[ https://issues.apache.org/jira/browse/CASSANDRA-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eduardo Aguinaga updated CASSANDRA-12333:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Password Management: Hardcoded Password
> ---------------------------------------
>
>                 Key: CASSANDRA-12333
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12333
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Hardcoded passwords may compromise system security in a way that cannot be
> easily remedied. In CassandraRoleManager.java on line 77 the default
> superuser password is set to "cassandra".
>
> CassandraRoleManager.java, lines 72-77:
> {code:java}
> 72 public class CassandraRoleManager implements IRoleManager
> 73 {
> 74     private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
> 75
> 76     static final String DEFAULT_SUPERUSER_NAME = "cassandra";
> 77     static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
>
> CassandraRoleManager.java, lines 326-338:
> 326     private static void setupDefaultRole()
> 327     {
> 328         try
> 329         {
> 330             if (!hasExistingRoles())
> 331             {
> 332                 QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) " +
> 333                                                      "VALUES ('%s', true, true, '%s')",
> 334                                                      AuthKeyspace.NAME,
> 335                                                      AuthKeyspace.ROLES,
> 336                                                      DEFAULT_SUPERUSER_NAME,
> 337                                                      escape(hashpw(DEFAULT_SUPERUSER_PASSWORD))),
> 338                                        consistencyForRole(DEFAULT_SUPERUSER_NAME));
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
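Added editorial example, not Cassandra's code and not part of the reporter's issue text: a self-contained sketch of how the bootstrap in setupDefaultRole() can avoid a compile-time password constant. The class name, the CASSANDRA_BOOTSTRAP_PASSWORD environment variable, and the record layout are assumptions made for this illustration; PBKDF2 from the JDK stands in for the bcrypt hashpw() call shown in the report, and the role is kept as an in-memory record rather than written to the roles table. It requires Java 16 or later (records). The idea is the one the issue implies: the initial superuser password is either supplied by the operator at deployment time or generated randomly on first start, is never the well-known literal, and a separate check lets an operator detect a role that is still protected by the legacy default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative bootstrap of an initial superuser without a hard-coded
 * password. Names here are invented for the example; this is not the
 * CassandraRoleManager implementation.
 */
public class BootstrapSuperuser {

    static final String DEFAULT_SUPERUSER_NAME = "cassandra";
    // The literal from the report, retained only so usesLegacyDefault() can
    // recognise a role that was seeded the old way. It is never installed.
    static final String LEGACY_DEFAULT_PASSWORD = "cassandra";

    static final String ENV_BOOTSTRAP_PASSWORD = "CASSANDRA_BOOTSTRAP_PASSWORD"; // assumed variable name
    static final int PBKDF2_ITERATIONS = 210_000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    /** Seeded role: salt and hash are Base64; oneTimePassword is set only when generated here. */
    public record SeededRole(String name, String salt, String hash,
                             boolean mustChangePassword, String oneTimePassword) {}

    /** Hardened counterpart of the constant-password seeding in setupDefaultRole(). */
    public static SeededRole seedDefaultRole(Map<String, String> env, SecureRandom rng)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String password = env.get(ENV_BOOTSTRAP_PASSWORD);
        boolean generated = false;
        if (password == null || password.isBlank()) {
            // No operator-supplied secret: mint a random one-time password so the
            // initial credential differs on every installation.
            password = randomPassword(rng, 24);
            generated = true;
        } else if (LEGACY_DEFAULT_PASSWORD.equals(password)) {
            throw new IllegalArgumentException("bootstrap password must not be the well-known default");
        }
        byte[] salt = new byte[SALT_BYTES];
        rng.nextBytes(salt);
        String hash = hashPassword(password, salt);
        // An operator-supplied secret is never echoed back; a generated one must be
        // shown once so the operator can log in and rotate it.
        return new SeededRole(DEFAULT_SUPERUSER_NAME, b64(salt), hash, true, generated ? password : null);
    }

    /** Salted, iterated hash (PBKDF2-HMAC-SHA256) standing in for bcrypt hashpw(). */
    public static String hashPassword(String password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] derived = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return b64(derived);
    }

    /** Operator check: does this stored role still verify against the legacy default? */
    public static boolean usesLegacyDefault(SeededRole role)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = Base64.getDecoder().decode(role.salt());
        byte[] expected = hashPassword(LEGACY_DEFAULT_PASSWORD, salt).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = role.hash().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, stored); // constant-time comparison
    }

    static String randomPassword(SecureRandom rng, int length) {
        // Alphabet without visually ambiguous characters, since the value is shown once to a human.
        String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(alphabet.charAt(rng.nextInt(alphabet.length())));
        }
        return sb.toString();
    }

    static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();

        // Fresh install with no operator-supplied secret: a random one-time password is generated.
        SeededRole fresh = seedDefaultRole(Map.of(), rng);
        System.out.println("seeded " + fresh.name() + "; one-time password: " + fresh.oneTimePassword());
        System.out.println("fresh role on legacy default? " + usesLegacyDefault(fresh));

        // Constructed record seeded the old way, to show what the operator check flags.
        byte[] salt = new byte[SALT_BYTES];
        rng.nextBytes(salt);
        SeededRole legacy = new SeededRole(DEFAULT_SUPERUSER_NAME, b64(salt),
                                           hashPassword(LEGACY_DEFAULT_PASSWORD, salt), false, null);
        System.out.println("legacy record on legacy default? " + usesLegacyDefault(legacy));
    }
}
```

Run with `java BootstrapSuperuser.java` (single-file launch, Java 11+ with records available from 16). The second call to usesLegacyDefault() is what an operator would run against stored credentials after an upgrade: because the hash is salted, the check recomputes the legacy hash under the role's own salt rather than comparing against a fixed digest, and the comparison is constant-time so the check itself does not leak timing information.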