cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-12333) Password Management: Hardcoded Password
Date Wed, 27 Jul 2016 19:14:20 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eduardo Aguinaga updated CASSANDRA-12333:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Password Management: Hardcoded Password
> ---------------------------------------
>
>                 Key: CASSANDRA-12333
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra
source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a
manual analysis utilizing SciTools Understand v4. The results of that analysis includes the
issue below.
> Issue:
> Hardcoded passwords may compromise system security in a way that cannot be easily remedied.
In CassandraRoleManager.java on line 77 the default superuser password is set to "cassandra".
> CassandraRoleManager.java, lines 72-77:
> {code:java}
> 72 public class CassandraRoleManager implements IRoleManager
> 73 {
> 74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
> 75 
> 76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
> 77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
> CassandraRoleManager.java, lines 326-338:
> 326 private static void setupDefaultRole()
> 327 {
> 328     try
> 329     {
> 330         if (!hasExistingRoles())
> 331         {
> 332             QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser,
can_login, salted_hash) " +
> 333                                                  "VALUES ('%s', true, true, '%s')",
> 334                                                  AuthKeyspace.NAME,
> 335                                                  AuthKeyspace.ROLES,
> 336                                                  DEFAULT_SUPERUSER_NAME,
> 337                                                  escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
> 338                                    consistencyForRole(DEFAULT_SUPERUSER_NAME));
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message