[ https://issues.apache.org/jira/browse/CASSANDRA-12326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eduardo Aguinaga updated CASSANDRA-12326:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Use of getByAddress() to retrieve InetAddress object
> ----------------------------------------------------
>
>                 Key: CASSANDRA-12326
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12326
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are four places in the Cassandra source code that rely upon a call to
> getByAddress() to retrieve an InetAddress object. The information returned by
> getByAddress() is not trustworthy. Attackers can spoof DNS entries and
> depending on getByAddress alone invites DNS spoofing attacks.
>
> The four places in the Cassandra source code where getByAddress() is used:
> MutationVerbHandler.java Line 58
> CompactEndpointSerializationHelper.java Line 38
> InetAddressSerializer.java Line 38, 58
>
> MutationVerbHandler.java, lines 49-59:
> {code:java}
> 49 if (from == null)
> 50 {
> 51     replyTo = message.from;
> 52     byte[] forwardBytes = message.parameters.get(Mutation.FORWARD_TO);
> 53     if (forwardBytes != null)
> 54         forwardToLocalNodes(message.payload, message.verb, forwardBytes, message.from);
> 55 }
> 56 else
> 57 {
> 58     replyTo = InetAddress.getByAddress(from);
> 59 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
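
An added example, not part of the original report and not Cassandra's own code: a sketch of treating the `from` bytes in the quoted snippet as untrusted input by checking the resulting address against a set of known cluster members. Per the Javadoc, `InetAddress.getByAddress(byte[])` builds the object from the raw bytes without a name service lookup, so the membership check is what constrains a peer-supplied reply-to address. `PeerAddressCheck`, `knownPeers`, `resolveReplyTo` and the sample addresses are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;

// Added illustration; PeerAddressCheck and knownPeers are hypothetical names,
// not Cassandra classes. Addresses below are constructed sample values.
public final class PeerAddressCheck
{
    private final Set<InetAddress> knownPeers;

    public PeerAddressCheck(Set<InetAddress> knownPeers)
    {
        this.knownPeers = Set.copyOf(knownPeers);
    }

    /**
     * Turns peer-supplied raw bytes into a reply-to address, accepting it only
     * when it is a well-formed IPv4/IPv6 address of a known cluster member.
     */
    public InetAddress resolveReplyTo(byte[] from, InetAddress sender) throws UnknownHostException
    {
        if (from == null)
            return sender;                       // same fallback as the quoted code
        if (from.length != 4 && from.length != 16)
            throw new UnknownHostException("bad address length: " + from.length);

        // Built from the raw bytes only; no name service lookup is performed.
        InetAddress candidate = InetAddress.getByAddress(from);
        if (!knownPeers.contains(candidate))
            throw new UnknownHostException("reply-to is not a known peer: " + candidate.getHostAddress());
        return candidate;
    }

    public static void main(String[] args) throws Exception
    {
        InetAddress a = InetAddress.getByAddress(new byte[]{ 10, 0, 0, 1 });
        InetAddress b = InetAddress.getByAddress(new byte[]{ 10, 0, 0, 2 });
        PeerAddressCheck check = new PeerAddressCheck(Set.of(a, b));

        System.out.println(check.resolveReplyTo(new byte[]{ 10, 0, 0, 2 }, a)); // member: accepted
        try
        {
            check.resolveReplyTo(new byte[]{ (byte) 192, 0, 2, 7 }, a);         // not a member
        }
        catch (UnknownHostException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```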