Details
-
Sub-task
-
Status: Open
-
Normal
-
Resolution: Unresolved
-
None
-
None
Description
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
Issue:
There are many places in the Cassandra source code that rely upon a call to getByName() to retrieve an IP address. The information returned by getByName() is not trustworthy. Attackers can spoof DNS entries and depending on getByName alone invites DNS spoofing attacks.
getByName() is used in multiple locations within the CASSANDRA source code:
DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
RingCache.java Line 82
InetAddressType.java Line 52
FailureDetector.java Line 186
Gossiper.java Line 228, 571, 1517, 1522
CqlBulkRecordWriter.java Line 142, 301
HintsService.java Line 265
DynamicEndpointSnitch.java Line 320
Ec2MultiRegionSnitch.java Line 49
EndpointSnitchInfo.java Line 46, 51
PropertyFileSnitch.java Line 175
ReconnectableSnitchHelper.java Line 52
SimpleSeedProvider.java Line 55
MessagingService.java Line 943
StorageService.java Line 1766, 1835, 2526
ProgressInfoCompositeData.java Line 96
SessionInfoCompositeData.java Line 126, 127
BulkLoader.java Line 399, 422
SetHostStat.java Line 50
This is an example from the file DatabaseDescriptor.java where there are examples of the use of getByName() on line 193, 213, 233, 254, 947 and 949.
DatabaseDescriptor.java, lines 231-238:
231 try 232 { 233 rpcAddress = InetAddress.getByName(config.rpc_address); 234 } 235 catch (UnknownHostException e) 236 { 237 throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false); 238 }