[
https://issues.apache.org/jira/browse/CASSANDRA-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eduardo Aguinaga updated CASSANDRA-12333:
-----------------------------------------
Reproduced In: 3.0.5
Fix Version/s: (was: 3.0.5)
> Password Management: Hardcoded Password
> ---------------------------------------
>
> Key: CASSANDRA-12333
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Hardcoded passwords may compromise system security in a way that cannot be
> easily remedied. In CassandraRoleManager.java on line 77 the default
> superuser password is set to "cassandra".
> CassandraRoleManager.java, lines 72-77:
> {code:java}
> 72 public class CassandraRoleManager implements IRoleManager
> 73 {
> 74 private static final Logger logger =
> LoggerFactory.getLogger(CassandraRoleManager.class);
> 75
> 76 static final String DEFAULT_SUPERUSER_NAME = "cassandra";
> 77 static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
> CassandraRoleManager.java, lines 326-338:
> 326 private static void setupDefaultRole()
> 327 {
> 328 try
> 329 {
> 330 if (!hasExistingRoles())
> 331 {
> 332 QueryProcessor.process(String.format("INSERT INTO %s.%s
> (role, is_superuser, can_login, salted_hash) " +
> 333 "VALUES ('%s', true,
> true, '%s')",
> 334 AuthKeyspace.NAME,
> 335 AuthKeyspace.ROLES,
> 336 DEFAULT_SUPERUSER_NAME,
> 337
> escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
> 338
> consistencyForRole(DEFAULT_SUPERUSER_NAME));
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
