You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "C. Scott Andreas (JIRA)" <ji...@apache.org> on 2018/11/19 02:18:01 UTC
[jira] [Updated] (CASSANDRA-12333) Password Management: Hardcoded
Password
[ https://issues.apache.org/jira/browse/CASSANDRA-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-12333:
-----------------------------------------
Component/s: Auth
> Password Management: Hardcoded Password
> ---------------------------------------
>
> Key: CASSANDRA-12333
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
> Project: Cassandra
> Issue Type: Sub-task
> Components: Auth
> Reporter: Eduardo Aguinaga
> Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
> Issue:
> Hardcoded passwords may compromise system security in a way that cannot be easily remedied. In CassandraRoleManager.java on line 77 the default superuser password is set to "cassandra".
> CassandraRoleManager.java, lines 72-77:
> {code:java}
> 72 public class CassandraRoleManager implements IRoleManager
> 73 {
> 74 private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
> 75
> 76 static final String DEFAULT_SUPERUSER_NAME = "cassandra";
> 77 static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
> CassandraRoleManager.java, lines 326-338:
> 326 private static void setupDefaultRole()
> 327 {
> 328 try
> 329 {
> 330 if (!hasExistingRoles())
> 331 {
> 332 QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
> 333 "VALUES ('%s', true, true, '%s')",
> 334 AuthKeyspace.NAME,
> 335 AuthKeyspace.ROLES,
> 336 DEFAULT_SUPERUSER_NAME,
> 337 escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
> 338 consistencyForRole(DEFAULT_SUPERUSER_NAME));
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org