[ https://issues.apache.org/jira/browse/CASSANDRA-12297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12297: --------------------------------------- Issue Type: Sub-task (was: Bug) Parent: CASSANDRA-12334 > Privacy VIolation - Heap Inspection > ----------------------------------- > > Key: CASSANDRA-12297 > URL: https://issues.apache.org/jira/browse/CASSANDRA-12297 > Project: Cassandra > Issue Type: Sub-task > Reporter: Eduardo Aguinaga > Assignee: Jason Brown > > Overview: > In May through June of 2016 a static analysis was performed on version 3.0.5 > of the Cassandra source code. The analysis included > an automated analysis using HP Fortify v4.21 SCA and a manual analysis > utilizing SciTools Understand v4. The results of that > analysis includes the issue below. > Issue: > In the file PasswordAuthenticator.java on line 129, 164 and 222 a string > object is used to store sensitive data. String objects are immutable and > should not be used to store sensitive data. Sensitive data should be stored > in char or byte arrays and the contents of those arrays should be cleared > ASAP. Operations performed on string objects will require that the original > object be copied and the operation be applied in the new copy of the string > object. This results in the likelihood that multiple copies of sensitive data > being present in the heap until garbage collection takes place. > The snippet below shows the issue on line 129: > PasswordAuthenticator.java, lines 123-134: > {code:java} > 123 public AuthenticatedUser legacyAuthenticate(Map<String, String> > credentials) throws AuthenticationException > 124 { > 125 String username = credentials.get(USERNAME_KEY); > 126 if (username == null) > 127 throw new AuthenticationException(String.format("Required key > '%s' is missing", USERNAME_KEY)); > 128 > 129 String password = credentials.get(PASSWORD_KEY); > 130 if (password == null) > 131 throw new AuthenticationException(String.format("Required key > '%s' is missing", PASSWORD_KEY)); > 132 > 133 return authenticate(username, password); > 134 } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)