[ https://issues.apache.org/jira/browse/CASSANDRA-12548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dave Brosius updated CASSANDRA-12548:
-------------------------------------
    Priority: Minor  (was: Major)

> Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
> -------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12548
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12548
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>            Priority: Minor
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
>
> The source file CommitLogArchiver.java retrieves commands stored as system properties and executes these commands after replacing tokens with relevant data. The commands retrieved are not verified to ensure that the commands do not contain malicious content. An adversary could perform part of its attack on Cassandra by replacing the "archive_command" or "restore_command" property with commands to achieve their goal.
>
> Line numbers 141, 163, 251 and 265
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
>
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131     if (Strings.isNullOrEmpty(archiveCommand))
> 132         return;
> 133
> 134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
> 135     {
> 136         protected void runMayThrow() throws IOException
> 137         {
> 138             segment.waitForFinalSync();
> 139             String command = archiveCommand.replace("%name", segment.getName());
> 140             command = command.replace("%path", segment.getPath());
> 141             exec(command);
> 142         }
> 143     }));
> 144 }
>
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)