[
https://issues.apache.org/jira/browse/CASSANDRA-12540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Stupp updated CASSANDRA-12540:
-------------------------------------
Reviewer: (was: Robert Stupp)
> Password Management: Hardcoded Password
> ---------------------------------------
>
> Key: CASSANDRA-12540
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12540
> Project: Cassandra
> Issue Type: Sub-task
> Components: Feature/Authorization
> Reporter: Eduardo Aguinaga
> Priority: Major
> Attachments: 12540-trunk.patch
>
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> In the file EncryptionOptions.java there are hard coded passwords on lines 23
> and 25.
> {code:java}
> EncryptionOptions.java, lines 20-30:
> 20 public abstract class EncryptionOptions
> 21 {
> 22 public String keystore = "conf/.keystore";
> 23 public String keystore_password = "cassandra";
> 24 public String truststore = "conf/.truststore";
> 25 public String truststore_password = "cassandra";
> 26 public String[] cipher_suites = {
> 27 "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
> 28 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
> "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
> 29 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
> "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
> 30 };
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
