cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-12332) Weak SecurityManager Check: Overridable Method
Date Wed, 27 Jul 2016 19:15:20 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eduardo Aguinaga updated CASSANDRA-12332:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Weak SecurityManager Check: Overridable Method
> ----------------------------------------------
>
>                 Key: CASSANDRA-12332
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12332
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis includes the
issue below.
> Issue:
> Non-final methods that perform security checks may be overridden in ways that bypass
security checks.
> {code:java}
> CassandraDaemon.java, lines 155-165:
> 155 protected void setup()
> 156 {
> 157     // Delete any failed snapshot deletions on Windows - see CASSANDRA-9658
> 158     if (FBUtilities.isWindows())
> 159         WindowsFailedSnapshotTracker.deleteOldSnapshots();
> 160 
> 161     ThreadAwareSecurityManager.install();
> 162 
> 163     logSystemInfo();
> 164 
> 165     CLibrary.tryMlockall();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message