
Details

    • Type: Sub-task
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Component: Feature/Authorization

    Description

      Overview:
      In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

      Issue:
      In the file EncryptionOptions.java there are hard-coded passwords on lines 23 and 25.

      EncryptionOptions.java, lines 20-30:
      20 public abstract class EncryptionOptions
      21 {
      22     public String keystore = "conf/.keystore";
      23     public String keystore_password = "cassandra";
      24     public String truststore = "conf/.truststore";
      25     public String truststore_password = "cassandra";
      26     public String[] cipher_suites = {
      27         "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
      28         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
      29         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
      30     };
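      The hardened shape a fix for the defaults above could take, written here as an added illustration rather than code from the ticket's attached patch or from Cassandra itself: no password value is compiled in, the secrets are read from configuration (environment variables with assumed names, `CASSANDRA_KEYSTORE_PASSWORD` and `CASSANDRA_TRUSTSTORE_PASSWORD`), a value still equal to the shipped default is rejected, and each store is opened at startup so a bad secret fails before any TLS listener comes up.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical replacement for the hard-coded defaults flagged on lines 23 and 25.
public final class EncryptionOptionsCheck
{
    // The value the static analysis found compiled into the source; refuse it at runtime.
    private static final String SHIPPED_DEFAULT = "cassandra";

    // Returns the secret only if it was actually supplied and is not the shipped default.
    public static String requireSecret(String name, String value)
    {
        if (value == null || value.isEmpty())
            throw new IllegalStateException(name + " must be set; no default is shipped");
        if (SHIPPED_DEFAULT.equals(value))
            throw new IllegalStateException(name + " still uses the shipped default; change it");
        return value;
    }

    // Assumption: secrets are injected through environment variables of the given name.
    public static String secretFromEnv(String name)
    {
        return requireSecret(name, System.getenv(name));
    }

    // Opens the store with the supplied password; KeyStore.load throws if the password
    // fails the store's integrity check, so a wrong or stale secret surfaces at startup.
    public static KeyStore openKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path))
        {
            ks.load(in, password);
        }
        finally
        {
            Arrays.fill(password, '\0'); // do not leave the secret lying around in memory
        }
        return ks;
    }

    public static void main(String[] args) throws Exception
    {
        KeyStore ks = openKeyStore("conf/.keystore", secretFromEnv("CASSANDRA_KEYSTORE_PASSWORD").toCharArray());
        KeyStore ts = openKeyStore("conf/.truststore", secretFromEnv("CASSANDRA_TRUSTSTORE_PASSWORD").toCharArray());
        System.out.println("keystore entries: " + ks.size() + ", truststore entries: " + ts.size());
    }
}
```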

      Attachments

        1. 12540-trunk.patch (2 kB, Stefan Podkowinski)

      People

        Assignee: Unassigned
        Reporter: EdAInWestOC (Eduardo Aguinaga)
        Votes: 0
        Watchers: 2
