[ https://issues.apache.org/jira/browse/CASSANDRA-12310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12310:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of getByName() to retrieve IP address
> -----------------------------------------
>
>                 Key: CASSANDRA-12310
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12310
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are many places in the Cassandra source code that rely upon a call to
> getByName() to retrieve an IP address. The information returned by
> getByName() is not trustworthy. Attackers can spoof DNS entries, and depending
> on getByName alone invites DNS spoofing attacks.
>
> getByName() is used in multiple locations within the CASSANDRA source code:
> DatabaseDescriptor.java Line 193, 213, 233, 254, 947, 949
> RingCache.java Line 82
> InetAddressType.java Line 52
> FailureDetector.java Line 186
> Gossiper.java Line 228, 571, 1517, 1522
> CqlBulkRecordWriter.java Line 142, 301
> HintsService.java Line 265
> DynamicEndpointSnitch.java Line 320
> Ec2MultiRegionSnitch.java Line 49
> EndpointSnitchInfo.java Line 46, 51
> PropertyFileSnitch.java Line 175
> ReconnectableSnitchHelper.java Line 52
> SimpleSeedProvider.java Line 55
> MessagingService.java Line 943
> StorageService.java Line 1766, 1835, 2526
> ProgressInfoCompositeData.java Line 96
> SessionInfoCompositeData.java Line 126, 127
> BulkLoader.java Line 399, 422
> SetHostStat.java Line 50
>
> This is an example from the file DatabaseDescriptor.java, where there are
> examples of the use of getByName() on lines 193, 213, 233, 254, 947 and 949.
>
> DatabaseDescriptor.java, lines 231-238:
> {code:java}
> 231 try
> 232 {
> 233     rpcAddress = InetAddress.getByName(config.rpc_address);
> 234 }
> 235 catch (UnknownHostException e)
> 236 {
> 237     throw new ConfigurationException("Unknown host in rpc_address " + config.rpc_address, false);
> 238 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
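The report's point is that InetAddress.getByName() silently falls back to a DNS query whenever its argument is not a well-formed IP literal, so a configuration value such as rpc_address ends up trusting whatever the resolver returns. The helper below is an added illustration, not Cassandra code and not a proposed patch for the issue: it parses an IPv4 dotted-quad itself and hands the bytes to InetAddress.getByAddress(), which by contract never touches DNS, and it refuses anything else (a hostname, or a malformed literal like "999.1.1.1" that getByName() would quietly treat as a hostname). The class name LiteralAddressResolver and the sample values in main() are assumptions made for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

/**
 * Hypothetical helper (not part of Cassandra): turn a configured address
 * string into an InetAddress without ever consulting DNS.
 */
public final class LiteralAddressResolver
{
    private LiteralAddressResolver() {}

    /**
     * Returns the InetAddress for an IPv4 literal such as "10.0.0.5".
     * The octets are parsed here and passed to InetAddress.getByAddress(),
     * which only validates the byte array length and performs no lookup,
     * so a spoofed DNS answer cannot influence the result. Anything that is
     * not a strict dotted-quad is rejected instead of being resolved.
     */
    public static InetAddress resolveIPv4Literal(String value) throws UnknownHostException
    {
        if (value == null)
            throw new UnknownHostException("address is null");

        String[] parts = value.trim().split("\\.", -1);
        if (parts.length != 4)
            throw new UnknownHostException("not an IPv4 literal, DNS lookup refused: " + value);

        byte[] octets = new byte[4];
        for (int i = 0; i < 4; i++)
        {
            String p = parts[i];
            // Only 1-3 ASCII decimal digits per octet; getByName() would treat
            // "999.1.1.1" or "1.2.3.4x" as a hostname and query the resolver.
            if (p.isEmpty() || p.length() > 3)
                throw new UnknownHostException("not an IPv4 literal, DNS lookup refused: " + value);
            for (int k = 0; k < p.length(); k++)
            {
                char c = p.charAt(k);
                if (c < '0' || c > '9')
                    throw new UnknownHostException("not an IPv4 literal, DNS lookup refused: " + value);
            }
            int n = Integer.parseInt(p);
            if (n > 255)
                throw new UnknownHostException("octet out of range in: " + value);
            octets[i] = (byte) n;
        }
        // getByAddress(byte[]) builds the address from the bytes; no DNS involved.
        return InetAddress.getByAddress(octets);
    }

    public static void main(String[] args)
    {
        // Constructed sample values; not taken from any real cassandra.yaml.
        String[] samples = { "10.0.0.5", "999.1.1.1", "seed1.example.internal" };
        for (String s : samples)
        {
            try
            {
                System.out.println(s + " -> " + resolveIPv4Literal(s).getHostAddress());
            }
            catch (UnknownHostException e)
            {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The design choice is to make the DNS dependency explicit: a setting that is meant to hold an address either parses as one or fails configuration validation with a message naming the value, rather than depending on what the resolver happens to return at start-up. IPv6 literals would need the same treatment with their own parser, which is omitted here to keep the example short.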