You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "C. Scott Andreas (JIRA)" <ji...@apache.org> on 2018/11/19 02:18:01 UTC

[jira] [Updated] (CASSANDRA-12326) Use of getByAddress() to retrieve InetAddress object

     [ https://issues.apache.org/jira/browse/CASSANDRA-12326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

C. Scott Andreas updated CASSANDRA-12326:
-----------------------------------------
    Component/s: Core

> Use of getByAddress() to retrieve InetAddress object
> ----------------------------------------------------
>
>                 Key: CASSANDRA-12326
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12326
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
> Issue:
> There are four places in the Cassandra source code that rely upon a call to getByAddress() to retrieve an InetAddress object. The information returned by getByAddress() is not trustworthy. Attackers can spoof DNS entries and depending on getByAddress alone invites DNS spoofing attacks.
> The four places in the Cassandra source code where getByAddress() is used:
> MutationVerbHandler.java Line 58
> CompactEndpointSerializationHelper.java Line 38
> InetAddressSerializer.java Line 38, 58
> MutationVerbHandler.java, lines 49-59:
> {code:java}
> 49 if (from == null)
> 50 {
> 51     replyTo = message.from;
> 52     byte[] forwardBytes = message.parameters.get(Mutation.FORWARD_TO);
> 53     if (forwardBytes != null)
> 54         forwardToLocalNodes(message.payload, message.verb, forwardBytes, message.from);
> 55 }
> 56 else
> 57 {
> 58     replyTo = InetAddress.getByAddress(from);
> 59 }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org