[ https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15447444#comment-15447444 ]

Dave Brosius edited comment on CASSANDRA-12307 at 8/29/16 11:51 PM:
--------------------------------------------------------------------

I'd have to agree with Chris. They are modifying a file inside the cassandra 
jar. If they can do that, they can do anything, including replacing class files 
with their own.


I suppose we could validate that the file actually did come from within the 
jar, and not some other auxiliary classpath root.

...or jar sealing


was (Author: dbrosius):
I'd have to agree with Chris. They are modifying a file inside the cassandra 
jar. If they can do that, they can do anything, including replacing class files 
with their own.


I suppose we could validate that the file actually did come from within the 
jar, and not some other auxiliary classpath root.

> Command Injection
> -----------------
>
>                 Key: CASSANDRA-12307
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>            Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string 
> properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The 
> only processing performed on the command strings is that tokens are replaced 
> by data available at runtime. 
> A malicious command could be entered into the system by storing the malicious 
> command in place of the valid archiveCommand or restoreCommand. The malicious 
> command would then be executed on line 265 within the exec method.
> Any commands that are stored and retrieved should be verified prior to 
> execution. Assuming that the command is safe because it is stored as a local 
> property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131     if (Strings.isNullOrEmpty(archiveCommand))
> 132         return;
> 133 
> 134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
> 135     {
> 136         protected void runMayThrow() throws IOException
> 137         {
> 138             segment.waitForFinalSync();
> 139             String command = archiveCommand.replace("%name", segment.getName());
> 140             command = command.replace("%path", segment.getPath());
> 141             exec(command);
> 142         }
> 143     }));
> 144 }
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154     if (Strings.isNullOrEmpty(archiveCommand))
> 155         return;
> 156 
> 157     archivePending.put(name, executor.submit(new WrappedRunnable()
> 158     {
> 159         protected void runMayThrow() throws IOException
> 160         {
> 161             String command = archiveCommand.replace("%name", name);
> 162             command = command.replace("%path", path);
> 163             exec(command);
> 164         }
> 165     }));
> 166 }
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
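The origin check Dave suggests, as an added example that is not Cassandra's own code: it confirms that a classpath resource was served from the same jar that holds the loading class, so a copy dropped on some other classpath root cannot silently shadow it. The resource name and the anchor class are assumptions; the page does not name the properties file.

```java
import java.net.URI;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;

/** Added example: checks that a resource came from the jar that contains the anchor class. */
public final class ResourceOriginCheck
{
    // Assumed resource name; not taken from the page.
    static final String RESOURCE = "commitlog_archiving.properties";

    /** Jar that defined {@code anchor}, or null when it was loaded from a directory or unknown origin. */
    static Path jarOf(Class<?> anchor) throws Exception
    {
        CodeSource cs = anchor.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null)
            return null;
        Path p = Paths.get(cs.getLocation().toURI()).toAbsolutePath().normalize();
        return p.toString().endsWith(".jar") ? p : null;
    }

    /**
     * True only when {@code resource} is a jar: URL whose jar part is exactly the jar
     * containing {@code anchor}. file:, http: and other-jar origins all fail the check.
     */
    static boolean cameFromSameJar(URL resource, Class<?> anchor) throws Exception
    {
        Path jar = jarOf(anchor);
        if (jar == null || resource == null || !"jar".equals(resource.getProtocol()))
            return false;
        // For jar URLs getPath() yields "file:/.../cassandra.jar!/commitlog_archiving.properties"
        String spec = resource.getPath();
        int bang = spec.indexOf("!/");
        if (bang < 0)
            return false;
        Path origin = Paths.get(URI.create(spec.substring(0, bang))).toAbsolutePath().normalize();
        return origin.equals(jar);
    }

    public static void main(String[] args) throws Exception
    {
        // ClassLoader.getResource returns the first match on the classpath, which is exactly
        // what lets an earlier classpath root shadow the copy inside the jar; refuse that.
        URL url = ResourceOriginCheck.class.getClassLoader().getResource(RESOURCE);
        if (!cameFromSameJar(url, ResourceOriginCheck.class))
            throw new IllegalStateException(RESOURCE + " was not loaded from the expected jar: " + url);
        System.out.println("ok: " + url);
    }
}
```

Jar sealing, the alternative Dave names, is a manifest setting rather than code and only covers packages, not arbitrary resources, so a check like this one is what actually covers the properties file.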
