Eduardo Aguinaga created CASSANDRA-12327:
--------------------------------------------
Summary: Use of getAllByName() to retrieve IP addresses
Key: CASSANDRA-12327
URL: https://issues.apache.org/jira/browse/CASSANDRA-12327
Project: Cassandra
Issue Type: Bug
Reporter: Eduardo Aguinaga
Fix For: 3.0.5
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis include the issue below.
Issue:
Use of getAllByName() to retrieve IP addresses is not trustworthy. Attackers
can spoof DNS entries.
The file LimitedLocalNodeFirstLocalBalancingPolicy.java calls getAllByName() on
line 66.
LimitedLocalNodeFirstLocalBalancingPolicy.java, lines 64-72:
{code:java}
64 try
65 {
66 InetAddress[] addresses = InetAddress.getAllByName(replica);
67 Collections.addAll(replicaAddresses, addresses);
68 }
69 catch (UnknownHostException e)
70 {
71 logger.warn("Invalid replica host name: {}, skipping it", replica);
72 }
{code}
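The following is an added example, not code from the Cassandra project or from the reporter: it keeps the getAllByName() call shape shown above but treats the answers DNS returns as untrusted input, accepting a resolved address only when it lies inside an operator-configured allowlist of subnets. The class name, the Subnet helper and the allowlist values (loopback only) are constructed for illustration; the ".invalid" host name is used because that TLD never resolves, which exercises the UnknownHostException branch offline.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (hypothetical class, not Cassandra code).
 * Resolves replica entries with getAllByName() like the reported snippet,
 * but every address DNS hands back must fall inside an allowlist of subnets
 * before it is added to the replica set; anything else is logged and dropped.
 * IP literals pass through getAllByName() without a DNS query, so the same
 * check covers both literal and named replicas.
 */
public class ReplicaAddressResolver {

    /** One allowed subnet in CIDR form, e.g. "10.20.0.0/16" (constructed values). */
    static final class Subnet {
        final byte[] network;
        final int prefixLen;

        Subnet(String cidr) throws UnknownHostException {
            String[] parts = cidr.split("/");
            // getByName on a literal is parsed locally; no DNS lookup happens here.
            this.network = InetAddress.getByName(parts[0]).getAddress();
            this.prefixLen = Integer.parseInt(parts[1]);
            if (prefixLen < 0 || prefixLen > network.length * 8)
                throw new IllegalArgumentException("bad prefix length in " + cidr);
        }

        boolean contains(InetAddress addr) {
            byte[] a = addr.getAddress();
            if (a.length != network.length) return false; // IPv4 vs IPv6 mismatch
            int fullBytes = prefixLen / 8;
            for (int i = 0; i < fullBytes; i++)
                if (a[i] != network[i]) return false;
            int remaining = prefixLen % 8;
            if (remaining == 0) return true;
            int mask = (0xFF << (8 - remaining)) & 0xFF;
            return (a[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Subnet> allowed;

    ReplicaAddressResolver(List<Subnet> allowed) {
        this.allowed = allowed;
    }

    /** Resolve each replica entry; keep only addresses inside the allowlist. */
    List<InetAddress> resolve(List<String> replicas) {
        List<InetAddress> out = new ArrayList<>();
        for (String replica : replicas) {
            InetAddress[] addresses;
            try {
                addresses = InetAddress.getAllByName(replica);
            } catch (UnknownHostException e) {
                System.err.println("Invalid replica host name: " + replica + ", skipping it");
                continue;
            }
            for (InetAddress addr : addresses) {
                if (allowed.stream().anyMatch(s -> s.contains(addr))) {
                    out.add(addr);
                } else {
                    // A DNS answer pointing outside the expected subnets is exactly
                    // the spoofing case the finding describes: log it and refuse it.
                    System.err.println("Replica " + replica + " resolved to "
                            + addr.getHostAddress() + " outside the allowed subnets, skipping it");
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed allowlist: loopback only, so "localhost" is accepted and
        // any name resolving elsewhere would be rejected.
        ReplicaAddressResolver resolver = new ReplicaAddressResolver(
                Arrays.asList(new Subnet("127.0.0.0/8"), new Subnet("::1/128")));
        List<String> replicas = Arrays.asList("127.0.0.1", "localhost", "replica.example.invalid");
        for (InetAddress a : resolver.resolve(replicas))
            System.out.println("accepted replica " + a.getHostAddress());
    }
}
```

The allowlist is the part a deployment has to supply: it expresses which address ranges replicas are legitimately expected to live in, so a poisoned DNS answer cannot redirect traffic to an address the operator never approved. Logging the rejected answer at warn level also gives the SOC a concrete signal that name resolution returned something unexpected.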