
Details

    • Sub-task
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • Legacy/Core
    • None

    Description

      Overview:
      In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis consisted of an automated scan using HP Fortify v4.21 SCA and a manual review using SciTools Understand v4. The results of that analysis include the issue below.

      Issue:
      Many places in the Cassandra source code rely on a call to getByName() to retrieve an IP address. The information returned by getByName() is not trustworthy: attackers can spoof DNS entries, so depending on getByName() alone invites DNS spoofing attacks.

      getByName() is used in multiple locations within the CASSANDRA source code:
      DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
      RingCache.java Line 82
      InetAddressType.java Line 52
      FailureDetector.java Line 186
      Gossiper.java Line 228, 571, 1517, 1522
      CqlBulkRecordWriter.java Line 142, 301
      HintsService.java Line 265
      DynamicEndpointSnitch.java Line 320
      Ec2MultiRegionSnitch.java Line 49
      EndpointSnitchInfo.java Line 46, 51
      PropertyFileSnitch.java Line 175
      ReconnectableSnitchHelper.java Line 52
      SimpleSeedProvider.java Line 55
      MessagingService.java Line 943
      StorageService.java Line 1766, 1835, 2526
      ProgressInfoCompositeData.java Line 96
      SessionInfoCompositeData.java Line 126, 127
      BulkLoader.java Line 399, 422
      SetHostStat.java Line 50

      The following excerpt from DatabaseDescriptor.java shows one of the six uses of getByName() in that file (lines 193, 213, 233, 254, 947 and 949).

      DatabaseDescriptor.java, lines 231-238:

      231 try
      232 {
      233     rpcAddress = InetAddress.getByName(config.rpc_address);
      234 }
      235 catch (UnknownHostException e)
      236 {
      237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
      238 }
      
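      As an added illustration (not Cassandra's code and not part of the original report), the helper below shows one way to harden the pattern in the excerpt: an IP literal is accepted without any DNS query, and a hostname is accepted only when the forward lookup and the JDK's forward-verified reverse lookup agree. The class and method names, and the local ConfigurationException stand-in, are assumptions for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

// Hypothetical helper; not the project's own code.
public final class SafeAddressResolver {
    // Dotted-quad IPv4 literal; an IPv6 literal is recognised by the presence of ':'.
    private static final Pattern IPV4_LITERAL = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");

    static boolean isIpLiteral(String value) {
        return IPV4_LITERAL.matcher(value).matches() || value.indexOf(':') >= 0;
    }

    /** Stand-in for org.apache.cassandra.exceptions.ConfigurationException. */
    static final class ConfigurationException extends Exception {
        ConfigurationException(String msg) { super(msg); }
    }

    /**
     * Literal path: getByName() on an IP literal only validates syntax, so no
     * spoofable DNS lookup takes place.
     * Hostname path: resolve every A/AAAA record, then require that the
     * reverse mapping of an address (getCanonicalHostName() forward-verifies
     * it in the JDK) leads back to the configured name. A mismatch is
     * rejected instead of silently trusting the first forward answer.
     */
    static InetAddress resolve(String settingName, String configured)
            throws ConfigurationException {
        if (configured == null || configured.isEmpty())
            throw new ConfigurationException("Missing value for " + settingName);
        try {
            if (isIpLiteral(configured))
                return InetAddress.getByName(configured);   // no DNS involved
            for (InetAddress addr : InetAddress.getAllByName(configured)) {
                if (addr.getCanonicalHostName().equalsIgnoreCase(configured))
                    return addr;                             // forward and reverse agree
            }
            throw new ConfigurationException(
                "Forward/reverse DNS mismatch for " + settingName + " " + configured);
        } catch (UnknownHostException e) {
            throw new ConfigurationException(
                "Unknown host in " + settingName + " " + configured);
        }
    }
}
```

      The hostname path expects the configured value to be the fully qualified name that the reverse zone returns; a short name or an address without a PTR record is rejected, which is the intended fail-closed behaviour.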

          People

            Assignee: Unassigned
            Reporter: EdAInWestOC Eduardo Aguinaga
