Eduardo Aguinaga created CASSANDRA-12333:
--------------------------------------------

             Summary: Password Management: Hardcoded Password
                 Key: CASSANDRA-12333
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of 
the Cassandra source code. The analysis included an automated analysis using HP 
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The 
results of that analysis include the issue below.

Issue:
Hardcoded passwords may compromise system security in a way that cannot be 
easily remedied. In CassandraRoleManager.java on line 77 the default superuser 
password is set to "cassandra".

CassandraRoleManager.java, lines 72-77:
{code:java}
72 public class CassandraRoleManager implements IRoleManager
73 {
74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
75 
76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
{code}

CassandraRoleManager.java, lines 326-338:
{code:java}
326 private static void setupDefaultRole()
327 {
328     try
329     {
330         if (!hasExistingRoles())
331         {
332             QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
333                                                  "VALUES ('%s', true, true, '%s')",
334                                                  AuthKeyspace.NAME,
335                                                  AuthKeyspace.ROLES,
336                                                  DEFAULT_SUPERUSER_NAME,
337                                                  escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
338                                    consistencyForRole(DEFAULT_SUPERUSER_NAME));
{code}
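As an added illustration (not Cassandra's code and not this ticket's resolution), one way the bootstrap step could avoid the literal on line 77: take the initial superuser password from an operator-supplied environment variable, and otherwise generate a random one that is written to an owner-only file for a single read before rotation. The variable name `CASSANDRA_INITIAL_SUPERUSER_PASSWORD` and the file path are hypothetical; the helper would replace `DEFAULT_SUPERUSER_PASSWORD` in the `hashpw(...)` call on line 337.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

/** Added example: supplies the one-time superuser password without a literal in source. */
public final class SuperuserBootstrap
{
    // Hypothetical operator-facing names, not part of Cassandra.
    static final String PASSWORD_ENV = "CASSANDRA_INITIAL_SUPERUSER_PASSWORD";
    static final Path ONE_TIME_FILE = Paths.get("/var/lib/cassandra/initial_superuser_password");

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Returns the password to hash for the default superuser.
     * Preference order: explicit operator value, then a fresh random secret.
     * There is deliberately no third branch, so no fixed value can ship in the binary.
     */
    static String initialSuperuserPassword() throws IOException
    {
        String fromEnv = System.getenv(PASSWORD_ENV);
        if (fromEnv != null && !fromEnv.isEmpty())
            return fromEnv;

        // 24 random bytes -> 32 URL-safe characters; Base64 keeps it printable for the operator.
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String generated = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        // Create the file with 0600 permissions before writing so it is never world-readable,
        // and fail (CREATE_NEW semantics of createFile) rather than overwrite an existing file.
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Files.createFile(ONE_TIME_FILE, PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.write(ONE_TIME_FILE, generated.getBytes(StandardCharsets.UTF_8));
        return generated;
    }

    private SuperuserBootstrap() {}
}
```

The operator reads the file once, logs in, runs `ALTER ROLE` to set a password of their own, and deletes the file; the generated value is never written to the node's log.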



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)