Page History

...

The java.util.logging class provides the basic logging framework in JDK v1.4 and above; the examples below use the logging framework. The basic principles apply regardless of the particular logging framework chosen.

A program may support multiple levels of sensitivity. Some information, such as access times can be safely logged. Some infomration can be logged, but the log file must be restricted from everyone but particular administrators. Other information, such as credit card numbers can only be logged in encrypted form. Other information, such as passwords, should not be logged at all.

For these code samples, we will assume that the log in question lies outside the trust boundary of the information being sent to it. Also, normal log messages should include additional parameters such as date, time, source event, etc.. We omit them in these examples for the sake of brevity.

Noncompliant Code Example

In this noncompliant code example, a server logs the IP address of the remote client in the event of a security exception. Such data can be misused in various ways, such as building a profile of a user's browsing habits. Such logging may violate legal restrictions in many countries.

If the log cannot be trusted to hold the IP address, it should not hold any info about a SecurityException. When an exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it, before returning control to the next statement in the catch block. (See guideline ERR01-J. Use a class dedicated to reporting exceptions.)

public void logRemoteIPAddress(String name) {
  Logger logger = Logger.getLogger("com.organization.Log");
  InetAddress machine = null;
  try {
    machine = InetAddress.getByName(name);
  } catch (UnknownHostException e) { 
    Exception e = MyExceptionReporter.handle(e);
  } catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
    logger.severe(name + "," + machine.getHostAddress() + "," + e.toString());
  }
} 

Compliant Solution

This compliant solution excludes the sensitive information from the log messagesimply does not log the security exception.

   // ...
  catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
  logger.log(Level.FINEST, "Security Exception Occurred", e);
}

...

Noncompliant Code Example

Some information that is logged should be elided from console display for security reasons (a possible example might be passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE. All levels after and including INFO, log the message to the console in addition to an external source.

logger.info(passengerAge);  // displays passenger age on the console 
"Age: " + passengerAge);

By default, log messages with level INFO are displayed to the console.

Compliant Solution

This compliant solution noncompliant code example logs at a level below INFO — FINEST, in this case — to prevent the passenger age from being displayed on the console.

logger.finest(passengerAge); // does not display on the console

Noncompliant Code Example

Sensitive user data can be recorded without deliberate intent; this can occur when the log message records user supplied input. In this noncompliant code example, the user mistakenly enters personal details (such as an SSN) in the occupation field. A suspicious server might throw an exception during input validation and log the entered data so that intrusion detection systems can operate on it. However, logging personally identifiable information is undesirable, and possibly illegalIt also makes sure that such messages do not appear on the console. Thus the age is not actually logged.

StringHandler strhandlers[] = JOptionPanelogger.showInputDialog(null, "Enter your occupation: ", 
"Tax Help Form", 1);

Compliant Solution

Apply a filter to the input to reduce inadvertent logging of sensitive data. This compliant solution uses a simple filter — a check for a string of digits that might have been intended for SSN field that lies above the occupation field — to prevent sensitive data from appearing in the log files. The example filter may be too simplistic for production use; ensure that your filters are sufficient to prevent violation of applicable legal restrictions.

public class MyFilter implements Filter {
  public boolean isLoggable(LogRecord lr) {
    String msg = lr.getMessage();
    if (msg.matches("\\d*")) {  // Filters out any digits
      return false;
    }
    return true;
  }
}

// Set the filter in main code
Logger logger = Logger.getLogger("com.organization.Log");
logger.setFilter(new MyFilter());

...

getHandlers();
for (int i = 0; i < handlers.length; i++) {
  handlers[i].setLevel(Level.INFO);
}
// ...
logger.finest("Age: " + passengerAge);

Risk Assessment

Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

\[[API 2006|AA. Bibliography#API 06]\]] Class {{java.util.logging.Logger}}
\[[Chess 2007|AA. Bibliography#Chess 07]\]] 11.1 Privacy and Regulation: Handling Private Information
\[[CVE 2008|AA. Bibliography#CVE 08]\]] [CVE-2005-2990|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 532|http://cwe.mitre.org/data/definitions/532.html] "Information Leak Through Log Files", [CWE ID 533|http://cwe.mitre.org/data/definitions/533.html] "Information Leak Through Server Log Files", [CWE ID 359|http://cwe.mitre.org/data/definitions/359.html] "Privacy Violation", [CWE ID 542|http://cwe.mitre.org/data/definitions/542.html] "Information Leak Through Cleanup Log Files"
\[[Sun 2006|AA. Bibliography#Sun 06]\]] [Java Logging Overview|http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html]

...