[ https://issues.apache.org/jira/browse/CASSANDRA-12310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15394855#comment-15394855 ]
sankalp kohli commented on CASSANDRA-12310:
-------------------------------------------

reverse DNS lookup might not be available in all environments.

> Use of getByName() to retrieve IP address
> -----------------------------------------
>
>                 Key: CASSANDRA-12310
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are many places in the Cassandra source code that rely upon a call to
> getByName() to retrieve an IP address. The information returned by
> getByName() is not trustworthy. Attackers can spoof DNS entries, and depending
> on getByName alone invites DNS spoofing attacks.
>
> This is an example from the file DatabaseDescriptor.java, where there are
> examples of the use of getByName() on lines 193, 213, 233, 254, 947 and 949.
>
> {code:java}
> DatabaseDescriptor.java, lines 231-238:
> 231 try
> 232 {
> 233     rpcAddress = InetAddress.getByName(config.rpc_address);
> 234 }
> 235 catch (UnknownHostException e)
> 236 {
> 237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
> 238 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
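The finding quoted above is that `InetAddress.getByName()` silently performs a forward DNS lookup whenever the configured value is a hostname rather than a numeric literal, so the bind address can end up depending on a resolver answer. The following is an added illustration, not Cassandra code and not part of this issue, of one way a configuration parser can make that dependency explicit: accept numeric IPv4/IPv6 literals without ever touching DNS, and either reject hostnames outright or resolve them once while reporting that a lookup happened. It assumes Guava's `com.google.common.net.InetAddresses` is on the classpath (Cassandra ships Guava, but the helper class, policy enum and sample values here are hypothetical).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

import com.google.common.net.InetAddresses;

/**
 * Hypothetical helper (not Cassandra's DatabaseDescriptor) showing how a
 * bind address read from configuration can be parsed without an implicit
 * DNS dependency hidden inside InetAddress.getByName().
 */
public final class BindAddressParser
{
    /** Whether a hostname (as opposed to a numeric literal) is acceptable at all. */
    public enum Policy { LITERAL_ONLY, ALLOW_HOSTNAME }

    private BindAddressParser() {}

    /**
     * Parses a configured address such as rpc_address.
     *
     * Under LITERAL_ONLY a hostname is rejected, so the returned address can
     * never depend on what a resolver answered. Under ALLOW_HOSTNAME exactly
     * one forward lookup is performed and is reported on stderr, so an operator
     * can see at startup that the value was resolved rather than taken literally.
     */
    public static InetAddress parse(String settingName, String value, Policy policy)
    {
        if (value == null || value.trim().isEmpty())
            throw new IllegalArgumentException(settingName + " must not be empty");

        String trimmed = value.trim();

        // Guava's isInetAddress()/forString() accept only numeric IPv4/IPv6
        // literals and never consult DNS, unlike InetAddress.getByName().
        if (InetAddresses.isInetAddress(trimmed))
            return InetAddresses.forString(trimmed);

        if (policy == Policy.LITERAL_ONLY)
            throw new IllegalArgumentException(settingName + " must be a numeric IP literal, got hostname '" + trimmed + "'");

        try
        {
            InetAddress resolved = InetAddress.getByName(trimmed);
            System.err.printf("warning: %s=%s was resolved via DNS to %s; trust in this value is trust in the resolver%n",
                              settingName, trimmed, resolved.getHostAddress());
            return resolved;
        }
        catch (UnknownHostException e)
        {
            // Mirrors the message style of the quoted Cassandra snippet.
            throw new IllegalArgumentException("Unknown host in " + settingName + " " + trimmed, e);
        }
    }

    public static void main(String[] args)
    {
        // Constructed sample values (RFC 5737 / RFC 3849 documentation ranges),
        // not taken from any real deployment.
        System.out.println(parse("rpc_address", "192.0.2.10", Policy.LITERAL_ONLY));
        System.out.println(parse("rpc_address", "2001:db8::1", Policy.LITERAL_ONLY));
        try
        {
            parse("rpc_address", "db.example.internal", Policy.LITERAL_ONLY);
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The LITERAL_ONLY policy is the one that removes the static-analysis finding entirely; ALLOW_HOSTNAME keeps the operator convenience of hostnames in cassandra.yaml while making the lookup visible in the startup log instead of buried in a getByName() call.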