[
https://issues.apache.org/jira/browse/CASSANDRA-12548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dave Brosius updated CASSANDRA-12548:
-------------------------------------
Priority: Minor (was: Major)
> Improper Neutralization of Special Elements used in a Command ('Command
> Injection'), Improper Neutralization of Special Elements used in an OS
> Command ('OS Command Injection')
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-12548
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12548
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
> Priority: Minor
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
> Issue:
> The software constructs all or part of a command using externally-influenced
> input from an upstream component, but it does not neutralize or incorrectly
> neutralizes special elements that could modify the intended command when it
> is sent to a downstream component.
> The source file CommitLogArchiver.java retrieves commands stored as system
> properties and executes these commands after replacing tokens with relevant
> data. The commands retrieved are not verified to ensure that the commands do
> not contain malicious content. An adversary could perform part of its attack
> on Cassandra by replacing the "archive_command" or "restore_command" property
> with commands to achieve their goal.
> Line numbers 141, 163, 251 and 265
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91  String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92  String restoreCommand = commitlog_commands.getProperty("restore_command");
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131     if (Strings.isNullOrEmpty(archiveCommand))
> 132         return;
> 133
> 134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
> 135     {
> 136         protected void runMayThrow() throws IOException
> 137         {
> 138             segment.waitForFinalSync();
> 139             String command = archiveCommand.replace("%name", segment.getName());
> 140             command = command.replace("%path", segment.getPath());
> 141             exec(command);
> 142         }
> 143     }));
> 144 }
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> {code}
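The substitute-then-split order in the quoted `exec()` compared with one possible hardening, as an added example that is not Cassandra's code and not part of the original report. The class `ArchiveCommandDemo`, the methods `unsafeArgv` and `safeArgv`, the allowlisted path and all sample values are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Added illustration, not Cassandra code. All names and sample values are hypothetical.
public class ArchiveCommandDemo
{
    // Hypothetical allowlist of executables an operator has approved for archiving.
    static final Set<String> ALLOWED = Set.of("/usr/local/bin/archive-commitlog");

    // Same order of operations as the quoted code: substitute tokens, then split on spaces.
    static List<String> unsafeArgv(String template, String name, String path)
    {
        String command = template.replace("%name", name).replace("%path", path);
        return Arrays.asList(command.split(" "));
    }

    // Hardened order: split the template first, check argv[0] against the allowlist,
    // then substitute inside each argument so a value cannot add or split arguments.
    static List<String> safeArgv(String template, String name, String path)
    {
        String[] parts = template.trim().split("\\s+");
        if (!ALLOWED.contains(parts[0]))
            throw new IllegalArgumentException("executable not allowlisted: " + parts[0]);
        List<String> argv = new ArrayList<>();
        for (String part : parts)
            argv.add(part.replace("%name", name).replace("%path", path));
        return argv;
    }

    public static void main(String[] args)
    {
        // Constructed sample input: a segment path that contains a space.
        String template = "/usr/local/bin/archive-commitlog %path /backup/%name";
        String name = "CommitLog-6-1.log";
        String path = "/var/lib/cassandra/commit log/CommitLog-6-1.log";
        System.out.println("substitute then split: " + unsafeArgv(template, name, path));
        System.out.println("split then substitute: " + safeArgv(template, name, path));
        try
        {
            safeArgv("/tmp/unapproved-tool %path", name, path);
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`ProcessBuilder` starts the program directly rather than through a shell, so the argument boundaries and the choice of executable are the points that need checking here.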