[
https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeremiah Jordan updated CASSANDRA-12307:
----------------------------------------
Reproduced In: 3.0.5
Fix Version/s: (was: 3.0.5)
> Command Injection
> -----------------
>
> Key: CASSANDRA-12307
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
> Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string
> properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The
> only processing performed on the command strings is that tokens are replaced
> by data available at runtime.
> A malicious command could be entered into the system by storing the malicious
> command in place of the valid archiveCommand or restoreCommand. The malicious
> command would then be executed on line 265 within the exec method.
> Any commands that are stored and retrieved should be verified prior to
> execution. Assuming that the command is safe because it is stored as a local
> property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91  String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92  String restoreCommand = commitlog_commands.getProperty("restore_command");
>
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
>
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154     if (Strings.isNullOrEmpty(archiveCommand))
> 155         return;
> 156
> 157     archivePending.put(name, executor.submit(new WrappedRunnable()
> 158     {
> 159         protected void runMayThrow() throws IOException
> 160         {
> 161             String command = archiveCommand.replace("%name", name);
> 162             command = command.replace("%path", path);
> 163             exec(command);
> 164         }
> 165     }));
> 166 }
> {code}
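
One way to verify a stored command before execution, as the report recommends. This is an added example, not Cassandra code and not the resolution of this issue; the class `VerifiedCommand`, the `ALLOWED_EXECUTABLES` set and the path `/usr/local/bin/archive-commitlog` are assumptions made for illustration. It also splits the template before substituting `%name` and `%path`, so a substituted value containing a space stays a single argument.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not Cassandra code. All names and paths below are hypothetical.
public final class VerifiedCommand
{
    // Assumed operator-approved archive/restore executables (absolute paths only).
    private static final Set<Path> ALLOWED_EXECUTABLES =
        Set.of(Paths.get("/usr/local/bin/archive-commitlog"));

    /** Builds argv from the configured template; throws if the executable is not approved. */
    static List<String> buildArgv(String template, String name, String path)
    {
        // Tokenize first, substitute second: the order in maybeArchive/exec is the
        // reverse, which lets a space inside %path or %name create extra arguments.
        String[] tokens = template.trim().split("\\s+");
        if (tokens[0].isEmpty())
            throw new IllegalArgumentException("empty command");

        Path exe = Paths.get(tokens[0]).normalize();
        if (!exe.isAbsolute() || !ALLOWED_EXECUTABLES.contains(exe))
            throw new IllegalArgumentException("executable not approved: " + tokens[0]);

        List<String> argv = new ArrayList<>();
        argv.add(exe.toString());
        for (int i = 1; i < tokens.length; i++)
            argv.add(tokens[i].replace("%name", name).replace("%path", path));
        return argv;
    }

    static ProcessBuilder verified(String template, String name, String path)
    {
        ProcessBuilder pb = new ProcessBuilder(buildArgv(template, name, path));
        pb.redirectErrorStream(true);
        return pb;
    }

    public static void main(String[] args)
    {
        // Constructed inputs: one approved template, one unapproved executable.
        String ok = "/usr/local/bin/archive-commitlog %path /backup/%name";
        System.out.println(buildArgv(ok, "CommitLog-6-1.log", "/var/lib/commitlog/CommitLog 6.log"));
        try { buildArgv("/tmp/unapproved-tool %path", "n", "p"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The allowlist check compares normalized paths only; it does not resolve symlinks, so the approved locations should themselves be writable only by the administrator.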