Eduardo Aguinaga created CASSANDRA-12333: --------------------------------------------
Summary: Password Management: Hardcoded Password
Key: CASSANDRA-12333
URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
Project: Cassandra
Issue Type: Bug
Reporter: Eduardo Aguinaga
Fix For: 3.0.5

Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
Hardcoded passwords may compromise system security in a way that cannot be easily remedied. In CassandraRoleManager.java on line 77 the default superuser password is set to "cassandra".

CassandraRoleManager.java, lines 72-77:
{code:java}
72 public class CassandraRoleManager implements IRoleManager
73 {
74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
75
76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
{code}

CassandraRoleManager.java, lines 326-338:
{code:java}
326     private static void setupDefaultRole()
327     {
328         try
329         {
330             if (!hasExistingRoles())
331             {
332                 QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
333                                                      "VALUES ('%s', true, true, '%s')",
334                                                      AuthKeyspace.NAME,
335                                                      AuthKeyspace.ROLES,
336                                                      DEFAULT_SUPERUSER_NAME,
337                                                      escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
338                                        consistencyForRole(DEFAULT_SUPERUSER_NAME));
{code}

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
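The bootstrap shown above, setupDefaultRole(), seeds the first superuser with a compiled-in password when no roles exist yet. The following is an added illustration, not Cassandra's code and not a proposed patch to it: it models the same bootstrap in Python with the initial password taken from the environment instead of a constant, refuses to seed the well-known default, and includes the audit check an operator would run afterwards to find roles that still authenticate with that default. The environment variable name INITIAL_SUPERUSER_PASSWORD, the in-memory roles dict standing in for system_auth.roles, and the PBKDF2 stand-in for Cassandra's bcrypt-based hashpw() are all assumptions made for the example.

```python
"""Illustrative superuser bootstrap without a hardcoded password (added example, not Cassandra code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

DEFAULT_SUPERUSER_NAME = "cassandra"
WELL_KNOWN_DEFAULT_PASSWORD = "cassandra"      # the value flagged in the report; kept only to detect it
INITIAL_PASSWORD_ENV = "INITIAL_SUPERUSER_PASSWORD"  # hypothetical variable name, an assumption

# A role row as it would appear in system_auth.roles (constructed stand-in for the table).
Role = Dict[str, object]


def hashpw(password: str, salt: Optional[bytes] = None) -> str:
    """Salted password hash. PBKDF2-HMAC-SHA256 stands in for Cassandra's bcrypt hashpw()."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2-sha256${salt.hex()}${dk.hex()}"


def checkpw(password: str, salted_hash: str) -> bool:
    """Verify a password against a stored hash in constant time on the digest comparison."""
    algo, salt_hex, dk_hex = salted_hash.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def initial_superuser_password(env: Dict[str, str]) -> str:
    """Source the bootstrap password from deployment configuration; fail closed if absent or default."""
    password = env.get(INITIAL_PASSWORD_ENV, "")
    if not password:
        raise RuntimeError(f"{INITIAL_PASSWORD_ENV} must be set before first start")
    if password == WELL_KNOWN_DEFAULT_PASSWORD:
        raise ValueError("refusing to seed the superuser with the well-known default password")
    return password


def setup_default_role(roles: Dict[str, Role], env: Dict[str, str]) -> bool:
    """Mirror of setupDefaultRole(): seed the superuser only when no roles exist. Returns True if seeded."""
    if roles:                      # hasExistingRoles()
        return False
    password = initial_superuser_password(env)
    roles[DEFAULT_SUPERUSER_NAME] = {
        "is_superuser": True,
        "can_login": True,
        "salted_hash": hashpw(password),
    }
    return True


def roles_with_default_password(roles: Dict[str, Role]) -> list:
    """Audit: names of login-capable roles whose stored hash still matches the well-known default."""
    return sorted(
        name for name, row in roles.items()
        if row.get("can_login") and checkpw(WELL_KNOWN_DEFAULT_PASSWORD, str(row["salted_hash"]))
    )


if __name__ == "__main__":
    fresh_cluster: Dict[str, Role] = {}
    setup_default_role(fresh_cluster, {INITIAL_PASSWORD_ENV: "example-bootstrap-secret"})  # constructed value
    print("seeded roles:", list(fresh_cluster))
    print("roles still on the default password:", roles_with_default_password(fresh_cluster))
```

The audit function is the part worth keeping even where the bootstrap cannot be changed: the report's concern is that the constant is compiled in, but the operational risk is a cluster whose superuser was never rotated, and that is observable from the stored hash alone.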