[ https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15447444#comment-15447444 ]
Dave Brosius commented on CASSANDRA-12307:
------------------------------------------

I'd have to agree with Chris. They are modifying a file inside the cassandra jar. If they can do that, they can do anything, including replacing class files with their own.

> Command Injection
> -----------------
>
> Key: CASSANDRA-12307
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
> Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string
> properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The
> only processing performed on the command strings is that tokens are replaced
> by data available at runtime.
>
> A malicious command could be entered into the system by storing the malicious
> command in place of the valid archiveCommand or restoreCommand. The malicious
> command would then be executed on line 265 within the exec method.
>
> Any commands that are stored and retrieved should be verified prior to
> execution. Assuming that the command is safe because it is stored as a local
> property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
>
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131     if (Strings.isNullOrEmpty(archiveCommand))
> 132         return;
> 133
> 134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
> 135     {
> 136         protected void runMayThrow() throws IOException
> 137         {
> 138             segment.waitForFinalSync();
> 139             String command = archiveCommand.replace("%name", segment.getName());
> 140             command = command.replace("%path", segment.getPath());
> 141             exec(command);
> 142         }
> 143     }));
> 144 }
>
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154     if (Strings.isNullOrEmpty(archiveCommand))
> 155         return;
> 156
> 157     archivePending.put(name, executor.submit(new WrappedRunnable()
> 158     {
> 159         protected void runMayThrow() throws IOException
> 160         {
> 161             String command = archiveCommand.replace("%name", name);
> 162             command = command.replace("%path", path);
> 163             exec(command);
> 164         }
> 165     }));
> 166 }
>
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
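The quoted report asks that the stored archive/restore command be verified before it is executed. The following is an added illustration, not Cassandra's code or anything from this thread: it mirrors the %name/%path substitution and split-on-space argv of the quoted CommitLogArchiver excerpt, then adds a pre-execution check that the command is an absolute path to an existing executable in an allow-listed directory. The class name, the allow-list contents and the sample command strings are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
// Hypothetical stand-in for the quoted CommitLogArchiver path (not
// Cassandra's code): same %name/%path substitution and split(" "),
// plus the "verify before exec" step the report asks for.
public class ArchiveCommandCheck {
    // Assumed allow-list of directories an archive/restore binary may live in.
    static final Set<String> ALLOWED_DIRS = Set.of("/bin", "/usr/bin", "/usr/local/bin");
    // Mirrors maybeArchive(). ProcessBuilder runs argv[0] directly, with no
    // shell, so metacharacters in a segment name stay literal arguments; the
    // exposure is whoever can rewrite archive_command in the properties file.
    static List<String> buildArgv(String template, String name, String path) {
        String command = template.replace("%name", name).replace("%path", path);
        return Arrays.asList(command.split(" "));
    }

    // Reject anything but an absolute path to an existing executable regular
    // file in an allow-listed directory (symlinks resolved first).
    static void verify(List<String> argv) throws IOException {
        if (argv.isEmpty() || argv.get(0).isEmpty())
            throw new IOException("archive command is empty");
        Path exe = Paths.get(argv.get(0));
        if (!exe.isAbsolute())
            throw new IOException("command must be an absolute path: " + exe);
        Path real = exe.toRealPath();               // throws if the file is missing
        if (!Files.isRegularFile(real) || !Files.isExecutable(real))
            throw new IOException("not an executable file: " + real);
        if (!ALLOWED_DIRS.contains(String.valueOf(real.getParent())))
            throw new IOException("executable outside allowed dirs: " + real);
    }

    // Verified replacement for exec(): same already-split argv, but only after verify().
    static Process exec(List<String> argv) throws IOException {
        verify(argv);
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values, not taken from the issue.
        verify(buildArgv("/bin/cp %path /tmp/%name", "CommitLog-1.log", "/var/commitlog/CommitLog-1.log"));
        try { verify(buildArgv("/tmp/not-allowed.sh %path", "x", "/y")); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Note that split(" ") also breaks any %path containing a space into several arguments, so a verified deployment should keep commit log directories free of spaces or switch to a tokenizer that honours quoting.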