You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/07/27 19:03:20 UTC

[jira] [Created] (CASSANDRA-12332) Weak SecurityManager Check: Overridable Method

Eduardo Aguinaga created CASSANDRA-12332:
--------------------------------------------

             Summary: Weak SecurityManager Check: Overridable Method
                 Key: CASSANDRA-12332
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12332
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
Non-final methods that perform security checks may be overridden in ways that bypass security checks.

{code:java}
CassandraDaemon.java, lines 155-165:
155 protected void setup()
156 {
157     // Delete any failed snapshot deletions on Windows - see CASSANDRA-9658
158     if (FBUtilities.isWindows())
159         WindowsFailedSnapshotTracker.deleteOldSnapshots();
160 
161     ThreadAwareSecurityManager.install();
162 
163     logSystemInfo();
164 
165     CLibrary.tryMlockall();
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)