This is an automated email from the ASF dual-hosted git repository. mck pushed a commit to branch cassandra-4.1 in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit fbb3079144851e704a7912b8630f72c9345e0bb5 Merge: 0aa4ef1a8e 9a24fa81e5 Author: Mick Semb Wever <[email protected]> AuthorDate: Tue Oct 18 22:54:11 2022 +0200 Merge branch 'cassandra-4.0' into cassandra-4.1 * cassandra-4.0: Fix JMX security vulnerabilities CHANGES.txt | 1 + ide/idea/workspace.xml | 2 +- .../cassandra/auth/jmx/AuthorizationProxy.java | 70 ++++++++++++++++++++++ 3 files changed, 72 insertions(+), 1 deletion(-) diff --cc CHANGES.txt index d5a1ce2416,19fe614a29..ed8ea6eea5 --- a/CHANGES.txt +++ b/CHANGES.txt @@@ -7,46 -5,22 +7,47 @@@ Merged from 4.0 Merged from 3.11: * Suppress CVE-2022-42003 and CVE-2022-42004 (CASSANDRA-17966) * Make LongBufferPoolTest insensitive to timing (CASSANDRA-16681) - * Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907) - * Fix potential IndexOutOfBoundsException in PagingState in mixed mode clusters (CASSANDRA-17840) Merged from 3.0: + * Harden JMX by resolving beanshooter issues (CASSANDRA-17921) * Suppress CVE-2019-2684 (CASSANDRA-17965) * Fix auto-completing "WITH" when creating a materialized view (CASSANDRA-17879) - * Fix scrubber falling into infinite loop when the last partition is broken (CASSANDRA-17862) - * Fix resetting schema (CASSANDRA-17819) -4.0.6 +4.1-beta1 + * We should not emit deprecation warning on startup for `key_cache_save_period`, `row_cache_save_period`, `counter_cache_save_period` (CASSANDRA-17904) + * upsert with adder support is not consistent with numbers and strings in LWT (CASSANDRA-17857) + * Fix race and return after failing connections (CASSANDRA-17618) + * Speculative execution threshold unit mismatch (CASSANDRA-17877) + * Fix BulkLoader to load entireSSTableThrottle and entireSSTableInterDcThrottle (CASSANDRA-17677) + * Fix a race condition where a keyspace can be oopened while it is being removed (CASSANDRA-17658) + * DatabaseDescriptor will set the default failure detector during client initialization (CASSANDRA-17782) + * Avoid initializing schema via 
SystemKeyspace.getPreferredIP() with the BulkLoader tool (CASSANDRA-17740) + * Improve JMX methods signatures, fix JMX and config backward compatibility (CASSANDRA-17725) + * Fix sstable_preemptive_open_interval disabled value. sstable_preemptive_open_interval = null backward compatible with + sstable_preemptive_open_interval_in_mb = -1 (CASSANDRA-17737) + * Remove usages of Path#toFile() in the snapshot apparatus (CASSANDRA-17769) + * Fix Settings Virtual Table to update paxos_variant after startup and rename enable_uuid_sstable_identifiers to + uuid_sstable_identifiers_enabled as per our config naming conventions (CASSANDRA-17738) + * index_summary_resize_interval_in_minutes = -1 is equivalent to index_summary_resize_interval being set to null or + disabled. JMX MBean IndexSummaryManager, setResizeIntervalInMinutes method still takes resizeIntervalInMinutes = -1 for disabled (CASSANDRA-17735) + * min_tracked_partition_size_bytes parameter from 4.1 alpha1 was renamed to min_tracked_partition_size (CASSANDRA-17733) + * Remove commons-lang dependency during build runtime (CASSANDRA-17724) + * Relax synchronization on StreamSession#onError() to avoid deadlock (CASSANDRA-17706) + * Fix AbstractCell#toString throws MarshalException for cell in collection (CASSANDRA-17695) + * Add new vtable output option to compactionstats (CASSANDRA-17683) + * Fix commitLogUpperBound initialization in AbstractMemtableWithCommitlog (CASSANDRA-17587) + * Fix widening to long in getBatchSizeFailThreshold (CASSANDRA-17650) + * Fix widening from mebibytes to bytes in IntMebibytesBound (CASSANDRA-17716) + * Revert breaking change in nodetool clientstats and expose cient options through nodetool clientstats --client-options. 
(CASSANDRA-17715) + * Fix missed nowInSec values in QueryProcessor (CASSANDRA-17458) + * Revert removal of withBufferSizeInMB(int size) in CQLSSTableWriter.Builder class and deprecate it in favor of withBufferSizeInMiB(int size) (CASSANDRA-17675) + * Remove expired snapshots of dropped tables after restart (CASSANDRA-17619) +Merged from 4.0: + * Mitigate direct buffer memory OOM on replacements (CASSANDRA-17895) + * Fix repair failure on assertion if two peers have overlapping mismatching ranges (CASSANDRA-17900) + * Better handle null state in Gossip schema migration to avoid NPE (CASSANDRA-17864) + * HintedHandoffAddRemoveNodesTest now accounts for the fact that StorageMetrics.totalHints is not updated synchronously w/ writes (CASSANDRA-16679) + * Avoid getting hanging repairs due to repair message timeouts (CASSANDRA-17613) + * Prevent infinite loop in repair coordinator on FailSession (CASSANDRA-17834) * Fix race condition on updating cdc size and advancing to next segment (CASSANDRA-17792) * Add 'noboolean' rpm build for older distros like CentOS7 (CASSANDRA-17765) * Fix default value for compaction_throughput_mb_per_sec in Config class to match the one in cassandra.yaml (CASSANDRA-17790) diff --cc ide/idea/workspace.xml index e35ba90ac7,6581dcecd6..8851d7e283 --- a/ide/idea/workspace.xml +++ b/ide/idea/workspace.xml @@@ -187,7 -187,7 +187,7 @@@ <configuration default="false" name="Cassandra" type="Application" factoryName="Application"> <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" /> <option name="MAIN_CLASS_NAME" value="org.apache.cassandra.service.CassandraDaemon" /> - <option name="VM_PARAMETERS" value="-Dcassandra-foreground=yes -Dcassandra.config=file://$PROJECT_DIR$/conf/cassandra.yaml -Dcassandra.storagedir=$PROJECT_DIR$/data -Dlogback.configurationFile=file://$PROJECT_DIR$/conf/logback.xml -Dcassandra.logdir=$PROJECT_DIR$/data/logs -Djava.library.path=$PROJECT_DIR$/lib/sigar-bin 
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate [...] - <option name="VM_PARAMETERS" value="-Dcassandra-foreground=yes -Dcassandra.config=file://$PROJECT_DIR$/conf/cassandra.yaml -Dcassandra.storagedir=$PROJECT_DIR$/data -Dlogback.configurationFile=file://$PROJECT_DIR$/conf/logback.xml -Dcassandra.logdir=$PROJECT_DIR$/data/logs -Djava.library.path=$PROJECT_DIR$/lib/sigar-bin -Dcassandra.jmx.local.port=7199 -ea -Xmx1G" /> ++ <option name="VM_PARAMETERS" value="-Dcassandra-foreground=yes -Dcassandra.config=file://$PROJECT_DIR$/conf/cassandra.yaml -Dcassandra.storagedir=$PROJECT_DIR$/data -Dlogback.configurationFile=file://$PROJECT_DIR$/conf/logback.xml -Dcassandra.logdir=$PROJECT_DIR$/data/logs -Djava.library.path=$PROJECT_DIR$/lib/sigar-bin -Dcassandra.jmx.local.port=7199 -ea -Xmx1G -Dcassandra.reads.thresholds.coordinator.defensive_checks_enabled=true" /> <option name="PROGRAM_PARAMETERS" value="" /> <option name="WORKING_DIRECTORY" value="file://$PROJECT_DIR$" /> <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" /> diff --cc src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java index 613a1bd440,36c552c700..afc8b46e7c --- a/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java +++ b/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java @@@ -478,12 -481,76 +483,77 @@@ public class AuthorizationProxy impleme .collect(Collectors.toSet()); } + private void checkVulnerableMethods(Object args[]) + { + assert args.length == 4; + ObjectName name; + String operationName; + Object[] params; + String[] signature; + try + { + name = (ObjectName) args[0]; + operationName = (String) args[1]; + params = (Object[]) args[2]; + signature = (String[]) args[3]; + } + catch (ClassCastException cce) + { + logger.warn("Could not interpret arguments to check vulnerable MBean invocations; did the MBeanServer interface change?", cce); + 
return; + } + + // When adding compiler directives from a file, most JDKs will log the file contents if invalid, which + // leads to an arbitrary file read vulnerability + checkCompilerDirectiveAddMethods(name, operationName); + + // Loading arbitrary (JVM and native) libraries from remotes + checkJvmtiLoad(name, operationName); + checkMLetMethods(name, operationName); + } + + private void checkCompilerDirectiveAddMethods(ObjectName name, String operation) + { + if (name.getCanonicalName().equals("com.sun.management:type=DiagnosticCommand") + && operation.equals("compilerDirectivesAdd")) + throw new SecurityException("Access is denied!"); + } + + private void checkJvmtiLoad(ObjectName name, String operation) + { + if (name.getCanonicalName().equals("com.sun.management:type=DiagnosticCommand") + && operation.equals("jvmtiAgentLoad")) + throw new SecurityException("Access is denied!"); + } + + private void checkMLetMethods(ObjectName name, String operation) + { + // Inspired by MBeanServerAccessController, but that class ignores check if a SecurityManager is installed, + // which we don't want + + if (operation == null) + return; + + try + { + if (!mbs.isInstanceOf(name, "javax.management.loading.MLet")) + return; + } + catch (InstanceNotFoundException infe) + { + return; + } + + if (operation.equals("addURL") || operation.equals("getMBeansFromURL")) + throw new SecurityException("Access is denied!"); + } + - private static final class JMXPermissionsCache extends AuthCache<RoleResource, Set<PermissionDetails>> + public static final class JmxPermissionsCache extends AuthCache<RoleResource, Set<PermissionDetails>> + implements JmxPermissionsCacheMBean { - protected JMXPermissionsCache() + protected JmxPermissionsCache() { - super("JMXPermissionsCache", + super(CACHE_NAME, DatabaseDescriptor::setPermissionsValidity, DatabaseDescriptor::getPermissionsValidity, DatabaseDescriptor::setPermissionsUpdateInterval, 
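Review bot: In `checkVulnerableMethods`, the `catch (ClassCastException cce)` branch logs a warning and then `return`s, so if the argument array ever has an unexpected shape the three deny checks are skipped and the invocation presumably continues; a security gate is safer failing closed. The arity check is also only an `assert`, which does nothing when the JVM runs without `-ea`, and a shorter array would raise `ArrayIndexOutOfBoundsException`, which this catch does not cover. I would replace the assert with `if (args == null || args.length != 4) throw new SecurityException("Access is denied!");` and the `return;` in the catch with `throw new SecurityException("Access is denied!");`, keeping the `logger.warn` so a changed MBeanServer interface is still visible. It would also help detection to log the MBean name and operation before each `SecurityException` is thrown, since none of the three check methods records a denied attempt in the lines shown. The call site of `checkVulnerableMethods` and the start of `AuthorizationProxy` are outside this hunk, so how a thrown exception is handled there should be confirmed.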
