPolicy.java, lines 64-72:

{code:java}
64 try
65 {
66     InetAddress[] addresses = InetAddress.getAllByName(replica);
67     Collections.addAll(replicaAddresses, addresses);
68 }
69 catch (UnknownHostException e)
70 {
71     logger.warn("Invalid replica host name: {}, skipping it", replica);
72 }
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
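The following is an added example, not Cassandra's code and not part of the report above. It makes the same getAllByName() call as the flagged snippet but treats the DNS answer as untrusted input: every resolved address is checked against an allow-list of addresses the caller already trusts from a source other than DNS (for a driver-side balancing policy that would be the cluster membership it already holds; the name `knownMembers` and the way it is populated are assumptions of the example). A spoofed record can then at worst cause a replica to be dropped from the list, never cause traffic to be sent to a host outside the cluster. Note also that getAllByName() performs no lookup at all for an IP literal, so the spoofing concern applies only to replicas given as host names.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example (not Cassandra's code): resolves replica names like the flagged
 * snippet, but pins the DNS result to an allow-list so that a forged record
 * cannot introduce an address the cluster does not know about.
 */
public class PinnedReplicaResolver
{
    private static final Logger logger = Logger.getLogger(PinnedReplicaResolver.class.getName());

    // Assumption of the example: addresses trusted from a non-DNS source
    // (e.g. cluster metadata). InetAddress.equals/hashCode compare the raw
    // address bytes, so a HashSet gives exact address matching.
    private final Set<InetAddress> knownMembers;

    public PinnedReplicaResolver(Set<InetAddress> knownMembers)
    {
        this.knownMembers = new HashSet<>(knownMembers);
    }

    public List<InetAddress> resolve(Collection<String> replicas)
    {
        List<InetAddress> replicaAddresses = new ArrayList<>();
        for (String replica : replicas)
        {
            try
            {
                // Same call as the flagged snippet. For an IP literal this does no
                // DNS query; for a host name the resolver is consulted and the
                // answer may have been spoofed, so it is filtered below.
                InetAddress[] addresses = InetAddress.getAllByName(replica);
                for (InetAddress address : addresses)
                {
                    if (knownMembers.contains(address))
                        replicaAddresses.add(address);
                    else
                        logger.warning("Replica " + replica + " resolved to " + address.getHostAddress()
                                       + ", which is not a known cluster member; dropping it");
                }
            }
            catch (UnknownHostException e)
            {
                logger.warning("Invalid replica host name: " + replica + ", skipping it");
            }
        }
        return Collections.unmodifiableList(replicaAddresses);
    }

    public static void main(String[] args) throws UnknownHostException
    {
        // Constructed input for the example: trust only the IPv4 loopback address.
        Set<InetAddress> members = new HashSet<>();
        members.add(InetAddress.getByName("127.0.0.1"));
        PinnedReplicaResolver resolver = new PinnedReplicaResolver(members);

        // "127.0.0.1" is a literal and never touches DNS; "localhost" goes through
        // the resolver, and any answer not on the allow-list (e.g. ::1) is dropped.
        List<InetAddress> resolved = resolver.resolve(Arrays.asList("127.0.0.1", "localhost"));
        System.out.println("Accepted replica addresses: " + resolved);
    }
}
```

The allow-list check is what makes the resolver robust to a spoofed answer; logging the dropped address rather than silently ignoring it gives operators a signal that the name and the cluster's own view of its members disagree.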