Exceptions that are thrown while logging is in progress can prevent successful logging unless special care is taken. Failure to account for exceptions during the logging process causes security vulnerabilities, including denial of service or vulnerabilities that allow an attacker to conceal critical security exceptions by preventing them from being logged. Consequently, programs must ensure that data logging continues to operate correctly even when exceptions are thrown during the logging process.
Noncompliant Code Example
This noncompliant code example uses statements that can throw exceptions while logging is underway. It attempts to log a SecurityException generated within the run() method. However, in the event of an exception thrown while logging is underway, the original log message is lost.
...
- Gaining access to the application's file system and inducing a runtime exception by deleting or changing the permissions of the log file. Although such attacker access appears unlikely, it is possible that an attacker could have access to the physical media from which the application reads data. In this case, an attacker can induce runtime exceptions at the appropriate moment to circumvent logging.
- Providing input to the application via normal input channels that causes multiple threads to attempt to log messages simultaneously. This attack exploits the multi-threaded nature of the application to induce {{OverlappingFileLockException}}s that cause exception logging to fail. This attack vector is much simpler to implement than the previous attack because it makes use of standard input channels rather than requiring access to the file system.
Compliant Solution
This compliant solution uses the thread and exception safe java.util.logging.Logger class to implement logging. Although there are several statements that can throw exceptions, all of them execute before any security critical operations; consequently any exceptions thrown from these statements cannot interfere with logging during the security critical operations. See guideline ERR03-J. Use a logging API to log critical security exceptions for more information on the use of logging libraries.
...
Note that an IOException remains possible in this compliant example. However, there are few alternatives in the absence of a guarantee that the log file is present. Consequently, this recommendation permits a program to reopen a closed log file. Programs should ensure that the log file is properly protected using operating system level permissions, otherwise an IOException may occur.
Risk Assessment
Exceptions thrown during data logging can cause loss of data and can conceal security problems.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXC07-J | medium | likely | high | P6 | L2 |
Related Vulnerabilities
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] [Class Logger|http://java.sun.com/javase/6/docs/api/java/util/logging/Logger.html] \[[JLS 2005|AA. Bibliography#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html] |
...