[ https://issues.apache.org/jira/browse/CASSANDRA-12322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeremiah Jordan updated CASSANDRA-12322:
----------------------------------------

    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12322
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12322
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
>
> The snippet below shows the issue on lines 112-116 by instantiating a class by name.
>
> FastByteOperations.java, lines 103-127:
> {code:java}
> 103     static ByteOperations getBest()
> 104     {
> 105         String arch = System.getProperty("os.arch");
> 106         boolean unaligned = arch.equals("i386") || arch.equals("x86")
> 107                 || arch.equals("amd64") || arch.equals("x86_64") || arch.equals("s390x");
> 108         if (!unaligned)
> 109             return new PureJavaOperations();
> 110         try
> 111         {
> 112             Class<?> theClass = Class.forName(UNSAFE_COMPARER_NAME);
> 113
> 114             // yes, UnsafeComparer does implement Comparer<byte[]>
> 115             @SuppressWarnings("unchecked")
> 116             ByteOperations comparer = (ByteOperations) theClass.getConstructor().newInstance();
> 117             return comparer;
> 118         }
> 119         catch (Throwable t)
> 120         {
> 121             JVMStabilityInspector.inspectThrowable(t);
> 122             // ensure we really catch *everything*
> 123             return new PureJavaOperations();
> 124         }
> 125     }
> 126
> 127 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
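As an added illustration, not code from the Cassandra project or from this ticket, the shape of loader that satisfies the finding quoted above: the candidate class name is compared against a fixed allowlist and checked for the expected supertype before any instance is created, so a value that could arrive from configuration or the environment cannot select an arbitrary class. `ByteOperations`, `PureJavaOperations`, the allowlisted name and `SafeByteOperationsLoader` are assumed stand-ins for the ticket's identifiers.

```java
import java.util.Set;

// Assumed stand-ins for the ticket's types; not Cassandra's real classes.
interface ByteOperations { int compare(byte[] a, byte[] b); }

final class PureJavaOperations implements ByteOperations {
    public int compare(byte[] a, byte[] b) {
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int d = (a[i] & 0xff) - (b[i] & 0xff);
            if (d != 0) return d;
        }
        return a.length - b.length;
    }
}

final class SafeByteOperationsLoader {
    // The only implementation this loader may ever instantiate by name.
    // Stands in for the ticket's UNSAFE_COMPARER_NAME; the value is a placeholder.
    private static final Set<String> ALLOWED = Set.of("org.example.UnsafeOperations");

    static ByteOperations getBest(String requestedName) {
        // Reject anything not on the allowlist before Class.forName is reached,
        // which is the control the CWE-470 finding says is missing.
        if (requestedName == null || !ALLOWED.contains(requestedName))
            return new PureJavaOperations();
        try {
            // initialize=false: no static initializer runs until the type check passes.
            Class<?> raw = Class.forName(requestedName, false,
                                         SafeByteOperationsLoader.class.getClassLoader());
            // asSubclass replaces the unchecked cast: a wrong type fails here, not at use.
            Class<? extends ByteOperations> impl = raw.asSubclass(ByteOperations.class);
            return impl.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException | LinkageError e) {
            // Missing or mismatched optional implementation: fall back to pure Java.
            return new PureJavaOperations();
        }
    }
}
```

A name that is not on the allowlist, or that resolves to a class that does not implement `ByteOperations`, yields the pure-Java fallback rather than an exception at the call site.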