[
https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eduardo Aguinaga updated CASSANDRA-12307:
-----------------------------------------
Description:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
Two commands, archiveCommand and restoreCommand, are stored as string
properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only
processing performed on the command strings is that tokens are replaced by data
available at runtime.
A malicious command could be entered into the system by storing the malicious
command in place of the valid archiveCommand or restoreCommand. The malicious
command would then be executed on line 265 within the exec method.
Any commands that are stored and retrieved should be verified prior to
execution. Assuming that the command is safe because it is stored as a local
property invites security issues.
{code:java}
CommitLogArchiver.java, lines 91-92:
91 String archiveCommand = commitlog_commands.getProperty("archive_command");
92 String restoreCommand = commitlog_commands.getProperty("restore_command");
CommitLogArchiver.java, lines 129-144:
129 public void maybeArchive(final CommitLogSegment segment)
130 {
131 if (Strings.isNullOrEmpty(archiveCommand))
132 return;
133
134 archivePending.put(segment.getName(), executor.submit(new
WrappedRunnable()
135 {
136 protected void runMayThrow() throws IOException
137 {
138 segment.waitForFinalSync();
139 String command = archiveCommand.replace(""%name"",
segment.getName());
140 command = command.replace(""%path"", segment.getPath());
141 exec(command);
142 }
143 }));
144 }
CommitLogArchiver.java, lines 152-166:
152 public void maybeArchive(final String path, final String name)
153 {
154 if (Strings.isNullOrEmpty(archiveCommand))
155 return;
156
157 archivePending.put(name, executor.submit(new WrappedRunnable()
158 {
159 protected void runMayThrow() throws IOException
160 {
161 String command = archiveCommand.replace("%name", name);
162 command = command.replace("%path", path);
163 exec(command);
164 }
165 }));
166 }
CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263 ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264 pb.redirectErrorStream(true);
265 FBUtilities.exec(pb);
266 }
{code}
was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
Two commands, archiveCommand and restoreCommand, are stored as string
properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only
processing performed on the command strings is that tokens are replaced by data
available at runtime.
A malicious command could be entered into the system by storing the malicious
command in place of the valid archiveCommand or restoreCommand. The malicious
command would then be executed on line 265 within the exec method.
Any commands that are stored and retrieved should be verified prior to
execution. Assuming that the command is safe because it is stored as a local
property invites security issues.
{code:java}
CommitLogArchiver.java, lines 91-92:
91 String archiveCommand = commitlog_commands.getProperty("archive_command");
92 String restoreCommand = commitlog_commands.getProperty("restore_command");
CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263 ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264 pb.redirectErrorStream(true);
265 FBUtilities.exec(pb);
266 }
CommitLogArchiver.java, lines 129-144:
129 public void maybeArchive(final CommitLogSegment segment)
130 {
131 if (Strings.isNullOrEmpty(archiveCommand))
132 return;
133
134 archivePending.put(segment.getName(), executor.submit(new
WrappedRunnable()
135 {
136 protected void runMayThrow() throws IOException
137 {
138 segment.waitForFinalSync();
139 String command = archiveCommand.replace(""%name"",
segment.getName());
140 command = command.replace(""%path"", segment.getPath());
141 exec(command);
142 }
143 }));
144 }
CommitLogArchiver.java, lines 152-166:
152 public void maybeArchive(final String path, final String name)
153 {
154 if (Strings.isNullOrEmpty(archiveCommand))
155 return;
156
157 archivePending.put(name, executor.submit(new WrappedRunnable()
158 {
159 protected void runMayThrow() throws IOException
160 {
161 String command = archiveCommand.replace("%name", name);
162 command = command.replace("%path", path);
163 exec(command);
164 }
165 }));
166 }
{code}
> Command Injection
> -----------------
>
> Key: CASSANDRA-12307
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
> Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string
> properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The
> only processing performed on the command strings is that tokens are replaced
> by data available at runtime.
> A malicious command could be entered into the system by storing the malicious
> command in place of the valid archiveCommand or restoreCommand. The malicious
> command would then be executed on line 265 within the exec method.
> Any commands that are stored and retrieved should be verified prior to
> execution. Assuming that the command is safe because it is stored as a local
> property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131 if (Strings.isNullOrEmpty(archiveCommand))
> 132 return;
> 133
> 134 archivePending.put(segment.getName(), executor.submit(new
> WrappedRunnable()
> 135 {
> 136 protected void runMayThrow() throws IOException
> 137 {
> 138 segment.waitForFinalSync();
> 139 String command = archiveCommand.replace(""%name"",
> segment.getName());
> 140 command = command.replace(""%path"", segment.getPath());
> 141 exec(command);
> 142 }
> 143 }));
> 144 }
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154 if (Strings.isNullOrEmpty(archiveCommand))
> 155 return;
> 156
> 157 archivePending.put(name, executor.submit(new WrappedRunnable()
> 158 {
> 159 protected void runMayThrow() throws IOException
> 160 {
> 161 String command = archiveCommand.replace("%name", name);
> 162 command = command.replace("%path", path);
> 163 exec(command);
> 164 }
> 165 }));
> 166 }
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263 ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264 pb.redirectErrorStream(true);
> 265 FBUtilities.exec(pb);
> 266 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
