cassandra-commits mailing list archives

From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-12310) Use of getByName() to retrieve IP address
Date Wed, 27 Jul 2016 17:51:20 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-12310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eduardo Aguinaga updated CASSANDRA-12310:
-----------------------------------------
    Description: 
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis include the
issue below.

Issue:
There are many places in the Cassandra source code that rely upon a call to getByName() to
retrieve an IP address. The information returned by getByName() is not trustworthy. Attackers
can spoof DNS entries and depending on getByName alone invites DNS spoofing attacks.

getByName() is used in multiple locations within the CASSANDRA source code:
DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
RingCache.java Line 82
InetAddressType.java Line 52
FailureDetector.java Line 186
Gossiper.java Line 228, 571, 1517, 1522
CqlBulkRecordWriter.java Line 142, 301
HintsService.java Line 265
DynamicEndpointSnitch.java Line 320
Ec2MultiRegionSnitch.java Line 49
EndpointSnitchInfo.java Line 46, 51
PropertyFileSnitch.java Line 175
ReconnectableSnitchHelper.java Line 52
SimpleSeedProvider.java Line 55
MessagingService.java Line 943
StorageService.java Line 1766, 1835, 2526
ProgressInfoCompositeData.java Line 96
SessionInfoCompositeData.java Line 126, 127
BulkLoader.java Line 399, 422
SetHostStat.java Line 50

This is an example from the file DatabaseDescriptor.java where there are examples of the use
of getByName() on line 193, 213, 233, 254, 947 and 949.

DatabaseDescriptor.java, lines 231-238:
{code:java}
231 try
232 {
233     rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
238 }
{code}

  was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis include the
issue below.

Issue:
There are many places in the Cassandra source code that rely upon a call to getByName() to
retrieve an IP address. The information returned by getByName() is not trustworthy. Attackers
can spoof DNS entries and depending on getByName alone invites DNS spoofing attacks.

getByName() is used in multiple locations within the CASSANDRA source code:
DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
RingCache.java Line 82
InetAddressType.java Line 52
MutationVerbHandler.java Line 58
FailureDetector.java Line 186
Gossiper.java Line 228, 571, 1517, 1522
CqlBulkRecordWriter.java Line 142, 301
CqlRecordWriter.java Line 351
LimitedLocalNodeFirstLocalBalancingPolicy.java Line 66
HintsService.java Line 265
DynamicEndpointSnitch.java Line 320
Ec2MultiRegionSnitch.java Line 49
EndpointSnitchInfo.java Line 46, 51
PropertyFileSnitch.java Line 175
ReconnectableSnitchHelper.java Line 52
SimpleSeedProvider.java Line 55
CompactEndpointSerializationHelper.java Line 38
MessagingService.java Line 943
InetAddressSerializer.java Line 38, 58
StorageService.java Line 1766, 1835, 2526
ProgressInfoCompositeData.java Line 96
SessionInfoCompositeData.java Line 126, 127
BulkLoader.java Line 399, 422
SetHostStat.java Line 50

This is an example from the file DatabaseDescriptor.java where there are examples of the use
of getByName() on line 193, 213, 233, 254, 947 and 949.

DatabaseDescriptor.java, lines 231-238:
{code:java}
231 try
232 {
233     rpcAddress = InetAddress.getByName(config.rpc_address);
234 }
235 catch (UnknownHostException e)
236 {
237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
238 }
{code}


> Use of getByName() to retrieve IP address
> -----------------------------------------
>
>                 Key: CASSANDRA-12310
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
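The distinction the report turns on is whether a configured value is an IP literal or a hostname: per the InetAddress.getByName() Javadoc, a literal gets only a format check and never touches DNS, while a hostname is resolved through the platform resolver, whose answer an attacker who can spoof DNS controls. The following is an added example, not code from the Cassandra code base or from this report, of one way to handle a configured address so that DNS is consulted only for hostnames and its answer is cross-checked before use. The class and method names, the allowlist parameter and the inputs in main() are hypothetical; the check applied to hostnames is an operator-supplied allowlist, falling back to forward-confirmed reverse DNS (the candidate's PTR name must resolve back to the candidate).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

// Hypothetical helper (not Cassandra code): resolve a configured address without
// trusting a bare forward DNS answer.
public final class StrictAddressResolver {

    // Parses a dotted-quad IPv4 literal into an InetAddress without any lookup;
    // returns null if the string is not such a literal.
    static InetAddress parseIpv4Literal(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) return null;
        byte[] octets = new byte[4];
        for (int i = 0; i < 4; i++) {
            if (parts[i].isEmpty() || parts[i].length() > 3) return null;
            for (char c : parts[i].toCharArray()) {
                if (c < '0' || c > '9') return null;
            }
            int v = Integer.parseInt(parts[i]);
            if (v > 255) return null;
            octets[i] = (byte) v;
        }
        try {
            // getByAddress(byte[]) builds the address from the bytes; no DNS involved.
            return InetAddress.getByAddress(octets);
        } catch (UnknownHostException e) {
            throw new AssertionError("a 4-byte array is always a valid IPv4 address", e);
        }
    }

    // Forward-confirmed reverse DNS: the PTR name of the candidate must itself
    // resolve to the candidate. A spoofed A record alone does not satisfy this.
    static boolean forwardConfirmed(InetAddress candidate) {
        String ptrName = candidate.getCanonicalHostName();
        // getCanonicalHostName() falls back to the textual IP when no PTR record exists.
        if (ptrName.equals(candidate.getHostAddress())) return false;
        try {
            return Arrays.asList(InetAddress.getAllByName(ptrName)).contains(candidate);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // Literals never reach DNS. Hostnames are resolved, and every candidate must be
    // on the operator-supplied allowlist or pass forwardConfirmed(); otherwise the
    // value is rejected instead of being used silently.
    static InetAddress resolve(String configured, Set<InetAddress> allowlist)
            throws UnknownHostException {
        InetAddress v4 = parseIpv4Literal(configured);
        if (v4 != null) return v4;

        if (configured.indexOf(':') >= 0) {
            // A hostname cannot contain ':', so this is an IPv6 literal (optionally
            // bracketed); getByName() only validates the format for literals.
            return InetAddress.getByName(configured);
        }

        for (InetAddress candidate : InetAddress.getAllByName(configured)) {
            if (allowlist.contains(candidate)) return candidate;
            if (forwardConfirmed(candidate)) return candidate;
        }
        throw new UnknownHostException("no address for " + configured
                + " is allowlisted or passes forward-confirmed reverse DNS");
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed inputs: a documentation-range literal (no DNS at all) and a
        // name that resolves through the local hosts file.
        System.out.println(resolve("192.0.2.10", Collections.emptySet()));
        System.out.println(resolve("localhost",
                Collections.singleton(InetAddress.getByAddress(new byte[] {127, 0, 0, 1}))));
    }
}
```

The allowlist is the stronger of the two checks, since it removes DNS from the trust decision entirely; forward-confirmed reverse DNS only raises the bar, because an attacker who controls both the forward and the reverse zone still passes it. Cluster-internal settings such as seed lists and snitch addresses are the natural place to require literals or an allowlist rather than a bare hostname.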
