[ https://issues.apache.org/jira/browse/CASSANDRA-12327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12327:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of getAllByName() to retrieve IP addresses
> ----------------------------------------------
>
>                 Key: CASSANDRA-12327
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12327
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Use of getAllByName() to retrieve IP addresses is not trustworthy.
> Attackers can spoof DNS entries.
>
> The file LimitedLocalNodeFirstLocalBalancingPolicy.java calls getAllByName()
> on line 66.
>
> LimitedLocalNodeFirstLocalBalancingPolicy.java, lines 64-72:
> {code:java}
> 64 try
> 65 {
> 66     InetAddress[] addresses = InetAddress.getAllByName(replica);
> 67     Collections.addAll(replicaAddresses, addresses);
> 68 }
> 69 catch (UnknownHostException e)
> 70 {
> 71     logger.warn("Invalid replica host name: {}, skipping it", replica);
> 72 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
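The following is an added illustration, not Cassandra's code and not a fix proposed in the ticket: it keeps the same `getAllByName()` lookup the finding points at, but only retains resolved addresses that also appear in a set of replica addresses known from a trusted source. The class `ReplicaAddressFilter`, the trusted set and the sample addresses are constructed for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper: DNS answers are treated as untrusted input and are
// cross-checked against addresses learned from a trusted source (for
// instance cluster metadata received over an authenticated connection).
public class ReplicaAddressFilter
{
    private final Set<InetAddress> trustedReplicas;

    public ReplicaAddressFilter(Set<InetAddress> trustedReplicas)
    {
        this.trustedReplicas = trustedReplicas;
    }

    /** Resolves each name as the original policy does, then drops any address not in the trusted set. */
    public Set<InetAddress> resolveTrusted(List<String> replicaNames)
    {
        Set<InetAddress> replicaAddresses = new HashSet<>();
        for (String replica : replicaNames)
        {
            try
            {
                for (InetAddress address : InetAddress.getAllByName(replica))
                {
                    if (trustedReplicas.contains(address))
                        replicaAddresses.add(address);
                    else
                        System.err.printf("Ignoring %s for %s: not a known replica%n", address, replica);
                }
            }
            catch (UnknownHostException e)
            {
                System.err.printf("Invalid replica host name: %s, skipping it%n", replica);
            }
        }
        return replicaAddresses;
    }

    public static void main(String[] args) throws UnknownHostException
    {
        // Constructed sample: 10.0.0.5 is the only trusted replica; literal IPs need no DNS.
        Set<InetAddress> trusted = new HashSet<>();
        trusted.add(InetAddress.getByAddress(new byte[]{10, 0, 0, 5}));
        ReplicaAddressFilter filter = new ReplicaAddressFilter(trusted);
        // 10.0.0.5 is kept; 10.0.0.9 resolves fine but is rejected as unknown.
        System.out.println(filter.resolveTrusted(Arrays.asList("10.0.0.5", "10.0.0.9")));
    }
}
```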