You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "C. Scott Andreas (JIRA)" <ji...@apache.org> on 2018/11/19 02:18:01 UTC

[jira] [Updated] (CASSANDRA-12333) Password Management: Hardcoded Password

     [ https://issues.apache.org/jira/browse/CASSANDRA-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

C. Scott Andreas updated CASSANDRA-12333:
-----------------------------------------
    Component/s: Auth

> Password Management: Hardcoded Password
> ---------------------------------------
>
>                 Key: CASSANDRA-12333
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Auth
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
> Issue:
> Hardcoded passwords may compromise system security in a way that cannot be easily remedied. In CassandraRoleManager.java on line 77 the default superuser password is set to "cassandra".
> CassandraRoleManager.java, lines 72-77:
> {code:java}
> 72 public class CassandraRoleManager implements IRoleManager
> 73 {
> 74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
> 75 
> 76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
> 77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
> CassandraRoleManager.java, lines 326-338:
> 326 private static void setupDefaultRole()
> 327 {
> 328     try
> 329     {
> 330         if (!hasExistingRoles())
> 331         {
> 332             QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
> 333                                                  "VALUES ('%s', true, true, '%s')",
> 334                                                  AuthKeyspace.NAME,
> 335                                                  AuthKeyspace.ROLES,
> 336                                                  DEFAULT_SUPERUSER_NAME,
> 337                                                  escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
> 338                                    consistencyForRole(DEFAULT_SUPERUSER_NAME));
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org