[ https://issues.apache.org/jira/browse/CASSANDRA-12306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremiah Jordan updated CASSANDRA-12306:
----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12306
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12306
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> In the file NodeTool.java on lines 239, 242 and 291 a string object is used
> to store sensitive data. String objects are immutable and should not be used
> to store sensitive data. Sensitive data should be stored in char or byte
> arrays and the contents of those arrays should be cleared ASAP. Operations
> performed on string objects will require that the original object be copied
> and the operation be applied in the new copy of the string object. This
> results in the likelihood that multiple copies of sensitive data will be
> present in the heap until garbage collection takes place.
>
> The snippet below shows the issue on lines 239 and 242:
>
> NodeTool.java, lines 229-243:
> {code:java}
> 229     private String password = EMPTY;
> 230
> 231     @Option(type = OptionType.GLOBAL, name = {"-pwf", "--password-file"}, description = "Path to the JMX password file")
> 232     private String passwordFilePath = EMPTY;
> 233
> 234     @Override
> 235     public void run()
> 236     {
> 237         if (isNotEmpty(username)) {
> 238             if (isNotEmpty(passwordFilePath))
> 239                 password = readUserPasswordFromFile(username, passwordFilePath);
> 240
> 241             if (isEmpty(password))
> 242                 password = promptAndReadPassword();
> 243         }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
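An added example (not Cassandra code) of the pattern the report recommends: read the JMX password file into a char[] and zero every intermediate buffer before returning, so the caller holds exactly one array to wipe. The class and method names and the password-file format (one `user password` pair per line) are assumptions.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public final class PasswordFileReader {

    // Returns the password for 'username' from a file of "user password" lines
    // (assumed format) as a fresh char[] that the caller must wipe with
    // Arrays.fill. Every intermediate copy made here is zeroed before returning.
    static char[] readUserPassword(Path passwordFile, String username) throws IOException {
        byte[] raw = Files.readAllBytes(passwordFile);   // copy 1: the file's bytes
        CharBuffer decoded = null;
        try {
            decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw)); // copy 2: decoded chars
            char[] text = decoded.array();
            int len = decoded.limit();
            int lineStart = 0;
            for (int i = 0; i <= len; i++) {          // scan line by line, no String created
                if (i == len || text[i] == '\n') {
                    int lineEnd = (i > lineStart && text[i - 1] == '\r') ? i - 1 : i;
                    char[] match = matchLine(text, lineStart, lineEnd, username);
                    if (match != null) return match;  // finally still wipes copies 1 and 2
                    lineStart = i + 1;
                }
            }
            return null;
        } finally {
            Arrays.fill(raw, (byte) 0);
            if (decoded != null) Arrays.fill(decoded.array(), '\0');
        }
    }

    // If the line reads "username<whitespace>password", return a copy of the password part.
    private static char[] matchLine(char[] text, int start, int end, String username) {
        int sep = start;
        while (sep < end && !Character.isWhitespace(text[sep])) sep++;
        if (sep - start != username.length()) return null;
        for (int k = 0; k < username.length(); k++)
            if (text[start + k] != username.charAt(k)) return null;
        while (sep < end && Character.isWhitespace(text[sep])) sep++;
        return Arrays.copyOfRange(text, sep, end);
    }
}
```

The caller should use the returned array inside a try/finally that ends with `Arrays.fill(password, '\0')` and never convert it with `String.valueOf`. Note that the standard JMX RMI connector takes its credentials as a `String[]` under `jmx.remote.credentials`, so this pattern only shortens the window: the final String copy handed to the connector still lives until garbage collection.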