From: "Eduardo Aguinaga (JIRA)"
To: commits@cassandra.apache.org
Date: Thu, 25 Aug 2016 18:04:21 +0000 (UTC)
Subject: [jira] [Created] (CASSANDRA-12548) Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Eduardo Aguinaga created CASSANDRA-12548:
--------------------------------------------

             Summary: Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
                 Key: CASSANDRA-12548
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12548
             Project: Cassandra
          Issue Type: Sub-task
            Reporter: Eduardo Aguinaga

Overview:

In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

The source file CommitLogArchiver.java retrieves commands stored as system properties and executes these commands after replacing tokens with relevant data. The commands retrieved are not verified to ensure that the commands do not contain malicious content. An adversary could perform part of its attack on Cassandra by replacing the "archive_command" or "restore_command" property with commands to achieve their goal.

Line numbers 141, 163, 251 and 265

{code:java}
CommitLogArchiver.java, lines 91-92:
91  String archiveCommand = commitlog_commands.getProperty("archive_command");
92  String restoreCommand = commitlog_commands.getProperty("restore_command");

CommitLogArchiver.java, lines 129-144:
129 public void maybeArchive(final CommitLogSegment segment)
130 {
131     if (Strings.isNullOrEmpty(archiveCommand))
132         return;
133
134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
135     {
136         protected void runMayThrow() throws IOException
137         {
138             segment.waitForFinalSync();
139             String command = archiveCommand.replace("%name", segment.getName());
140             command = command.replace("%path", segment.getPath());
141             exec(command);
142         }
143     }));
144 }

CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264     pb.redirectErrorStream(true);
265     FBUtilities.exec(pb);
266 }
{code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
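
One way to verify the configured command before it reaches ProcessBuilder, as an added example that is not part of the original report and not Cassandra's code. It contrasts the substitute-then-split pattern quoted above with a version that checks the executable against an allowlist and substitutes tokens per argument; the class, ALLOWED_DIRS, buildArgv and all sample paths are hypothetical, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ArchiveCommandCheck
{
    // Hypothetical allowlist of directories an archive helper may live in (assumption).
    static final List<Path> ALLOWED_DIRS =
        Arrays.asList(Paths.get("/usr/local/bin"), Paths.get("/opt/cassandra/bin"));

    // Pattern from the report: substitute tokens into the string, then split on spaces.
    static List<String> substituteThenSplit(String template, String name, String path)
    {
        String command = template.replace("%name", name).replace("%path", path);
        return Arrays.asList(command.split(" "));
    }

    // Hardened form: check the executable, split the template first, substitute per argument.
    static List<String> buildArgv(String template, String name, String path)
    {
        String[] parts = template.trim().split("\\s+");
        Path exe = Paths.get(parts[0]).normalize();
        if (!exe.isAbsolute() || !ALLOWED_DIRS.contains(exe.getParent()))
            throw new IllegalArgumentException("executable not in allowlist: " + parts[0]);
        List<String> argv = new ArrayList<>();
        argv.add(exe.toString());
        for (int i = 1; i < parts.length; i++)
            argv.add(parts[i].replace("%name", name).replace("%path", path));
        return argv;
    }

    public static void main(String[] args)
    {
        // Constructed sample values, not taken from a real deployment.
        String template = "/usr/local/bin/archive.sh %path /backup/%name";
        String name = "CommitLog-6-1.log";
        String path = "/var/lib/cassandra/commit log/" + name; // directory name contains a space

        System.out.println(substituteThenSplit(template, name, path)); // 4 entries: the path is cut in two
        System.out.println(buildArgv(template, name, path));           // 3 entries: the path stays one argument
        try { buildArgv("/tmp/other.sh %path", name, path); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The directory allowlist only helps if those directories and the properties file holding archive_command and restore_command are not writable by untrusted accounts.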