[ https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremiah Jordan updated CASSANDRA-12307:
----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s: (was: 3.0.5)

> Command Injection
> -----------------
>
>         Key: CASSANDRA-12307
>         URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
>     Project: Cassandra
>  Issue Type: Bug
>    Reporter: Eduardo Aguinaga
>    Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string
> properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The
> only processing performed on the command strings is that tokens are replaced
> by data available at runtime.
> A malicious command could be entered into the system by storing the malicious
> command in place of the valid archiveCommand or restoreCommand. The malicious
> command would then be executed on line 265 within the exec method.
> Any commands that are stored and retrieved should be verified prior to
> execution. Assuming that the command is safe because it is stored as a local
> property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154     if (Strings.isNullOrEmpty(archiveCommand))
> 155         return;
> 156
> 157     archivePending.put(name, executor.submit(new WrappedRunnable()
> 158     {
> 159         protected void runMayThrow() throws IOException
> 160         {
> 161             String command = archiveCommand.replace("%name", name);
> 162             command = command.replace("%path", path);
> 163             exec(command);
> 164         }
> 165     }));
> 166 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
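
One way to verify a stored command before execution, as the report recommends. This is an added Java example, not part of the original message and not Cassandra's own code. The class name CheckedArchiveCommand, the allow-listed path /usr/local/bin/archive-commitlog, and the segment-name pattern are assumptions made for illustration, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class CheckedArchiveCommand
{
    // Assumption: operators list the only executables the archiver may start.
    private static final Set<Path> ALLOWED = Set.of(Paths.get("/usr/local/bin/archive-commitlog"));
    // Assumption: segment names are plain file names without separators or spaces.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]+");

    /** Builds an argv from the stored template, or throws if verification fails. */
    static List<String> build(String template, String path, String name)
    {
        if (!SAFE_NAME.matcher(name).matches())
            throw new IllegalArgumentException("unexpected segment name: " + name);
        // Split the template BEFORE substituting tokens, so runtime values
        // can never add or reorder arguments.
        String[] tokens = template.trim().split("\\s+");
        Path exe = Paths.get(tokens[0]).normalize();
        if (!exe.isAbsolute() || !ALLOWED.contains(exe))
            throw new IllegalArgumentException("executable not allowed: " + tokens[0]);
        List<String> argv = new ArrayList<>();
        argv.add(exe.toString());
        for (int i = 1; i < tokens.length; i++)
            argv.add(tokens[i].replace("%name", name).replace("%path", path));
        return argv;
    }

    public static void main(String[] args)
    {
        // Constructed sample values, not taken from a real deployment.
        String path = "/var/lib/cassandra/commit log/CommitLog-6-1.log";
        String name = "CommitLog-6-1.log";
        // The path contains a space but is substituted into a single argument.
        System.out.println(build("/usr/local/bin/archive-commitlog %path /backup/%name", path, name));
        try
        {
            build("/opt/unknown/tool %path", path, name);
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A verified argument list would be passed to new ProcessBuilder(argv) in place of command.split(" ") on line 263.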