Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/07/27 19:09:20 UTC

[jira] [Created] (CASSANDRA-12333) Password Management: Hardcoded Password

Eduardo Aguinaga created CASSANDRA-12333:
--------------------------------------------

             Summary: Password Management: Hardcoded Password
                 Key: CASSANDRA-12333
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
Hardcoded passwords may compromise system security in a way that cannot be easily remedied. In CassandraRoleManager.java on line 77 the default superuser password is set to "cassandra".

CassandraRoleManager.java, lines 72-77:
{code:java}
72 public class CassandraRoleManager implements IRoleManager
73 {
74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
75 
76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
{code}

CassandraRoleManager.java, lines 326-338:
{code:java}
326 private static void setupDefaultRole()
327 {
328     try
329     {
330         if (!hasExistingRoles())
331         {
332             QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
333                                                  "VALUES ('%s', true, true, '%s')",
334                                                  AuthKeyspace.NAME,
335                                                  AuthKeyspace.ROLES,
336                                                  DEFAULT_SUPERUSER_NAME,
337                                                  escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
338                                    consistencyForRole(DEFAULT_SUPERUSER_NAME));
{code}
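Added example (not Cassandra's code): one way the bootstrap credential used by setupDefaultRole() could be resolved at first start instead of living in the DEFAULT_SUPERUSER_PASSWORD constant. The class name, the method names and the CASSANDRA_INITIAL_SUPERUSER_PASSWORD variable are assumptions for this illustration, not real Cassandra configuration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

/**
 * Hypothetical replacement for a compile-time superuser password: the
 * credential is either supplied by the operator or generated per install,
 * so no two clusters share a well-known secret baked into the binary.
 */
public final class BootstrapPassword
{
    // Assumed variable name; not a Cassandra setting.
    static final String INITIAL_SUPERUSER_PASSWORD_ENV = "CASSANDRA_INITIAL_SUPERUSER_PASSWORD";
    private static final String WELL_KNOWN_DEFAULT = "cassandra";
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Returns the password to hash into the default superuser role.
     * Order: operator-supplied value from the environment; otherwise a
     * random one-time password (192 bits of entropy, URL-safe Base64).
     */
    static String resolveInitialSuperuserPassword(Map<String, String> env)
    {
        String supplied = env.get(INITIAL_SUPERUSER_PASSWORD_ENV);
        if (supplied != null && !supplied.isEmpty())
            return supplied;
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Guards the operator-supplied path: the shipped default must never be stored. */
    static boolean isWellKnownDefault(String password)
    {
        return WELL_KNOWN_DEFAULT.equals(password);
    }

    public static void main(String[] args)
    {
        String pw = resolveInitialSuperuserPassword(System.getenv());
        if (isWellKnownDefault(pw))
            throw new IllegalStateException("refusing to bootstrap with the well-known default password");
        // In the page's setupDefaultRole() this value would be what escape(hashpw(...)) receives.
        // Printing it here is for the demonstration only; a real bootstrap would hand it to the
        // operator once (e.g. a root-only file) and require rotation on first login.
        System.out.println("one-time superuser password: " + pw);
    }
}
```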
