[ https://issues.apache.org/jira/browse/CASSANDRA-12299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-12299:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12299
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12299
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> In the file CqlConfigHelper.java on lines 508, 533, 534 and 592 a string 
> object is used to store sensitive data. String objects are immutable and 
> should not be used to store sensitive data. Sensitive data should be stored 
> in char or byte arrays and the contents of those arrays should be cleared 
> ASAP. Operations performed on string objects will require that the original 
> object be copied and the operation be applied in the new copy of the string 
> object. This results in the likelihood that multiple copies of sensitive data 
> will be present in the heap until garbage collection takes place.
> The snippet below shows the issue on line 508:
> CqlConfigHelper.java, lines 505-518:
> {code:java}
> 505 private static Optional<AuthProvider> getDefaultAuthProvider(Configuration conf)
> 506 {
> 507     Optional<String> username = getStringSetting(USERNAME, conf);
> 508     Optional<String> password = getStringSetting(PASSWORD, conf);
> 509 
> 510     if (username.isPresent() && password.isPresent())
> 511     {
> 512         return Optional.of(new PlainTextAuthProvider(username.get(), password.get()));
> 513     }
> 514     else
> 515     {
> 516         return Optional.absent();
> 517     }
> 518 }
> {code}
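The handling pattern the report asks for (read the secret into a char[], never materialise a String, zero the array as soon as it is no longer needed), as an added illustration that is not Cassandra's code and not a proposed patch. It assumes a java.io.Reader as a stand-in for the configuration source and a consuming API that accepts char[]; where the downstream API only takes String (as PlainTextAuthProvider's constructor does here), the copy the caller creates is still outside the program's control, which is the residual risk the report describes.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Arrays;

// Added example (not Cassandra code): keep a secret in a char[] and wipe it
// deterministically instead of leaving immutable String copies on the heap.
public final class SecretBuffer implements AutoCloseable {
    private final char[] value;
    private boolean cleared;
    private SecretBuffer(char[] value) { this.value = value; }

    // Read the secret straight into a char[] from a Reader so no String is
    // ever created. The Reader is an assumed stand-in for a config source.
    public static SecretBuffer read(Reader in) throws IOException {
        char[] buf = new char[64];
        int len = 0;
        int c;
        while ((c = in.read()) != -1 && c != '\n') {
            if (len == buf.length) {
                char[] bigger = Arrays.copyOf(buf, buf.length * 2);
                Arrays.fill(buf, '\0');   // wipe the outgrown copy
                buf = bigger;
            }
            buf[len++] = (char) c;
        }
        char[] exact = Arrays.copyOf(buf, len);
        Arrays.fill(buf, '\0');           // wipe the oversized scratch buffer
        return new SecretBuffer(exact);
    }

    // Hand the caller the array itself, never a String; it is zeroed on close().
    public char[] chars() {
        if (cleared) throw new IllegalStateException("secret already cleared");
        return value;
    }

    @Override
    public void close() {
        Arrays.fill(value, '\0');
        cleared = true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for the PASSWORD setting.
        try (SecretBuffer pw = SecretBuffer.read(new StringReader("s3cret\n"))) {
            // Pass pw.chars() to an API that accepts char[]; only the length is printed.
            System.out.println("password length: " + pw.chars().length);
        }   // close() zeroes the array here, long before garbage collection
    }
}
```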



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
