cassandra-commits mailing list archives

From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CASSANDRA-12310) Use of getByName() to retrieve IP address
Date Tue, 26 Jul 2016 19:12:20 GMT
Eduardo Aguinaga created CASSANDRA-12310:
--------------------------------------------

             Summary: Use of getByName() to retrieve IP address
                 Key: CASSANDRA-12310
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis include the
issue below.

Issue:
There are many places in the Cassandra source code that rely upon a call to getByName() to
retrieve an IP address. The information returned by getByName() is not trustworthy. Attackers
can spoof DNS entries and depending on getByName alone invites DNS spoofing attacks.

This is an example from the file DatabaseDescriptor.java, where there are examples of the use
of getByName() on lines 193, 213, 233, 254, 947 and 949.

{code:java}
DatabaseDescriptor.java, lines 231-238:
231 try
232 {
233     rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
238 }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
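The mitigation the report points at is to treat whatever getByName() returns as untrusted input and check it before using it. The following is an added illustration, not code from Cassandra or from the reporter: a small resolver for settings such as rpc_address that must name an address on this machine. It resolves all candidates with getAllByName(), accepts one only if it is the wildcard address or is bound to a local NetworkInterface, and rejects everything else with a configuration error, so a spoofed DNS answer pointing at a foreign host cannot be silently bound. The class names LocalAddressResolver and its nested ConfigurationException are assumptions made for this example (Cassandra has its own ConfigurationException, seen in the snippet above; this one merely mirrors its (String, boolean) constructor).

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Arrays;

/** Example resolver for "must be a local address" settings (hypothetical helper, not part of Cassandra). */
public final class LocalAddressResolver {

    /** Stand-in for Cassandra's ConfigurationException, mirroring its (message, logStackTrace) constructor. */
    public static final class ConfigurationException extends Exception {
        public final boolean logStackTrace;
        public ConfigurationException(String message, boolean logStackTrace) {
            super(message);
            this.logStackTrace = logStackTrace;
        }
    }

    private LocalAddressResolver() {}

    /** True for an IPv4 dotted quad or an IPv6 literal; the JDK parses these without a DNS query. */
    static boolean isIpLiteral(String value) {
        return value.matches("^\\d{1,3}(\\.\\d{1,3}){3}$") || value.contains(":");
    }

    /** True if the address is the wildcard (0.0.0.0 / ::) or is configured on a local interface. */
    static boolean isLocal(InetAddress addr) throws ConfigurationException {
        if (addr.isAnyLocalAddress()) {
            return true;
        }
        try {
            return NetworkInterface.getByInetAddress(addr) != null;
        } catch (SocketException e) {
            throw new ConfigurationException("Unable to enumerate local interfaces: " + e.getMessage(), true);
        }
    }

    /**
     * Resolves a configured value for a setting that must refer to this host.
     * A hostname is resolved through DNS (untrusted), so every candidate is checked
     * against the local interfaces before it is accepted.
     */
    public static InetAddress resolveLocalAddress(String setting, String value) throws ConfigurationException {
        if (value == null || value.trim().isEmpty()) {
            throw new ConfigurationException(setting + " must not be empty", false);
        }
        if (!isIpLiteral(value)) {
            // Defender's note: this path depends on a DNS answer; the local-interface check below is what protects it.
            System.err.println("WARN " + setting + " is a hostname (" + value + "); resolving via DNS and verifying result is local");
        }

        InetAddress[] candidates;
        try {
            candidates = InetAddress.getAllByName(value);
        } catch (UnknownHostException e) {
            throw new ConfigurationException("Unknown host in " + setting + " " + value, false);
        }

        for (InetAddress candidate : candidates) {
            if (isLocal(candidate)) {
                return candidate;
            }
        }
        // None of the resolved addresses belongs to this machine: refuse rather than bind to a foreign address.
        throw new ConfigurationException(setting + " " + value + " resolved to " + Arrays.toString(candidates)
                + " but none of these addresses is bound to a local interface", false);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a literal, a hostname, and a deliberately non-local address.
        String[][] samples = { {"rpc_address", "127.0.0.1"}, {"rpc_address", "localhost"}, {"rpc_address", "192.0.2.10"} };
        for (String[] sample : samples) {
            try {
                System.out.println(sample[0] + "=" + sample[1] + " -> " + resolveLocalAddress(sample[0], sample[1]));
            } catch (ConfigurationException e) {
                System.out.println(sample[0] + "=" + sample[1] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

192.0.2.10 is a documentation-range address used here only as a constructed "not on this host" value; on a typical machine the first two samples are accepted and the third is rejected. The same check does not suit settings that legitimately name remote hosts (seed lists, for instance); for those, the practical controls are to prefer IP literals in configuration and to log the resolved address so that an unexpected answer is visible in the logs.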
