You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/07/27 18:12:20 UTC

[jira] [Created] (CASSANDRA-12326) Use of getByAddress() to retrieve InetAddress object

Eduardo Aguinaga created CASSANDRA-12326:
--------------------------------------------

             Summary: Use of getByAddress() to retrieve InetAddress object
                 Key: CASSANDRA-12326
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12326
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
There are four places in the Cassandra source code that rely upon a call to getByAddress() to retrieve an InetAddress object. The information returned by getByAddress() is not trustworthy. Attackers can spoof DNS entries and depending on getByAddress alone invites DNS spoofing attacks.

The four places in the Cassandra source code where getByAddress() is used:
MutationVerbHandler.java Line 58
CompactEndpointSerializationHelper.java Line 38
InetAddressSerializer.java Line 38, 58

MutationVerbHandler.java, lines 49-59:
{code:java}
49 if (from == null)
50 {
51     replyTo = message.from;
52     byte[] forwardBytes = message.parameters.get(Mutation.FORWARD_TO);
53     if (forwardBytes != null)
54         forwardToLocalNodes(message.payload, message.verb, forwardBytes, message.from);
55 }
56 else
57 {
58     replyTo = InetAddress.getByAddress(from);
59 }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)